
SSPR 4.5 Integration with DUO

I know this question has been asked before and there was even an enhancement request which was denied : https://community.microfocus.com/cyberres/sspr/i/ssprideas/customer-request-support-for-duo-to-reset-password

The reason being that this can be accomplished with OAUTH. Unfortunately, DUO does not support OAUTH. Another suggestion was to include an IDP, which doesn't really make sense either. As far as I can tell, the enhancement request was denied with no real solution provided.

I basically want to implement DUO as an additional verification method for the forgotten password module, just like the OTP verification. DUO supports TOTP, but this is not used by any of our other applications. DUO Push is generally used.

Has anybody been able to do this?

  • 0  

    I have integrated SSPR forgotten password with some other MFA providers, so it is possible. Not pretty, but possible.

    You said that DUO does not support OAuth. What about SAML or OpenID Connect?

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0 in reply to   

    DUO appears to have a gateway that can function as a SAML IDP, but we do not use it. I'm not sure how it would help either.

  • 0   in reply to 

    SAML is exactly what can be used to connect to an external MFA provider.

    So some background:

    SSPR OAuth integration is actually not as useful as it might look at first sight. It requires that the OAuth SSO endpoint provides a special URL where SSPR will get user information (specifically the User Name/DN login attribute). This endpoint is called "OAuth Profile Service URL" in the SSPR configuration.

    Of course, the format of the response must be specific to SSPR, and as far as I know the only service that provides a proper response is OSP (or maybe it was the other way around, the SSPR OAuth connector was developed to be able to use the OSP endpoint...).

    The good thing is that OSP supports SAML authentication, so the chain can be expanded.

    What we did:

    We connected SSPR to an OSP instance and then configured OSP to talk to the external MFA provider using SAML.

    Actually not directly, since the external MFA provider supported only OpenID Connect, but through a SAML-to-OIDC bridge.

    So it looks like this:

    SSPR<---oauth--->OSP<---saml--->SAML-to-OIDC bridge<---oidc--->MFA provider

    It looks complicated and prone to errors, but after setting this up the customer is happy and satisfied and has had no problems at all. And they are using it a lot, especially during the COVID-19 lockdowns.

    Kind regards,

    Sebastijan


  • 0 in reply to   

    So to get this to work in the forgotten password module, what verification method would you add?

  • 0 in reply to 

    Sorry, I just reread your responses. It looks like I would use the OAUTH method. Let me dig into this. Thanks for the information.

  • 0   in reply to 

    Yes, that's right. You need to use OAuth in SSPR.

    Let me know if you hit a roadblock.

    Kind regards,

    Sebastijan


  • 0 in reply to   

    Here is my first roadblock. On the SSPR server, I am already running OSP and it is associated with the IDP used for SSO. In order to implement DUO, I believe I need another OSP that can be associated with the DUO IDP so it can communicate via SAML. Is that correct?

    If so, do I need to set up a new server with an OSP? Since OSP can't be installed on its own, how do you handle that? Install another SSPR and just delete the WAR?

  • 0   in reply to 

    In that case you need to set up a new OSP instance. You can set up a completely new server or just spawn a new Tomcat instance on a different port.

    Kind regards,

    Sebastijan

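One way to carry out the second-instance approach from the reply above, as an added example that is not part of the thread or of the product: it clones an existing Tomcat's conf/ into a new CATALINA_BASE and rewrites the ports so the second OSP can run beside the first. Tomcat's stock ports (8080/8443/8005), the /opt paths and the OSP WAR name are assumptions to adjust to your install.

```shell
#!/bin/sh
# Added example, not from the thread: give the second OSP its own Tomcat instance
# (separate CATALINA_BASE, own ports) sharing the binaries of the Tomcat that
# already runs SSPR/OSP. Ports and paths below are assumptions.
set -eu

# new_tomcat_base HOME BASE HTTP HTTPS SHUTDOWN
# Builds BASE from HOME's conf/ and rewrites Tomcat's stock ports
# (8080/8443/8005) to the ones given; check with instance_ports before starting,
# because every port must differ from the first instance or the second fails to bind.
new_tomcat_base() {
  home=$1 base=$2 http=$3 https=$4 shut=$5
  for d in bin conf logs temp webapps work; do mkdir -p "$base/$d"; done
  cp -R "$home/conf/." "$base/conf/"
  sed -e "s/port=\"8080\"/port=\"$http\"/g" \
      -e "s/port=\"8443\"/port=\"$https\"/g" \
      -e "s/redirectPort=\"8443\"/redirectPort=\"$https\"/g" \
      -e "s/port=\"8005\"/port=\"$shut\"/g" \
      "$home/conf/server.xml" > "$base/conf/server.xml"
  # Per-instance JVM options; catalina.sh sources $CATALINA_BASE/bin/setenv.sh
  printf 'CATALINA_OPTS="-Xms512m -Xmx1024m"\nexport CATALINA_OPTS\n' > "$base/bin/setenv.sh"
  # Drop the second OSP WAR into "$base/webapps/" (file name depends on your install)
}

# instance_ports BASE -> every port/redirectPort value in BASE's server.xml, one line
instance_ports() {
  grep -oi 'port="[0-9]*"' "$1/conf/server.xml" | sed 's/.*="\([0-9]*\)"/\1/' | paste -sd' ' -
}

# Self-contained run against a constructed, minimal server.xml (not a real SSPR file)
demo_second_instance() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/home/conf"
  cat > "$tmp/home/conf/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"/>
  </Service>
</Server>
EOF
  new_tomcat_base "$tmp/home" "$tmp/osp2" 9080 9443 9005
  instance_ports "$tmp/osp2"        # -> 9005 9080 9443 9443
  rm -rf "$tmp"
}

# Start the real instance with:
#   CATALINA_HOME=/opt/tomcat CATALINA_BASE=/opt/osp2 /opt/tomcat/bin/startup.sh
```

Run instance_ports against both CATALINA_BASE directories before starting the second one; any port that appears in both lists will stop the new Tomcat from binding.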