You can configure OneLogin to enable your users to use Duo Security for two-factor authentication. When your administrative configuration is complete, your users will be able to enroll themselves in Duo and register their Duo-enabled device with OneLogin.
End users can view enrollment and registration instructions at Duo Security for End Users.
- Sign up for a Duo account.
- Log in to the Duo Admin Panel and navigate to Applications.
- Click Protect an Application and locate OneLogin in the applications list.
- Click Protect this Application to get your integration key, secret key, and API hostname. (See Duo's Getting Started documentation for help.)
Adding Duo to OneLogin as an Authentication Factor
Log in to your OneLogin account.
Go to Settings > Authentication Factors and click the New Auth Factor button.
Choose Duo Security.
Enter the following values on the Add Duo Security dialog and click Save.
You should have gathered these values when you performed the Prerequisites.
- User Description: A descriptive name for the Duo authentication factor that will help end users when they select it as their secondary auth factor. For example, “Duo Security.”
- Integration Key: Your integration key
- Secret Key: Your secret key
- API Hostname: Your API hostname (i.e.
- Duo OTP Identifier: The unique user ID that you use with Duo. Typically, this is Email, but your implementation of Duo may use a different unique identifier. The ID you choose here must be unique, must always be populated, and must be the ID in use for all already-existing Duo users. If you need to migrate existing Duo users to a different unique identifier, please contact Duo for guidance.
Confirm that the Authentication & Security page includes Duo Security in the authentication factors list.
Configuring and Applying a User Policy
Go to Settings > Policies and click the New User Policy button.
Give the new policy a descriptive name, such as Duo MFA Policy, and click the checkmark button next to the policy name field to apply.
Go to the MFA tab in the policy editor to configure OTP authentication settings.
Select the OTP Auth Required option.
- Select Duo Security from the list of Available factors.
Use the OTP required for dropdown to select which users you want to require to use Duo.
Select All users if you want to require everyone subject to this policy to enroll with Duo at login time. If you would like to give users the option to enroll with Duo from their OneLogin settings after logging in, select Configured users only.
Use the OTP required at dropdown to set when users are required to supply Duo authentication credentials.
If you want your users to complete Duo authentication at every login, select At every login. Select Unknown browser to present your users with a “Browser not recognized” message after they complete Duo two-factor authentication. The user is asked whether to "Remember" or "Forget" the browser. If the user chooses to remember the browser, the next login using the same browser will not prompt for Duo authentication.
Bypass the Duo second-factor requirement for particular IP addresses (when, for example, you don't want to require Duo authentication for users within your firewall).
- Click Save to create the new policy.
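The policy options above decide which logins finish with a password alone. The following Python model is an added example, not OneLogin or Duo code, that flags those logins for a given combination of settings. The field names, the sample logins, and the evaluation order (IP bypass, then enrollment state, then remembered browser) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class DuoMfaPolicy:
    # Hypothetical field names that mirror the options in the policy editor.
    otp_required_for: str = "all_users"      # or "configured_users_only"
    otp_required_at: str = "every_login"     # or "unknown_browser"
    bypass_networks: list = field(default_factory=list)  # CIDR strings

def duo_outcome(policy, *, enrolled, source_ip, browser_remembered):
    """Return 'bypass', 'skip', 'enroll' or 'challenge' for one login.

    Assumed evaluation order (not documented on this page):
    IP bypass, then enrollment state, then remembered browser.
    """
    ip = ipaddress.ip_address(source_ip)
    if any(ip in ipaddress.ip_network(net) for net in policy.bypass_networks):
        return "bypass"                      # password only from these addresses
    if not enrolled:
        # "All users" forces enrollment at login; "Configured users only"
        # leaves unenrolled users on password-only until they add a device.
        return "enroll" if policy.otp_required_for == "all_users" else "skip"
    if policy.otp_required_at == "unknown_browser" and browser_remembered:
        return "skip"                        # remembered browser: no Duo prompt
    return "challenge"

def single_factor_logins(policy, logins):
    """List the users whose login completes without a Duo prompt."""
    return [entry["user"] for entry in logins
            if duo_outcome(policy, enrolled=entry["enrolled"],
                           source_ip=entry["ip"],
                           browser_remembered=entry["remembered"])
            in ("bypass", "skip")]

# Constructed sample logins (documentation address ranges, made-up users).
SAMPLE_LOGINS = [
    {"user": "alice", "enrolled": True,  "ip": "203.0.113.10", "remembered": False},
    {"user": "bob",   "enrolled": True,  "ip": "203.0.113.11", "remembered": True},
    {"user": "carol", "enrolled": False, "ip": "198.51.100.7", "remembered": False},
    {"user": "dave",  "enrolled": True,  "ip": "10.1.2.3",     "remembered": False},
]

STRICT = DuoMfaPolicy()  # All users, At every login, no IP bypass
RELAXED = DuoMfaPolicy("configured_users_only", "unknown_browser", ["10.0.0.0/8"])

if __name__ == "__main__":
    print("strict :", single_factor_logins(STRICT, SAMPLE_LOGINS))
    print("relaxed:", single_factor_logins(RELAXED, SAMPLE_LOGINS))
```

Each user listed for the relaxed policy reaches OneLogin with the primary password only, which is the exposure to weigh when choosing Configured users only, Unknown browser, or an IP bypass range.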
Apply the new Duo MFA policy.
To make the new MFA policy the default for all users, click the More Actions button and select Set as default policy.
To apply the new Duo MFA policy to individual users, go to Users > All Users. Click a listed user to open the User Info page, and change the Security Policy dropdown setting to your new Duo MFA policy. Click the Save User button to apply the change.
To apply the new Duo MFA policy to a subset of users, you can create a group, add those users to the new group, and apply the policy to that group. To create a new OneLogin group, go to Users > Groups. Click the New Group button. Give the new group a descriptive name, such as Duo Users, and click the checkmark button next to the group name field to apply. In the Group Security Policy section, change the Security policy pull-down menu option to the new Duo MFA group created earlier.
Return to the All Users page and edit the properties of individual users to add them to the new Duo group so they receive the new MFA policy.
For more information, see User Policies.
If your MFA user policy is set to require OTP for all users, the next time your users log in to OneLogin they will see the Duo New Enrollment prompt after entering the primary username and password. The enrollment wizard will prompt for a phone number and verify it with a simple phone call or text message.
The next time a user logs in after completing enrollment, Duo Security’s two-factor authentication will be ready to use! Users can approve a Duo Push authentication request from a smartphone or tablet, approve authentication over the phone, or enter a passcode generated via the Duo Mobile app, text message, or hardware token.
If your MFA user policy is set to require OTP for configured users only, your OneLogin users will need to manually configure Duo after login by clicking on the username in the top right side of the OneLogin window, and selecting Security from the menu.
The user sees that no Authentication Devices are registered. Click the plus sign icon to Add Device.
OneLogin presents the Duo enrollment or authentication prompt to the user.
After completing enrollment or authenticating with a previously enrolled device, the user’s Security properties show Duo as a registered Authentication Device.
The next time the user logs on to OneLogin, the Duo two-factor authentication prompt is shown after primary username and password submission.