Pricing  Get Quote
 
 

How to configure multi-factor authentication with Duo Security

ADSelfService Plus wards off potential security threats by fortifying access to user accounts with multi-factor authentication (MFA), by adding an extra layer of security. When MFA is enabled, users are required to prove their identity through the enforced authenticators in addition to passwords.

MFA can be enforced for password self-service operations along with login attempts to the ADSelfService Plus end-user portal, endpoints, and applications. ADSelfService Plus supports fifteen advanced authentication techniques, including Duo Security, biometrics, YubiKey authenticator, SAML authentication, and RSA SecurID.

Multi-factor authentication via Duo Security

When multi-factor authentication using Duo Security is enabled, during every login, users will have to prove their identity through any one of the following methods:

  • Approving a push notification through the Duo Security mobile app.
  • Entering a security pass code received through a verification call.
  • Entering a security pass code generated during the login process.

Configuration

Duo Security-based multi-factor authentication can be configured in just three simple steps.

Step 1: Integrate Duo Security with ADSelfService Plus

  1. Log in to your Duo Security account (i.e., https://admin-3d5d33c0.duosecurity.com), or if you're a new user, sign up and log in.
  2. Navigate to Applications.
  3. Click Protect an Application.

    duo-security-configuration-application-tab-adselfservice-plus

  4. Search for Web SDK in the applications list.

    duo-security-configuration-web-sdk-search-adselfservice-plus

  5. Click the Protect this Application link from the search result.
  6. Copy the values of Integration key, Secret key, and API hostname from the Web SDK page that opens up.

    duo-security-configuration-web-sdk-adselfservice-plus

Configure Auth API (optional)

The Auth API configuration is used to verify a user's enrollment with Duo Security. If Auth API is not configured, it's mandatory to remove the user's enrollment in ADSelfService Plus on deleting a user's enrollment in Duo Security. If this isn't done, the user will be added back to Duo Security when it is used for authentication in ADSelfService Plus.

  • If Auth API is configured, then go back to Applications → Protect an Application.
  • Search for Auth API.
  • Copy the values of the Integration key and Security key.

configuring-duo-security-adselfservice-plus

Step 2: Configure Duo Security in ADSelfService Plus

  1. Log in to the ADSelfService Plus console using administrator credentials.
  2. Navigate to Configuration → Self-Service → Multi-factor Authentication → Authenticators Setup.
  3. Select Duo Security.

    duo-enabled-two-factor-authentication

  4. Paste the values that you copied previously from the Web SDK page in the Integeration Key, Secret Key, and API hostname fields.
  5. If Auth API is configured, go to Advanced Settings and paste the values that you copied in this step from the Auth API page in the Integration key and Secret key fields.
  6. Click Save.

configuring-duo-security-adselfservice-plus

Steps to enable multi-factor authentication for ADSelfService Plus' end-user portal login

  1. Navigate to Configuration → Self-Service → Multi-factor Authentication → MFA for Reset/Unlock.

    Steps to enable multi-factor authentication for ADSelfService Plus

  2. Choose the Policy from the drop-down.
    Note: ADSelfService Plus allows you to create OU- and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  3. Use the Enable _ authentication factors option next to MFA for ADSelfService Plus Login,
  4. Select Duo Security and other necessary authenticators from the Select the authenticators required drop-down.
  5. Click Save Settings.

Steps to enable multi-factor authentication for password reset/account unlock

  1. Navigate to Configuration → Self-Service → Multi-factor Authentication → MFA for Reset/Unlock..

    Steps to enable multi-factor authentication for ADSelfService Plus

  2. Choose the Policy from the drop-down.
    Note: ADSelfService Plus allows you to create OU- and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  3. Enable the Select the authenticators required checkbox
  4. Use the Enable _ authentication factors option next to MFA for Password Reset/Account Unlock to select the number of authenticators
  5. Select Duo Security and other necessary configured authenticators from the drop-down.
  6. Click Save Settings.

Steps to enable multi-factor authentication for endpoints

  1. Navigate to Configuration → Self-Service → Multi-factor Authentication → MFA for Endpoints.

    Steps to enable MFA for ADSelfService Plus

  2. Choose the Policy from the drop-down.
    Note: ADSelfService Plus allows you to create OU- and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  3. MFA can be configured so additional authentication methods are required at the login screens of Windows, macOS, and Linux machines, when establishing a VPN connection or when a user tries to log in to Outlook Web Access (OWA).
    • For machine login:
      • Go to MFA for Endpoints.
      • Enable the Select the authenticators required checkbox
      • Use the Enable _ authentication factors option next to MFA for Machine Login to select the number of authenticators
      • Select Duo Security and other necessary configured authenticators from the drop-down.
      • Click Save Settings.
    • For OWA login: Select the Enable the second authentication factor option next to MFA for OWA Login, and select Duo Security from the drop-down.
  4. Click Save Settings.

 

Request Support

Need further assistance? Fill this form, and we'll contact you rightaway.

Highlights

Password self-service

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

Directory Self-UpdateCorporate Search

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.

ADSelfService Plus trusted by

A single pane of glass for complete self service password management