Idea ID: 2783591

Customer Request: Support for Duo to reset password

Status: Declined
over 2 years ago
I have a client that uses Duo for their 2FA requirements and is not going to change to AA (not the same department that controls Duo). They would prefer to use their existing Duo for SSPR resets rather than SMS as it is familiar to their user population.

Labels: Integrations

  • If I can suggest you take a step backwards first. Duo Security is an MFA provider. Do you have an Identity Provider, such as NetIQ Access Manager? This could integrate with Duo as the second factor for SSO, then it could be integrated via OAuth2 with SSPR to request a second factor.

    If I understand correctly, you are looking for a user to come to SSPR, select "Forgot Password", potentially answer challenge response questions, then use Duo Security as a second factor prior to allowing a reset of their password?

    If this is the case, I would recommend bringing an IDP into the equation. This way SSPR can integrate with the IDP via OAuth2 for this flow as the documentation link from Gireesh suggests. Duo could also integrate with that IDP for the second factor. All of your applications that need Duo would then simply do an integration to the IDP via SAML, OAuth2/OIDC, WS-Fed, etc. This would make your end-user facing flow much more simplistic as it would enable SSO and MFA (as needed) to each of the applications at the same time.

    Then, when you want to configure that flow, you simply do an OAuth2 integration over to your IDP (i.e. NAM) requesting the step-up authentication via Duo Security.

    Your issue here is a limitation of Duo Security. I believe Duo has an IDP offering as well that should be able to support this, but I'm not sure exactly how good it is; I've never seen anyone actually using it.

  • @Gireesh Kumar Why has this been declined? Duo does not support OAuth.

    https://help.duo.com/s/article/3898?language=en_US

  • Are you able to provide additional details on how this integration would work? Per the Duo Knowledge Base and our Duo admins, Duo does NOT support OAuth.

  • Duo supports OAuth 2.0 and the same set of configuration changes listed in this document will allow SSPR integration with Duo. Of course, the respective changes - such as adding SSPR as a client etc. - need to be done in Duo.

    https://www.netiq.com/documentation/self-service-password-reset-42/sspr-adminguide/data/t41us0izwpch.html