Access - DUO MFA Integration

This lab will cover how to integrate DUO Multi-Factor Authentication with WorkspaceONE Access. This is another common multi-factor authentication method being used by our customers.

Part 1: Setup Trial

Part 2: Setup Integration

Part 3: Test Integration

NOTE: In the authentication policy, simply put DUO Security where you previously had VMware Verify (Intelligent Hub); both serve the same purpose as the second factor.

Part 1: Setup DUO Trial

1. On your ControlCenter VM, navigate to google.com, search for DUO Multifactor and click 30 Day Free Trial. Alternatively, browse directly to https://signup.duo.com/trial

2. Fill in the requested information and click Start My Trial.

NOTE: Ensure you use a valid phone number, as the admin account will be verified over SMS if you are using a virtual device.

3. You will now have to open your e-mail to confirm your registration.

  • Click on Verify Your Email.

4. You will be greeted with the New Admin Setup page. Click on Get started.

5. You will be prompted to create a new password. Set a strong password you can remember and click Continue.

6. You will now be asked to set up your smartphone with the Duo Mobile app.

7. Whether you are using a physical device or the emulator, download the Duo Mobile application from the app store and open it once it has installed.

NOTE: If you are using the Android emulator, all you need to do for Part 1 is have Duo Mobile installed on it. Skip to step 11 and, in the web browser on ControlCenter, click Don't have a smartphone? Skip for now. Follow the rest of the Part 1 instructions to finish setting up the Duo trial.

8. Allow the application to send you notifications by clicking Allow.

9. Still in the Duo Mobile application, click ADD ACCOUNT.

10. Allow the application to access the camera by clicking OK.

11. Physical Device: Scan the QR code from the website, which should still be open in your browser. You will now see an entry in the Duo Mobile app titled DUO ADMIN.

Android Emulator: In your web browser on ControlCenter, click Don't have a smartphone? Skip for now and continue with the Text Me option for verification.

12. In your browser you will now be presented with the option to use Duo Push or Text. If you have a physical device you can use Duo Push.

NOTE: If you are using the Android emulator, simply use the Text Me option to register the administrator.

13. (Skip if you are using emulator) The Duo Mobile application will receive a notification to approve or deny the authentication. Click Approve.

14. You should now be signed in to the trial Duo Admin Panel. We will now add a user to Duo.

NOTE: An Active Directory sync connector is also available, and admins can bulk-import users instead of creating them one at a time.

15. In the DUO Admin console navigate to Users > Add User

16. Enter the username of the unique user you created earlier in Active Directory and synced to Workspace ONE Access. Duo will match the username that Workspace ONE Access sends it against this value, so it must match exactly.

Click Add User to continue.

17. Enter the full name of the unique user (if you used Mark Debio earlier, continue with that user) and the e-mail address. Ensure that this e-mail matches the email attribute of the user in Workspace ONE Access.

  • Leave the remainder of the settings as default on this page and click Save Changes

Part 2: WorkspaceONE Access and DUO integration

1. In the DUO admin console navigate to Applications > Protect an Application then search for WEB SDK.

  • Click Protect next to WEB SDK

2. Note down the Integration Key (labelled Client ID in newer Duo consoles), Secret Key (Client Secret) and API hostname in Notepad.

NOTE: Be careful not to introduce spaces or line breaks when copying and pasting. The Secret Key is a credential: anyone holding it can act as this integration, so delete the Notepad copy once the values are in Workspace ONE Access and never share it.

3. Scroll down to Settings and change the Name field to WorkspaceONE Access

4. At the bottom of the page

  • Select Save
  • In the Activate the Universal Prompt for Web SDK window, select Activate Now

5. On the ControlCenter server

  • Open a new tab
  • Log into the WorkspaceONE Access Admin Console

6. Navigate to Identity & Access Management > Authentication Methods and click on the pencil next to DUO Security.

7. On the DUO Security page

  • Select the check box next to Enable DUO Security
  • Next to Integration Key, paste your Integration Key (Client ID)
  • Next to Secret Key, paste your Secret Key (Client Secret)
  • Next to API host name, paste the API hostname
  • Next to Username Format, select Username from the dropdown
  • Select Save

8. Now navigate to Identity & Access Management > Identity Providers > Built-in

9. Wait for the Authentication Methods to load and click the check box to enable DUO Security. Click Save at the bottom of the page.

10. Navigate to Identity & Access Management > Policies and click EDIT DEFAULT POLICY

11. Edit the Web Browser policy rule: change the first form of authentication to Password (cloud deployment), then click the plus + sign and add DUO Security as the second form of authentication.

  • Make sure you keep Password (Local Directory) as the fallback method of authentication, so local directory (admin) accounts can still sign in if the Duo integration is unavailable.
  • Click SAVE at the bottom of the page.
  • NOTE: If you did the previous lab using VMware Verify (Intelligent Hub), you can simply replace that authentication method with DUO Security for the same user flow.

12. Click Next on the configuration page and click SAVE on the Summary page to close the edit policy wizard.
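To catch the copy-and-paste mistakes the note in step 2 warns about before they reach Workspace ONE Access, and to confirm that the three values actually work against your Duo tenant, the following Python script is an added example (it is not part of the lab, nor Duo's or VMware's own code). Using only the standard library, it reproduces the health-check request that Duo's Web SDK v4 client performs: an HS512-signed JWT, keyed with the Client Secret, posted to /oauth/v1/health_check. The sample credential values are constructed placeholders, and the exact shapes it checks (20-character Client ID starting with DI, 40-character secret, api-xxxxxxxx.duosecurity.com host) are assumptions taken from Duo's documented key format; adjust them if your tenant differs. Credentials are read from environment variables rather than the command line so they do not show up in process listings.

```python
"""Sanity-check Duo Web SDK credentials and run Duo's health check.

Added example for the lab, not Duo's or VMware's code.  Standard library only.
"""
import base64
import hashlib
import hmac
import json
import os
import re
import time
import urllib.parse
import urllib.request
import uuid

# Constructed placeholders in the assumed Duo shapes; NOT real credentials.
SAMPLE_CLIENT_ID = "DI" + "X" * 18                 # 20 chars, starts with DI
SAMPLE_CLIENT_SECRET = "deadbeef" * 5              # 40 chars
SAMPLE_API_HOST = "api-12345678.duosecurity.com"   # no scheme, no path


def check_credentials(client_id, client_secret, api_host):
    """Return a list of problems with the pasted values (empty list = OK).

    Catches the usual copy/paste slips: leading/trailing or embedded
    whitespace and newlines, wrong lengths, and a hostname pasted with
    "https://".  Patterns are assumptions from Duo's documented key format.
    """
    problems = []
    for name, value in (("client_id", client_id),
                        ("client_secret", client_secret),
                        ("api_host", api_host)):
        if value != value.strip():
            problems.append(f"{name}: leading/trailing whitespace")
        if any(c.isspace() for c in value.strip()):
            problems.append(f"{name}: embedded whitespace or newline")
    if not re.fullmatch(r"DI[A-Z0-9]{18}", client_id.strip()):
        problems.append("client_id: expected 20 characters starting with DI")
    if len(client_secret.strip()) != 40:
        problems.append("client_secret: expected 40 characters")
    if not re.fullmatch(r"api-[0-9a-f]{8}\.duosecurity\.com", api_host.strip()):
        problems.append("api_host: expected api-xxxxxxxx.duosecurity.com "
                        "without scheme or path")
    return problems


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_client_assertion(client_id, client_secret, api_host, now=None):
    """HS512 JWT used as client_assertion for Duo's Web SDK v4 health check.

    Claim set mirrors what Duo's duo_universal client sends (assumed):
    iss/sub = client id, aud = the health-check URL, 5-minute lifetime.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS512", "typ": "JWT"}
    claims = {
        "iss": client_id,
        "sub": client_id,
        "aud": f"https://{api_host}/oauth/v1/health_check",
        "jti": uuid.uuid4().hex,
        "iat": now,
        "exp": now + 300,
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(client_secret.encode(), signing_input.encode(),
                   hashlib.sha512).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_client_assertion(token, client_secret):
    """Recompute the HS512 MAC; return the claims dict if valid, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(client_secret.encode(),
                        f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha512).digest()
    if not hmac.compare_digest(_b64url(expected), sig_b64):
        return None
    padded = claims_b64 + "=" * (-len(claims_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def health_check(client_id, client_secret, api_host, timeout=10):
    """POST the signed assertion to Duo and return the JSON reply (network)."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_assertion": build_client_assertion(client_id, client_secret,
                                                   api_host),
    }).encode()
    req = urllib.request.Request(f"https://{api_host}/oauth/v1/health_check",
                                 data=body)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Read DUO_CLIENT_ID / DUO_CLIENT_SECRET / DUO_API_HOST from the environment.
    cid, secret, host = (os.environ[k] for k in
                         ("DUO_CLIENT_ID", "DUO_CLIENT_SECRET", "DUO_API_HOST"))
    issues = check_credentials(cid, secret, host)
    if issues:
        raise SystemExit("fix these before pasting into Access:\n  " +
                         "\n  ".join(issues))
    print(json.dumps(health_check(cid, secret, host), indent=2))
```

A reply with "stat": "OK" means the Client ID, Client Secret and API hostname are consistent with each other and the tenant is reachable; a failure here is a credentials or network problem and has nothing to do with the Workspace ONE Access policy, which narrows the search when the Part 3 login does not prompt for Duo.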

Part 3: Test DUO Multi-Factor Authentication

1. Navigate to your W10Client01 VM, open a new incognito browser window and navigate to the WorkspaceONE Access URL.

  • Select the euc-livefire domain and click Next
  • Type in the username and password of the unique user you added to DUO above (example: Mark and VMware1!)

2. You should now see the DUO splash screen, click Start setup


3. Select Tablet and click Continue

NOTE: You can choose Mobile phone instead, but that requires a real mobile (GSM) number. Notice the different device types that are supported.

4. Now choose your operating system and click Continue

  • NOTE: Because the camera cannot be used on the Android emulator, we are forced to use the e-mail registration method. If you have been using a physical Android or iOS device, you can skip the e-mail registration and scan the QR code with that device.

5. Click I have Duo Mobile, then open the Duo Mobile app on your device

6. Physical Device: On your mobile phone, in the Duo Mobile application, tap the plus + in the top right corner to start the camera and scan the QR code shown in the browser.

Android Emulator: Click the Email me an activation link instead button.

NOTE: The Duo web page may time out during registration. This is not a problem; simply navigate back to your WorkspaceONE Access URL and sign in again.

6a. Android Emulator: Type your e-mail address into the field and click Send email.

6b. Android Emulator: Open your e-mail and click the link in the message.

6c. Android Emulator: Copy the activation code string from your browser. Then, in the Android emulator, open the Duo Mobile application, tap the + in the top right corner, tap No Barcode, choose DUO Security Enabled Account and paste the activation code from the link in the e-mail you received.

7. Once the QR code has been scanned it is shown with a green checkmark. Click Continue to proceed

8. In the drop-down When I log in:, select Automatically send this device a Duo Push

Click Continue to Login

9. Click Send Me a Push on the next screen; a push notification will arrive on your mobile device.

10. Approve the Login request in the DUO app on your mobile or tablet.

11. You should now be authenticated to Workspace ONE Access as your unique user.

12. In the DUO admin console, under Users, click Mark. You should now see the user's last login as well as details about recent authentications from particular endpoints.

NOTE: Duo's default New User Policy is Require Enrollment: a user who authenticates to Workspace ONE Access with a valid password but does not yet exist in DUO is prompted to enroll a device, and can then complete MFA. In other words, until this is changed, anyone holding a valid password can self-enroll their own second factor.

13. In the DUO Admin Console navigate to Policies and click Edit Global Policy

14. Under New User Policy select Deny access and click Save Policy. Non-registered users will now be unable to enroll a device and use MFA; every user must exist in DUO beforehand (created manually, bulk-imported, or synced from Active Directory) before they can log in.

15. Open a new incognito window (make sure you are logged out of the previous user).

Authenticate using Jill and VMware1! and notice that you are not allowed to set up an account, as this is not a pre-registered user.

This concludes the WorkspaceONE integration with DUO MFA.

Author: Simeon Frank