
Customer Request: Support for Duo to reset password

Idea ID 2783591


I have a client that uses Duo for their 2FA requirements and is not going to change to AA (not the same department that controls Duo). They would prefer to use their existing Duo for SSPR resets rather than SMS as it is familiar to their user population.
4 Comments
Micro Focus Frequent Contributor
Status changed to: Declined

Duo supports OAuth 2.0 and the same set of configuration changes listed in this document will allow SSPR integration with Duo. Of course, the respective changes - such as adding SSPR as a client etc. - need to be done in Duo.

https://www.netiq.com/documentation/self-service-password-reset-42/sspr-adminguide/data/t41us0izwpch.html

 

Cadet 3rd Class

@Gireesh Kumar Are you able to provide additional details on how this integration would work? Per the Duo Knowledge Base and our Duo admins, Duo does NOT support OAuth.

Commodore

@Gireesh Kumar Why has this been declined? DUO does not support OAuth.

https://help.duo.com/s/article/3898?language=en_US

Vice Admiral

If I can suggest you take a step backwards first. Duo Security is an MFA provider; do you have an Identity Provider, such as NetIQ Access Manager? This could integrate with Duo as the second factor for SSO, then it could be integrated via OAuth2 with SSPR to request a second factor.

If I understand correctly, you are looking for a user to come to SSPR, select "Forgot Password", potentially answer challenge response questions, then use Duo Security as a second factor prior to allowing a reset of their password?

If this is the case, I would recommend bringing an IDP into the equation.  This way SSPR can integrate with the IDP via OAuth2 for this flow as the documentation link from Gireesh suggests.  Duo could also integrate with that IDP for the second factor.  All of your applications that need Duo would then simply do an integration to the IDP via SAML, OAuth2/OIDC, Ws-Fed, etc.  This would make your end-user facing flow much more simplistic as it would enable SSO and MFA (as needed) to each of the applications at the same time.

Then, when you want to configure that flow, you simply do an OAuth2 integration over to your IDP (i.e. NAM) requesting the step-up authentication via Duo Security.

Your issue here is a limitation of Duo Security. I believe Duo has an IDP offering as well that should be able to support this, but I'm not sure exactly how good it is; I've never seen anyone actually using it.
