
Duo Security integrated in Ivanti Identity Director Password Reset

This blog describes how to use Duo MFA authentication with Ivanti Password Director and/or Ivanti Identity Director.

Ivanti Identity Director comes with a Password Reset option. Password Reset can also be used in Ivanti Password Director. It’s the same software installation but uses a different license.

The Password Reset option or Ivanti Password Director needs the installation of two Ivanti products: Ivanti Identity Director and Ivanti Automation.

Password Reset supports three scenarios:

  • Private E-mail Address
  • Security Questions
  • Verification Code

This blog describes how to use Duo Security as a scenario.

Duo Security is a Cisco company (acquired in 2018) and delivers a user-friendly Zero Trust platform. Duo comes with four kinds of licenses:

  • Duo Free (up to 10 users)
  • Duo MFA ($3 / User / Month)
  • Duo Access ($6 / User / Month)
  • Duo Beyond ($9 / User / Month)

This blog uses Duo's Authentication API (an Auth API application), which requires a paid license. For more information about the Duo Security licenses check this link.

Requirements for Duo integration with Ivanti Password Director

Create a free account on https://signup.duo.com/. The account must be upgraded to a paid license to use the API.

The Duo Mobile app installed on the users' phones (available for iOS and Android).

An installation of Ivanti Identity Director and Ivanti Automation.

Ivanti Identity Director Password Reset Building Blocks. Download from the Ivanti Marketplace.

Configuring Duo Security

After creating the account, go to duo.com and select Admin Login at the top right of the website.

Log in with Duo. After login you are in the Duo Dashboard.
Select Billing from the menu to change the license.
There is a 30-day paid trial license.

In this blog I'm not using the (Azure) Active Directory or (s)LDAP synchronization; I created the users and devices manually, which is not discussed here. Use this link to find all the documentation on how to create users, 2FA devices, etc. In the future I will write blogs on how to use the Active Directory integration. But the Duo Documentation is

Create new Duo application for the Auth API.

Select Applications – Protect an Application from the menu. A long list with pre-defined applications and options is shown.


Type Auth API in the search box and select the Protect button behind Duo Auth API.

After selecting Protect, a new application is created with its own Integration key and Secret key, and the API hostname is shown. The API hostname is the same for all applications in your Duo account, but the Integration key and Secret key are unique to each application. Treat the Secret key like a password: it signs every API request, so anyone who holds it can call the Auth API as this application. Keep it out of scripts that are checked into source control.

Scroll down and change the name of the application. This is the name users will see when authenticating with the Duo Mobile app.

Leave all other settings default.

The configuration for Duo Authentication with the API is finished.

PowerShell script for Duo Authentication with the API

On GitHub you can find multiple Duo API PowerShell scripts. Those scripts are built as modules with functions, but because the script has to be added as a PowerShell task in Ivanti Automation, I created a new PowerShell script that does not use functions.

The GitHub PowerShell scripts for Duo that I found:

The Duo API uses HTTP Basic authentication: the application's Integration key is the user name, and the password is an HMAC-SHA1 signature over the request, keyed with the application's Secret key and sent as a lower-case hex string. Check this link for more information about HMAC.

To construct the signature, first build an ASCII string from the request. The following components are required for the signature:

  • Date – Tue, 21 Aug 2012 17:29:18 -0000 (the same string is sent in the X-Duo-Date header)
  • Method – POST
  • Host – api-xxxxxxxx.duosecurity.com (lower case)
  • Path – /auth/v2/auth
  • Params – the URL-encoded parameters, sorted by name: device=auto&factor=push&username=<duo username>

Each component goes on its own line, joined with a newline (LF). See the example.
Tue, 09 Mar 2021 19:12:59 -0000
POST
api-xxxxxxxx.duosecurity.com
/auth/v2/auth
device=auto&factor=push&username=<duo username>
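As an added example that is not part of the original post, the two functions below turn the five-line recipe into a reusable signer. They go beyond the three-parameter case above: parameter names are sorted with an ordinal comparison and every name and value is RFC 3986 encoded before signing, which the hand-built string can skip only because device, factor and username are already in order and contain nothing that needs encoding. The integration key, secret key and API hostname are placeholders, nothing is sent to Duo, and the optional type and pushinfo parameters are taken from Duo's Auth API reference (check it for their exact semantics before relying on them).

```powershell
# Added example (not code from the original post): generic signer for
# Duo Auth API v2 requests. Keys/host are placeholders; runs fully offline.

function ConvertTo-DuoCanonicalRequest {
    param(
        [Parameter(Mandatory)][string]$Date,     # RFC 2822 date, also sent as X-Duo-Date
        [Parameter(Mandatory)][string]$Method,
        [Parameter(Mandatory)][string]$ApiHost,
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$Params = @{}
    )
    # Ordinal sort: Duo orders parameter names byte-wise, independent of the
    # agent's culture settings.
    $keys = New-Object System.Collections.Generic.List[string]
    foreach ($k in $Params.Keys) { $keys.Add([string]$k) }
    $keys.Sort([System.StringComparer]::Ordinal)
    # RFC 3986 encoding for both name and value (space -> %20, @ -> %40, & -> %26).
    $pairs = foreach ($k in $keys) {
        '{0}={1}' -f [uri]::EscapeDataString($k), [uri]::EscapeDataString([string]$Params[$k])
    }
    $query = $pairs -join '&'
    # Five lines joined with LF: date, METHOD, host (lower case), path, params.
    $canonical = @($Date, $Method.ToUpperInvariant(), $ApiHost.ToLowerInvariant(), $Path, $query) -join "`n"
    [pscustomobject]@{ Canonical = $canonical; Body = $query }
}

function New-DuoAuthorizationHeader {
    param(
        [Parameter(Mandatory)][string]$IntegrationKey,
        [Parameter(Mandatory)][string]$SecretKey,
        [Parameter(Mandatory)][string]$CanonicalRequest
    )
    # HMAC-SHA1 over the canonical string, keyed with the secret key; the
    # lower-case hex digest is the HTTP Basic password, the ikey the user name.
    $hmac = New-Object System.Security.Cryptography.HMACSHA1
    $hmac.Key = [System.Text.Encoding]::UTF8.GetBytes($SecretKey)
    $digest = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($CanonicalRequest))
    $hex = ([System.BitConverter]::ToString($digest)).Replace('-', '').ToLowerInvariant()
    $basic = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${IntegrationKey}:${hex}"))
    "Basic $basic"   # RFC 7617: scheme, one space, base64(user:password)
}

# --- demo with placeholder values (not real credentials) ---
$ikey = 'DIXXXXXXXXXXXXXXXXXX'                  # placeholder integration key
$skey = 'placeholder-secret-key-do-not-commit'  # placeholder secret key
# InvariantCulture keeps English day/month names and ':' whatever the agent's locale.
$date = (Get-Date).ToUniversalTime().ToString('ddd, dd MMM yyyy HH:mm:ss -0000',
            [System.Globalization.CultureInfo]::InvariantCulture)
$req = ConvertTo-DuoCanonicalRequest -Date $date -Method 'post' -ApiHost 'API-XXXXXXXX.duosecurity.com' -Path '/auth/v2/auth' -Params @{
    username = 'j.doe@example.com'                          # '@' is encoded as %40
    factor   = 'push'
    device   = 'auto'
    type     = 'Password Reset'                             # optional: text shown in the Duo Mobile prompt
    pushinfo = 'from=Password%20Reset&domain=example.com'   # optional: pre-encoded k=v pairs, encoded again as a value
}
$req.Canonical
$req.Body
New-DuoAuthorizationHeader -IntegrationKey $ikey -SecretKey $skey -CanonicalRequest $req.Canonical
```

The request body sent to Duo must be exactly `$req.Body` (the same encoded, sorted string that was signed), and the `X-Duo-Date` header must be exactly `$date`; any difference, including a localized day name or a differently encoded character, produces an "invalid signature" response.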

Below the full script is shown and can be used with and without Ivanti Automation. Download below script with this link.

# Duo Auth API v2 request settings. ikey, skey and apiHost come from the Auth API
# application page in the Duo Admin Panel. The secret key (skey) is a credential:
# do not leave it hard-coded in a script that is checked into source control; in
# Ivanti Automation it comes from a Password-type variable (see below).
$method  = "POST"
$path    = "/auth/v2/auth"
$skey    = "Duo Application Secret Key"
$iKey    = "Duo Application Integration Key"
$apiHost = "api-xxxxxxxx.duosecurity.com"
# RFC 2822 date. InvariantCulture prevents the agent's regional settings from
# localizing the day/month names or the time separator, which would break the signature.
$Date     = (Get-Date).ToUniversalTime().ToString("ddd, dd MMM yyyy HH:mm:ss -0000", [System.Globalization.CultureInfo]::InvariantCulture)
$username = "Duo username"
$factor   = "push"
$device   = "auto"

# Parameters must be RFC 3986 encoded and sorted by name (device, factor, username).
$StringAPIParams = "device=" + [uri]::EscapeDataString($device) + "&" +
                   "factor=" + [uri]::EscapeDataString($factor) + "&" +
                   "username=" + [uri]::EscapeDataString($username)

# Canonical string: date, METHOD, host, path, params, one per line, joined with LF.
$DuoParams = @(
    $Date.Trim(),
    $method.ToUpper().Trim(),
    $apiHost.ToLower().Trim(),
    $path.Trim(),
    $StringAPIParams.Trim()
) -join "`n"

# Sign the canonical string with HMAC-SHA1 keyed by the secret key; the
# lower-case hex digest is the HTTP Basic password.
$hmacsha = New-Object System.Security.Cryptography.HMACSHA1
$hmacsha.Key = [System.Text.Encoding]::UTF8.GetBytes($skey)
$hash_bytes = $hmacsha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($DuoParams))
$hash_hex = [System.BitConverter]::ToString($hash_bytes)
$response1 = $hash_hex.Replace("-","").ToLower()

# HTTP Basic credentials: integration key as user name, signature as password.
$auth = "$ikey" + ":" + "$response1"
$auth = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($auth))

# Parameters for the web request (splatting). X-Duo-Date must be the exact string
# that was signed, and the header value is "Basic <base64>" (RFC 7617), with a
# space and no colon after "Basic".
$DUOWebRequestParams = @{
    URI         = ('https://{0}{1}' -f $apiHost, $path)
    Headers     = @{
        "X-Duo-Date"    = $Date
        "Authorization" = "Basic " + $auth
    }
    Body        = $StringAPIParams
    Method      = $method
    ContentType = 'application/x-www-form-urlencoded'
}
$Response = Invoke-RestMethod @DUOWebRequestParams
If ($Response.stat -ne 'OK') {
    Write-Warning 'DUO REST Call Failed'
    Write-Warning ($StringAPIParams | Out-String)
    Write-Warning "$method,$path"
}

# "allow" or "deny"; this is the value Ivanti Automation captures from standard output.
$Output = $Response.response.result
Write-Output $Output

Make sure the Integration key, Secret key, API hostname and username are filled in for testing.
Test the script before adding it to Ivanti Automation. If the test is successful, Write-Output shows allow. This output will be captured in Ivanti Automation; more on that later.
Below the login request on a mobile device when executing the script.
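As an added example, not code from the original post: because Ivanti Automation captures whatever the script writes to standard output and the service later compares that value literally with allow, it helps to reduce every possible outcome of the API call to exactly one of two tokens, allow or deny, and to make every error path a denial. The function below does that; the three sample responses and the thrown error are constructed by hand in the shape Duo documents for /auth/v2/auth (the error code and messages are illustrative), so the block runs offline without contacting Duo.

```powershell
# Added example (not from the original post): fail-closed verdict for a Duo
# /auth/v2/auth call. Returns the single token 'allow' or 'deny'.
function Get-DuoVerdict {
    param(
        # Script block that performs the request and returns the parsed JSON,
        # e.g. { Invoke-RestMethod @DUOWebRequestParams }.
        [Parameter(Mandatory)][scriptblock]$Request
    )
    try {
        $r = & $Request
    } catch {
        # Invoke-RestMethod throws on HTTP 4xx/5xx, DNS failures and timeouts:
        # no answer from Duo is a denial, never an approval.
        Write-Warning "Duo request failed: $($_.Exception.Message)"
        return 'deny'
    }
    if ($null -eq $r -or $r.stat -ne 'OK') {
        # stat=FAIL carries code/message (bad signature, unknown user, ...).
        Write-Warning ("Duo returned stat={0} code={1} message={2}" -f $r.stat, $r.code, $r.message)
        return 'deny'
    }
    # Only an explicit, case-sensitive result of 'allow' is accepted. 'deny',
    # a missing field or any value this code does not know all end in deny.
    if ($r.response.result -ceq 'allow') {
        Write-Warning ("Duo status={0}: {1}" -f $r.response.status, $r.response.status_msg)
        return 'allow'
    }
    Write-Warning ("Duo denied: status={0} {1}" -f $r.response.status, $r.response.status_msg)
    return 'deny'
}

# Constructed sample responses (values illustrative, not captured from Duo).
$approved = [pscustomobject]@{ stat = 'OK'; response = [pscustomobject]@{
    result = 'allow'; status = 'allow'; status_msg = 'Success. Logging you in...' } }
$rejected = [pscustomobject]@{ stat = 'OK'; response = [pscustomobject]@{
    result = 'deny'; status = 'deny'; status_msg = 'Login request denied.' } }
$failed   = [pscustomobject]@{ stat = 'FAIL'; code = 40103;
    message = 'Invalid signature in request credentials' }

Get-DuoVerdict -Request { $approved }
Get-DuoVerdict -Request { $rejected }
Get-DuoVerdict -Request { $failed }
Get-DuoVerdict -Request { throw 'The operation has timed out' }
```

The first call returns allow and the other three deny. In the Automation module the last line of the script would become `Get-DuoVerdict -Request { Invoke-RestMethod @DUOWebRequestParams }`, so the verdict is the only value the Set parameter with standard output option captures. Logging `status` and `status_msg` as well is worthwhile: they tell you whether an allow came from a push approval or from a bypass, and why a deny happened.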

Implement Duo Authentication in Ivanti Automation and Ivanti Identity Director for Password Reset.

Ivanti Automation Configuration

Open the Ivanti Automation Console and select Variables from the Library.
Create a new folder and give this the name “Duo Authentication”.
Create three variables:

  • ikey – Duo Auth –> Type Text
  • skey – Duo Auth –> Type Password
  • API Host – Duo Auth –> Type Text

Next select Modules from the Library.
Select New and name the Module. Select the Task tab and select Add. Select the task Windows PowerShell Script (Execute).
Create two Module parameters in the Module Parameters tab:

  • username –> Type Text
  • result –> Type Text

Copy/paste the script shown above into the Script tab. Make sure the PowerShell variables:

$skey
$ikey
$apiHost

reference the corresponding Ivanti variables (the ^[...] placeholders), and map the module parameter username to the $username variable (the $[...] placeholder). See the example below.

$method = "POST"
$path = "/auth/v2/auth"
$skey = "^[skey - Duo Auth]"
$iKey = "^[ikey - Duo Auth]"
$apiHost = "^[API Host - Duo Auth]"
$contentType = "application/x-www-form-urlencoded"
$Date = (Get-Date).ToUniversalTime().ToString("ddd, dd MMM yyyy HH:mm:ss -0000", [System.Globalization.CultureInfo]::InvariantCulture)
$username = "$[Username]"
$factor = "push"
$device = "auto"

When finished select the Settings tab and configure the option Set parameter with standard output and select the parameter result from the list. See configuration below.

Next step is creating a RunBook because Ivanti Identity Director can only invoke Ivanti Automation RunBooks.

Select Run Books from Library and create a new folder with the name Duo Authentication. Select New and give the Run Book a name. Select the Jobs tab and select Add to select the Duo Authentication Module in the What field and select an Agent or Team in the Who field.

Select OK to continue. Select the tab Run book Parameters and select the option AutoCreate. Select Yes if the Links need to be created.

Select the Links tab and right click on the result parameter and configure the action to Both.

The other parameters don't need to be changed. Select OK and the Run Book is created.

Ivanti Identity Director Configuration

Open the Ivanti Identity Director management portal and login.
This blog assumes the Password Reset Building Blocks have been imported.

There are two services available for Password Reset. I'm not discussing the imported services that store additional information, such as Security Questions and Private E-mail Address.

  • Reset Password and mail a new one
  • Reset Password based on user input

Open both services, select Duplicate and rename the duplicated services by appending "with Duo Authentication". Select the service Reset Password based on user input with Duo Authentication and select Attributes. Create a new Attribute based on Type and name it Result. Continue by selecting Workflow.
The workflow looks like below:

Select the + sign below the Provide Information action and select the Invoke Run Book action.
Select the Duo Authentication Run Book and wait until the Run Book Parameters and Run Book Results appear.

Select the Run Book Parameters and add the Requester Username value to the username parameter.

Select the Run Book Results, select the result parameter from the list and map it to the Service Attribute Result.

The last step is adding a check on whether the Duo authentication was allowed or denied.
Select the + sign under the newly created Invoke Run Book action and select the workflow action Compare Attributes.

Compare the Service Attribute Result value with allow (the output of the Duo Auth API).

If the Duo authentication is approved, the service continues; otherwise it fails. Because this is an exact comparison, a deny, an API error or a failed Run Book (which leave Result empty or containing something other than allow) all stop the service, so the check fails closed.

Save the service. The user enters the new password before the Duo authentication runs, because of the Password Input and Password Attribute in the imported workflow; the password is only applied after the Compare Attributes check passes.

I'm still working on new services and on moving the Duo API PowerShell script to the new PowerShell workflow action, which will make the service faster.

Please let me know if there are any questions.

This Post Has One Comment

  1. Matt

    Sander – Thank you for sharing this configuration. I have integrated Password Reset with Google Authenticator, but the DUO method looks to be more functional. Looking forward to setting this up in my lab environment.
