Implement Two-Step Authentication Using Janssen Server and Duo Security
This document explains how to use the Janssen Server Duo interception script to configure a two-step authentication process with username and password as the first step, and Duo as the second step.
Duo Security is a SaaS authentication provider that supports multi-factor authentication, including push approvals, passcodes, SMS OTP, etc. Duo provides a web SDK through which clients like Janssen Server can integrate with Duo Security services.
Prerequisites
- An account with Duo Security
- The user being authenticated will need to download the Duo mobile app
- Janssen Server with Casa integrated
Enable Janssen Server Interception Script for Duo
- Go to the Janssen Server installation.
- Get the `duo_web` Python library using the commands below:

  ```
  cd /opt/jans/python/libs
  wget https://raw.githubusercontent.com/GluuFederation/community-edition-setup/master/static/auth/lib/duo_web.py
  sudo systemctl restart jans-auth
  ```

- Use `jans-cli` to enable the Duo script using the instructions here. Set the `enabled` property for the Duo script to `true`.
- Confirm that the script has been marked enabled in the CLI script listing. Alternatively, access Janssen Server's OpenID Connect configuration endpoint at the URL below. In the response JSON, find `duo` listed under `acr_values_supported`.

  ```
  https://jans-server-name/jans-auth/.well-known/openid-configuration
  ```
Configuring Duo credentials
- To connect to Duo Security via the web SDK, the Janssen Server Duo interception script needs to be provided with the credentials below:
    - ikey (integration key): Obtained from the Duo Security account
    - skey (secret key): Obtained from the Duo Security account
    - akey: A random alphanumeric key that needs to be generated by following the instructions under the `Generate an akey` section here
- Provide these values to the script by editing the placeholder JSON file located at `/etc/certs/duo_creds.json` on Janssen Server. Replace the placeholders with actual values and save the file. Sample contents of `duo_creds.json` are shown below:

  ```
  {"ikey": "replace-ikey-value", "skey": "replace-skey-value", "akey": "replace-akey-value"}
  ```
Configuring Custom Script Properties
- There are two mandatory properties that the Janssen Server Duo interception script requires:
    - `duo_creds_file`: Path to the file where the values for ikey, skey and akey are stored. For example, `/etc/certs/duo_creds.json`
    - `duo_host`: Name of the host supplied by Duo Security for your web SDK to connect to. For example: `api-random.duosecurity.com`

Update the custom script using `jans-cli` to set values for these two properties.
Install Casa Duo plugin
Follow these instructions to install the Casa Duo plugin.
Make Duo Default Authentication Method
Change the default authentication method to `duo` using Jans-CLI by following these steps.
Test
- After installing the Casa Duo plugin, the option to enable Duo as an authentication method becomes available on the Casa administration console under `Enabled Authentication Methods`.
- The administrator can enable Duo Security as an authentication method by checking the box and clicking on `Save`.
- At this point, any user can log into Casa and configure Duo as an authentication method for their individual account using these steps.
- During the next login attempt, the user will first be presented with login/password authentication; if successful, the Duo authentication screen will be presented.