SSPR 4.5 Integration with DUO

I know this question has been asked before and there was even an enhancement request which was denied : https://community.microfocus.com/cyberres/sspr/i/ssprideas/customer-request-support-for-duo-to-reset-password

The reason being that this can be accomplished with OAUTH. Unfortunately, DUO does not support OAUTH. Another suggestion was to include an IDP which doesn't really make sense either. As far as I can tell, the enhancement request was denied with not real solution provided.

I basically want to to implement DUO as an additional Verification method for the forgotten password module, just like the OTP verification. DUO supports TOTP but this is not used by any of our other applications. DUO Push is generally used.

Has anybody been able to do this?

  • I have integrated SSPR forgotten password with some other MFA providers, so it is possible. Not pretty, but possible.

    You said that DUO does not support OAuth. What about SAML or OpenID Connect?

  • DUO appears to have a gateway that can function as a SAML IDP, but we do not use it. I'm not sure how it would help either.

  • SAML is exactly what can be used to connect to external MFA provider.

    So some background:

    SSPR OAuth integrations is actually not that useful as it might look at first sight. It requires that OAuth SSO endpoint provides special URL, where SSPR will get user information (specifically User Name/DN login attribute). This endpoint is called "OAuth Profile Service URL" in SSPR configuration.

    Of course format of response must be specific to SSPR, and as far as I know only service that provides proper response is OSP (or maybe it was other way around, SSPR OAuth connector was developed to be able to use OSP endpoint...)

    Good thing is that OSP supports SAML authentication, so chain can be expanded.

    What we did:

    We connected SSPR to OSP instance and then configure OSP to talk to external MFA provider using SAML.

    Actually not directly, since external MFA supported only OpenID Connect, but through SAML-to-OIDC bridge.

    Sot it looks like that:

    SSPR<---oauth--->OSP<---saml--->SAML-to-OIDC bridge<---oidc--->MFA provider

    It looks like complicated and prone to errors, but after setting this up customer is happy and satisfied and had no problems at all. And they are using it a lot, especially during COVID-19 lockdowns.

  • So to get this to work in the forgotten password module, what verification method would you add?

  • Sorry, I just reread your responses. It looks like I would use the OAUTH method. Let me dig into this. Thanks for the information.

  • Yes, that's right. You need to use OAuth in SSPR.

    Let me know if you hit a roadblock.

  • Here is my first roadblock. On the SSPR server, I am already running OSP and it is associated with the IDP used for SSO. In order to implement DUO, I believe I need another OSP that can be associated with the DUO IDP so it can communicate with SAML. Is that correct?

    If so, do I need to setup a new server with an OSP? Since OSP can't be installed on its own, how do you handle that? Install another SSPR and just delete the WAR?

  • In that case you need to set up new OSP instance. You can set up completely new server or just spawn new tomcat instance on different port.