8.3 SailPoint Duo Connector Guide


Duo Connector

Version: 8.3

This document and the information contained herein is SailPoint Confidential Information
Copyright and Trademark Notices
Copyright © 2022 SailPoint Technologies, Inc. All Rights Reserved.

All logos, text, content, including underlying HTML code, designs, and graphics used and/or depicted on these written
materials or in this Internet website are protected under United States and international copyright and trademark laws
and treaties, and may not be used or reproduced without the prior express written permission of SailPoint Technologies, Inc.

"SailPoint," "SailPoint & Design," "SailPoint Technologies & Design," "Identity Cube," "Identity IQ," "IdentityAI," "IdentityNow,"
"SailPoint Predictive Identity" and "SecurityIQ" are registered trademarks of SailPoint Technologies, Inc.
None of the foregoing marks may be used without the prior express written permission of SailPoint Technologies, Inc.
All other trademarks shown herein are owned by the respective companies or persons indicated.

SailPoint Technologies, Inc. makes no warranty of any kind with regard to this manual or the information included
therein, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
SailPoint Technologies shall not be liable for errors contained herein or direct, indirect, special, incidental or
consequential damages in connection with the furnishing, performance, or use of this material.

Patents Notice. https://www.sailpoint.com/patents

Restricted Rights Legend. All rights are reserved. No part of this document may be published, distributed, reproduced,
publicly displayed, used to create derivative works, or translated to another language, without the prior written consent
of SailPoint Technologies. The information contained in this document is subject to change without notice.

Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii)
of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and
subparagraphs (c)(1) and (c)(2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for
other agencies.

Regulatory/Export Compliance. The export and re-export of this software is controlled for export purposes by the U.S.
Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and foreign
export laws and regulations as they relate to software and related documentation. Licensee will not export or re-export
outside the United States software or documentation, whether directly or indirectly, to any Prohibited Party and will not
cause, approve or otherwise intentionally facilitate others in so doing. A Prohibited Party includes: a party in a U.S.
embargoed country or country the United States has named as a supporter of international terrorism; a party involved
in proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the U.S. Department of
Commerce’s Entity List in Supplement No. 4 to 15 C.F.R. § 744; a party prohibited from participation in export or
re-export transactions by a U.S. Government General Order; a party listed by the U.S. Government’s Office of Foreign
Assets Control as ineligible to participate in transactions subject to U.S. jurisdiction; or any party that licensee knows
or has reason to know has violated or plans to violate U.S. or foreign export laws or regulations. Licensee shall ensure
that each of its software users complies with U.S. and foreign export laws and regulations as they relate to software
and related documentation.
Contents

Supported Features iii
Prerequisites iv
Administrator Permissions v
Configuration Parameters vi
Additional Configuration Parameters vi
Schema Attributes viii
Account Attributes viii
Group Attributes ix
Provisioning Policy Attributes xi
Account Attributes xi
Additional Information xiii
Upgrade Considerations xiii
Behavioral Changes xv
Troubleshooting xvi
Supported Features
SailPoint IdentityIQ Duo Connector supports the following features:

Account Management:
Manages Duo Users and Administrators as accounts.

For Duo Users:

• Aggregation, Refresh Accounts
• Create, Update, Delete
• Enable, Disable, Unlock
• Add/Remove Entitlement
• Add/Remove Phone attribute

For Duo Administrators:

• Aggregation, Refresh Accounts
• Enable, Disable
• Create, Update, Delete
• Change Password

The Duo Connector supports password management of Duo Administrators for external management of the
password in the Duo native system. While performing the change password operation for a Duo Administrator,
the Duo Connector sets the has_external_password_mgmt attribute to true.
For more information on the has_external_password_mgmt attribute, see Account Attributes.

Account - Group Management:

• Aggregation

By default, the Duo Administrator with the Owner role is enabled.

SailPoint Duo Connector iii


Prerequisites
Ensure that an Admin API integration is created.

This generates an Integration Key and a Secret Key, which are required for the Duo configuration explained in the
Configuration Parameters section.

Administrator Permissions
Log in to the Duo Administrator Panel as an administrator user.

Ensure that the administrator creating the new Administrator API integration has the following permissions:

When Manage Administrator Users is enabled:

• Grant Administrators
• Grant Read Resource
• Grant Write Resource

When Manage Administrator Users is not enabled:

• Grant Read Resource
• Grant Write Resource

For read-only operations, the 'Grant Write Resource' permission is not required.

Configuration Parameters
This section contains the information that this connector uses to connect to and interact with the application. Each
application type requires different information to create and maintain a connection.

The Duo Integration Credentials are used by IdentityIQ and not by the Connector.

The Duo Connector uses the following connection attributes:

Duo Connection Credentials

API Hostname *
The API Hostname is unique to the account and shared with all integrations. It uses https; unsecured http is not
supported.
Integration Key *
Identifies the integration. Required to configure your system to work with Duo.
Secret Key *
The secret key is treated like a password. Identifies the integration. Required to configure your system to work with
Duo.
Manage Administrator Users
Select this check box to manage Administrator Users.

Duo Integration Credentials

API Hostname
Enter the Auth API Hostname (used in multi-factor authentication).
Integration Key
Enter the Auth API Integration Key (used in multi-factor authentication).
Secret Key
Enter the Auth API Secret Key (used in multi-factor authentication).

Additional Configuration Parameters

The following additional configuration parameters can be set in the application debug page. If these parameters are
not configured, the Duo Connector uses the default page size for all operations.

pageSize
Page size for attributes associated with end users (such as phones and groups).
Set the value of the pageSize parameter as follows:
<entry key="pageSize" value="100"/>
Default value: 100
Maximum value: 500
userPageSize
Page size for end users.
Set the value of the userPageSize parameter as follows:
<entry key="userPageSize" value="100"/>
Default value: 100
Maximum value: 300
groupPageSize
Page size for groups.
Set the value of the groupPageSize parameter as follows:
<entry key="groupPageSize" value="100"/>
Default value: 100
Maximum value: 100
adminPageSize
Page size for administrator users.
Set the value of the adminPageSize parameter as follows:
<entry key="adminPageSize" value="100"/>
Default value: 100
Maximum value: 500

Schema Attributes
This section describes the different schema attributes.

Account Attributes
The account attributes are as follows:

username
Name of the user.
status
The user’s status:

• Active: User must complete secondary authentication.
• Bypass: User will bypass secondary authentication after completing primary authentication.
• Disabled: User will not be able to log in.
• Locked out: User has been automatically locked out due to excessive authentication attempts.

email
Email address of the user.
user_id
User’s unique ID, generated by the Duo system.
realname
User’s real name.
notes
Notes about the user, as seen in the Duo administrative interface.
groups
List of groups to which the user belongs. Contains the name and description of each group.
phones
Phone numbers of the user account.
last_login
Last login time of the user account.
tokens
Tokens for the user account.
desktoptokens
Desktop tokens for the user account.
role
Administrator role.
user_type
Type of user.

restricted_by_admin_units
Administrator account restricted by an administrative unit assignment.
alias1
Username Alias 1
alias2
Username Alias 2
alias3
Username Alias 3
alias4
Username Alias 4

Group Attributes
The group attributes are as follows:

name
The group’s name.
desc
The group’s description.
status
The group’s authentication status:

• Active: User must complete secondary authentication.
• Bypass: User will bypass secondary authentication after completing primary authentication.
• Disabled: User will not be able to log in.
• Locked out: User has been automatically locked out due to excessive authentication attempts.

group_id
The group’s ID.
voice_enabled
If true, users in the group can authenticate with a voice callback. If false, users in the group cannot authenticate
with a voice callback.
This setting has no effect if voice callback is disabled globally.
sms_enabled
If true, users in the group can use SMS passcodes to authenticate. If false, users in the group cannot use SMS
passcodes to authenticate.
This setting has no effect if SMS passcodes are disabled globally.
mobile_otp_enabled
If true, users in the group can use mobile OTP passwords to authenticate. If false, users in the group cannot use
mobile OTP passwords to authenticate.
This setting has no effect if mobile OTP passwords are disabled globally.

push_enabled
If true, users in the group can use Duo Push to authenticate. If false, users in the group cannot use Duo Push to
authenticate.
This setting has no effect if Duo Push is disabled globally.

Provisioning Policy Attributes


This section describes the various provisioning policy attributes for Account.

Account Attributes
Provisioning policy attributes for Create, Enable and Unlock Account:

If the Phone attribute is not present in the default provisioning policy, add it manually.

Create Account

User Type*
Type of the user account.

When User Type is selected as 'User':

Username*
Name of the user account.
Email*
Email of the user account.
Phone
Phone number of the user account.
Phone_Type
(Optional; applicable only when a single mobile number is assigned to the account) Type of phone (mobile or
landline).
When multiple phone numbers are assigned to the account, the default phone type is set to mobile.
Phone_Platform
(Optional; applicable only when a single mobile number is assigned to the account) Platform of the mobile.
When multiple phone numbers are assigned to the account, the default phone platform is set to ‘generic smartphone’.

When User Type is selected as 'Administrator':

Email*
Email of the user account.
Name*
Name of the user account.
Phone
Phone of the user account.
Role
Role of the user account.
If no role value is provided, the default role Owner, as available in the Duo managed system, is assigned to the
administrator user.

Following are the optional parameters:

has_external_password_mgmt
To set the administrator's password along with the password attribute, set the value of the
has_external_password_mgmt attribute to true. The value of the has_external_password_mgmt attribute is false if
passwords are self-managed.
Default value: false
password
Provide the password for the Duo administrator after setting the value of the has_external_password_mgmt attribute
to true.
send_email
If set to true (1), the activation link and an introductory message are emailed to the new administrator. If set to
false (0), no email is sent and the link is returned only to the API method’s caller.
Default value: false

Additional Information
This section describes the additional information related to the Duo Connector.

Upgrade Considerations
• After upgrading IdentityIQ to version 8.0 Patch 5 or later, to support alias user names for an upgraded existing
  Duo application, add the alias schema attributes manually in the application debug page as follows:

    <AttributeDefinition name="alias1" type="string">
      <Description>Username Alias 1</Description>
    </AttributeDefinition>
    <AttributeDefinition name="alias2" type="string">
      <Description>Username Alias 2</Description>
    </AttributeDefinition>
    <AttributeDefinition name="alias3" type="string">
      <Description>Username Alias 3</Description>
    </AttributeDefinition>
    <AttributeDefinition name="alias4" type="string">
      <Description>Username Alias 4</Description>
    </AttributeDefinition>

• While upgrading IdentityIQ to version 8.5 Patch 5 or later, to manage Duo Administrator users, perform the
  following:

  a. Select the Manage Administrator Users check box in the Configuration tab. For more information,
     see Configuration Parameters.

  b. Add the following account schema attributes manually:
     • role (type: string)
     • user_type (type: string)
     • restricted_by_admin_units (type: boolean)

  c. Add the following entry to the application debug page:
     <entry key="adminUsersUri" value="/admin/v1/admins"/>

  d. For provisioning of administrator users, add the following attributes with the required settings:
     • user_type
     • name
     • password
     • phone
     • role

  e. To enable password management operations for administrator users, the PASSWORD feature value
     must be added to the features string in the application XML as follows:
     featuresString="PROVISIONING, SYNC_PROVISIONING, UNLOCK, ENABLE, SEARCH, PASSWORD"

• After upgrading to IdentityIQ version 8.0 Patch 5 or later, delete the existing password field from the Create
  Account provisioning policy.
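The following Python script is an added example (not part of this guide or of SailPoint's connector) that checks an exported Application XML against the upgrade steps above and the page-size maxima from Additional Configuration Parameters. It assumes the standard IdentityIQ Application XML layout (Attributes/Map/entry and Schemas/Schema/AttributeDefinition); the sample export is constructed, and the Manage Administrator Users setting is passed as a flag because its XML key is not documented here.

```python
import xml.etree.ElementTree as ET

# Documented page-size maxima (each defaults to 100 when the entry is absent).
PAGE_SIZE_MAX = {"pageSize": 500, "userPageSize": 300, "groupPageSize": 100, "adminPageSize": 500}
ALIAS_ATTRS = ("alias1", "alias2", "alias3", "alias4")  # added manually after 8.0 Patch 5
ADMIN_ATTRS = {"role": "string", "user_type": "string", "restricted_by_admin_units": "boolean"}


def check_duo_application(xml_text, manage_admin_users):
    """Return findings for an IdentityIQ Duo Application XML; an empty list means ready."""
    # manage_admin_users mirrors the 'Manage Administrator Users' check box; its XML
    # key is not documented in this guide, so the caller passes it explicitly.
    app = ET.fromstring(xml_text)
    findings = []
    entries = {e.get("key"): e.get("value") for e in app.iter("entry")}
    account = {}
    for schema in app.iter("Schema"):
        if schema.get("objectType") == "account":
            account = {a.get("name"): a.get("type") for a in schema.iter("AttributeDefinition")}
    for name in ALIAS_ATTRS:
        if name not in account:
            findings.append(f"account schema is missing {name} (type string)")
    for key, limit in PAGE_SIZE_MAX.items():
        value = entries.get(key)
        if value is not None and (not value.isdigit() or int(value) > limit):
            findings.append(f"{key}={value} is not a number up to the maximum of {limit}")
    if manage_admin_users:
        for name, typ in ADMIN_ATTRS.items():
            if account.get(name) != typ:
                findings.append(f"account schema needs {name} (type {typ})")
        if entries.get("adminUsersUri") != "/admin/v1/admins":
            findings.append('missing <entry key="adminUsersUri" value="/admin/v1/admins"/>')
        features = [f.strip() for f in app.get("featuresString", "").split(",")]
        if "PASSWORD" not in features:
            findings.append("featuresString lacks PASSWORD, so administrator password management stays off")
    return findings


# Constructed, trimmed stand-in for an upgraded application export (not a real export).
SAMPLE_XML = """<Application name="Duo" featuresString="PROVISIONING, SYNC_PROVISIONING, UNLOCK, ENABLE, SEARCH">
  <Attributes><Map><entry key="userPageSize" value="400"/>
    <entry key="adminUsersUri" value="/admin/v1/admins"/></Map></Attributes>
  <Schemas><Schema objectType="account">
    <AttributeDefinition name="username" type="string"/>
    <AttributeDefinition name="alias1" type="string"><Description>Username Alias 1</Description></AttributeDefinition>
    <AttributeDefinition name="role" type="string"/>
    <AttributeDefinition name="user_type" type="string"/>
  </Schema></Schemas>
</Application>"""
```

Running check_duo_application(SAMPLE_XML, manage_admin_users=True) on the constructed sample reports the three missing alias attributes, the oversized userPageSize, the missing restricted_by_admin_units attribute and the absent PASSWORD feature.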

Behavioral Changes
During Aggregation:

• On the Duo system, the Last login for some users is displayed as Never authenticated. In this case, during
  aggregation, the last login is displayed as blank.
• For the phone numbers of the Account attribute, the API returns the phone number as +19405429053, but in the
  Duo Connector UI it is displayed as 9405429053.

For provisioning:

• When performing provisioning on AD_SYNC users on Duo, it fails with the following error message:

  openconnector.ConnectorException: disable failed. Duo error code (40010): User is synchronized with Active Directory. Some attributes may be read-only.

Troubleshooting
1 - During provisioning policy, while configuring the phone_type or phone_platform attribute, an error message is displayed

During provisioning policy, while configuring the phone_type or phone_platform attribute, the following error message is
displayed:
openconnector.ConnectorException: Both attributes 'phone_type' and 'phone_platform' are required.

Resolution: During provisioning policy, configure both the phone_type and phone_platform attributes.

2 - Aggregation failed for upgraded application if configured to “Manage Administrator Users”

Aggregation in an upgraded application configured to manage administrator users fails with the following error
message:
Exception during aggregation of Object Type account on Application <Application Name>. Reason: Unable to create iterator sailpoint.connector.ConnectorException: [ConnectorException] [Error details] <Host Address>null.

Resolution: Ensure that the following entry key is present in the application debug page:
<entry key="adminUsersUri" value="/admin/v1/admins"/>

3 - Test Connection fails with an error message

Test Connection fails with the following error message when the system time is not synchronized:
Unable to connect to Duo. [ConnectorException] [Error details] Duo error code (40105): Bad request timestamp
This is typically caused by the system's time being out of sync.

Resolution: Ensure that the system time is synchronized using Network Time Protocol (NTP). The server instance's
timestamp must be current and must match that of IdentityIQ.
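The timestamp error above follows from how Duo Admin API requests are authenticated: the Date header is part of the HMAC-signed canonical string, and Duo rejects requests whose timestamp is too far from its own clock. The following Python is an added example of that public signing scheme (it is not the connector's code) using the API Hostname, Integration Key and Secret Key described in Configuration Parameters; the hostname, keys and Date values are constructed placeholders, and the skew Duo tolerates is not stated in this guide.

```python
import base64
import email.utils
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone


def sign_duo_request(method, api_host, path, params, ikey, skey, date=None):
    """Return the Date and Authorization headers for one Duo Admin API call.

    Duo's public scheme: RFC 2822 Date, canonical string of date, METHOD, host,
    path and sorted RFC 3986-encoded params, HMAC-SHA1 keyed with the Secret
    Key, then HTTP Basic auth of "Integration Key:signature".
    """
    date = date or email.utils.format_datetime(datetime.now(timezone.utc))
    canon_params = "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(str(v), safe='~')}"
        for k, v in sorted(params.items())
    )
    canon = "\n".join([date, method.upper(), api_host.lower(), path, canon_params])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    auth = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {auth}"}


def split_basic_auth(authorization):
    """Decode 'Basic base64(ikey:sig)' back into (ikey, sig) for inspection."""
    return tuple(base64.b64decode(authorization.split(" ", 1)[1]).decode().split(":", 1))


def clock_skew_seconds(local_date, server_date):
    """Seconds between our signed Date header and the Date header in Duo's reply.

    The signed Date is what Duo checks against its own clock, so a large value
    here is the condition behind error 40105 'Bad request timestamp'.
    """
    local = email.utils.parsedate_to_datetime(local_date)
    server = email.utils.parsedate_to_datetime(server_date)
    return (local - server).total_seconds()


if __name__ == "__main__":
    # Constructed placeholder hostname, keys and server Date; real values come from the Admin API integration.
    headers = sign_duo_request("GET", "api-XXXXXXXX.duosecurity.com", "/admin/v1/users",
                               {"limit": 100, "offset": 0}, "DI_PLACEHOLDER_IKEY", "placeholder-skey")
    print(headers)
    print(clock_skew_seconds(headers["Date"], "Tue, 21 Aug 2012 17:29:18 +0000"))
```

The signature changes whenever the Date changes, so an IdentityIQ host whose clock drifts produces valid-looking but rejected requests until NTP brings it back in line.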
