Enable Duo authentication

This topic describes how to configure Duo and Duo Universal Prompt in your tenant so you can select it as an authentication mechanism when creating an authentication profile.

Duo is an access security platform offering two-factor authentication. CyberArk Identity supports Duo as an authentication mechanisms so you can continue to use Duo if you already implemented it for other applications, or you can use it in addition to other supported authentication mechanisms.

Before you begin

Complete the following tasks before you begin.

Tasks to complete before you begin

Task	Description
Create a Duo Web SDK application	A Web SDK application provides an OIDC-compliant protocol to implement Duo's two-factor authentication with your web application. See https://duo.com/docs/duoweb for more information.
Obtain required information from your Duo tenant.	The following information is available on the Duo Admin Panel. Integration Key or Client ID Secret Key or Client secret API hostname See Duo's documentation for the Traditional Duo Prompt or the Duo Universal Prompt for more information.

Configure Duo in the Identity Administration portal

The following procedure describes how to configure Duo, and Duo Universal Prompt as an option, and how to select it as an authentication mechanism.

1. Go to Settings > Authentication > Duo Configuration, then select Enable Duo.

2. (Optional) Select Enable Duo Universal Prompt.

3. Enter the Integration Key (or Client ID), Secret Key (or Client secret), and API hostname in the appropriate fields.

   This information is available in your Duo Admin Panel.

4. Select the Active Directory attribute that you want to use to find the user in Duo.

   Your choices are User Principal or SAM Account. See Microsoft documentation for details.

5. Click Save.

   You can now select Duo as an authentication challenge when you create an authentication profile.

   If users haven't already set up Duo on their devices and they select it as an authentication challenge, they see a button to start the setup process.

   If they already have Duo configured, they have the following options for Duo Universal Prompt:

   • Duo Mobile

   • Security key

   • Phone number

   If they already have Duo configured, they have the following options for Traditional Duo Prompt:

   • Send Me a Push

   • Call Me

   • Enter a Passcode

   You can add other options after the initial registration for Duo Universal Prompt.
   By default, users have five minutes to complete the Duo setup process and the authentication flow.