Grouper / GRP-2313

Duo integration does not manage Admin Roles



    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • Fix Version: 2.3.0.patch
    • Labels: duo


      The goal of the additional work was to manage Duo Administrative Roles within an account (ref: https://duo.com/docs/admin-roles).

      By default the code should work the same as it did from commit https://github.com/Internet2/grouper/commit/184c7fc114d68363a2d6cc61700fa5348cfe04ef (v2.3 code base).

      AKA: We made additions without altering the core of the existing design/features. So you need to configure and turn on the new stuff if you want to use it.

      Code has some comments/docs included.

      Config file has some comments/docs included.


      Changes to grouper-loader.properties (new keys, shown with their comments and defaults):

      # If true, grouper will manage Duo administrators. Disabled by default.
      # Your Duo application keys will require permissions to manage administrators.
      grouperDuo.adminSyncEnabled = false

      # The folder in which Duo administrator groups will be located

      # The attribute to assign to the user with their administrator id.

      # The attribute assigned to the group containing the group's role

      # The subject attribute for the name provided to Duo for new administrator accounts.
      grouperDuo.subjectAttributeForName = name

      # The subject attribute for the fallback phone number provided to Duo for new administrator accounts.
      # This value is only used if the user does not already have a phone number on a regular Duo account;
      # if one exists, the primary phone on the user's regular Duo account is used first.
      grouperDuo.subjectAttributeForPhoneName = phone

      # The subject attribute for the user's email address.
      grouperDuo.subjectAttributeForEmailName = email

      # A comma-separated set of Duo roles to be managed. By default it includes all roles.
      grouperDuo.manageableAdminRoles = Owner,Administrator,Application Manager,User Manager,Help Desk,Billing,Phishing Manager,Read-only

      # The default password to assign to created administrator accounts. Must meet Duo's administrator password policy.
      grouperDuo.defaultAdminPassword =

      # If true, administrator accounts that are not managed by Grouper will be disabled.
      grouperDuo.disableUnknownAdmins = false

      # If true, disabled administrator accounts that are not managed by Grouper will be deleted.
      # Only disabled administrator accounts are deleted, so grouperDuo.disableUnknownAdmins should
      # also be set to true for this to have any effect.
      grouperDuo.deleteUnknownAdmins = false

      # If grouperDuo.deleteUnknownAdmins is true, wait this many seconds after the user's last login
      # before deleting the account. This helps when a user is switching roles: they do not have to
      # register their device again. The default is 30 days.
      grouperDuo.deleteUnknownAdminsAfterSeconds = 2592000

      # Comma-separated list of email addresses to ignore when managing administrators.
      grouperDuo.ignoreAdminEmails =

      # A group whose members receive email when the integration logs a warning or error.
      grouperDuo.emailRecipientsGroupName =
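      The following is an added example, not code from Grouper or from this issue: a small model of the decisions the settings above imply, so you can see what a sync run would do before turning it on. It parses a constructed grouper-loader.properties fragment, flags the disableUnknownAdmins/deleteUnknownAdmins dependency, and then plans actions over constructed Duo admin records. Assumptions: the record fields (email, role, status, last_login) are modelled on the admin objects Duo's Admin API returns, the "Active"/"Disabled" statuses and all action labels are this example's own, and a disabled account that has never logged in is treated as deletable immediately (the issue does not say how Grouper handles that case).

```python
"""Model of the grouperDuo.* admin-sync decisions (added example, not Grouper's code)."""

# Constructed grouper-loader.properties fragment using only keys documented in this issue.
SAMPLE_PROPERTIES = """\
grouperDuo.adminSyncEnabled = true
# narrowed from the default list: roles outside this set are left alone
grouperDuo.manageableAdminRoles = Owner,Administrator,Help Desk,Read-only
grouperDuo.disableUnknownAdmins = true
grouperDuo.deleteUnknownAdmins = true
grouperDuo.deleteUnknownAdminsAfterSeconds = 2592000
grouperDuo.ignoreAdminEmails = breakglass@example.edu
"""
ALL_ROLES = "Owner,Administrator,Application Manager,User Manager,Help Desk,Billing,Phishing Manager,Read-only"
NOW = 1_700_000_000  # constructed "now" in unix seconds
DAY = 86400
# Constructed Duo admin records; the field names follow the admin objects returned by
# Duo's Admin API (email, role, status, last_login) but the data is made up.
SAMPLE_DUO_ADMINS = [
    {"email": "alice@example.edu", "role": "Administrator", "status": "Active", "last_login": NOW - DAY},
    {"email": "bob@example.edu", "role": "Owner", "status": "Active", "last_login": NOW - 3 * DAY},
    {"email": "carol@example.edu", "role": "Read-only", "status": "Disabled", "last_login": NOW - 40 * DAY},
    {"email": "dave@example.edu", "role": "Read-only", "status": "Disabled", "last_login": NOW - 10 * DAY},
    {"email": "breakglass@example.edu", "role": "Owner", "status": "Active", "last_login": NOW - 200 * DAY},
]
# Constructed desired state (email -> role) as Grouper derives it from the admin groups' role attribute.
SAMPLE_DESIRED = {"alice@example.edu": "Help Desk", "erin@example.edu": "Administrator",
                  "frank@example.edu": "Billing"}


def parse_properties(text):
    """Minimal 'key = value' parser; '#' lines are comments, as in grouper-loader.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def load_config(props):
    """Apply the issue's defaults and flag the dependency it calls out: deleteUnknownAdmins
    only acts on already-disabled accounts, so it needs disableUnknownAdmins=true to matter."""
    flag = lambda key: props.get(key, "false").strip().lower() == "true"
    csv = lambda key, default="": frozenset(v.strip() for v in props.get(key, default).split(",") if v.strip())
    cfg = {
        "enabled": flag("grouperDuo.adminSyncEnabled"),
        "roles": csv("grouperDuo.manageableAdminRoles", ALL_ROLES),  # default: all roles managed
        "disable_unknown": flag("grouperDuo.disableUnknownAdmins"),
        "delete_unknown": flag("grouperDuo.deleteUnknownAdmins"),
        "delete_after_seconds": int(props.get("grouperDuo.deleteUnknownAdminsAfterSeconds", "2592000")),
        "ignore_emails": frozenset(e.lower() for e in csv("grouperDuo.ignoreAdminEmails")),
        "warnings": [],
    }
    if cfg["delete_unknown"] and not cfg["disable_unknown"]:
        cfg["warnings"].append("deleteUnknownAdmins=true without disableUnknownAdmins=true: "
                               "only accounts disabled by some other means will ever be deleted")
    return cfg


def plan_admin_sync(cfg, duo_admins, desired, now):
    """Return (action, email) pairs; the action names are labels for this example, not Grouper's."""
    if not cfg["enabled"]:
        return []
    actions = []
    in_duo = {a["email"].lower(): a for a in duo_admins}
    wanted = {e.lower(): r for e, r in desired.items()}
    for email, role in sorted(wanted.items()):
        if email in cfg["ignore_emails"]:
            continue
        if role not in cfg["roles"]:
            actions.append(("skip-unmanaged-role", email))  # role excluded by manageableAdminRoles
        elif email not in in_duo:
            actions.append(("create", email))  # new account gets grouperDuo.defaultAdminPassword
        elif in_duo[email]["role"] != role:
            actions.append(("set-role", email))
    for email, admin in in_duo.items():
        if email in wanted or email in cfg["ignore_emails"]:
            continue  # managed, or explicitly exempt (e.g. a break-glass Owner)
        if admin["status"] == "Active" and cfg["disable_unknown"]:
            actions.append(("disable", email))
        elif admin["status"] == "Disabled" and cfg["delete_unknown"]:
            last = admin.get("last_login")
            # Assumption: an account that never logged in has no enrolled device to preserve.
            if last is None or now - last >= cfg["delete_after_seconds"]:
                actions.append(("delete", email))
            else:
                actions.append(("wait", email))  # still inside deleteUnknownAdminsAfterSeconds
    return actions


def demo():
    """Run the sync plan over the constructed inputs."""
    cfg = load_config(parse_properties(SAMPLE_PROPERTIES))
    return cfg["warnings"], plan_admin_sync(cfg, SAMPLE_DUO_ADMINS, SAMPLE_DESIRED, NOW)
```

      Two practical points the model makes visible. First, with disableUnknownAdmins and deleteUnknownAdmins both true, every Duo administrator that is not in a Grouper admin group and not listed in ignoreAdminEmails gets disabled and, 30 days after their last login, deleted; since Owner is in the default manageableAdminRoles, that includes Owners, so list your break-glass Owner (and any account the integration key itself belongs to) in grouperDuo.ignoreAdminEmails before enabling the sync. Second, the Duo application key that can do this is a high-value credential: it can disable or remove every Duo administrator, so guard it like a Duo Owner password.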




      FWIW: We used a single AttrDef with three AttrNames to fulfill these attributes (not required, but we did it this way):

      AttrDef should be assignable to "Group/Role/Local Entity" and Member (type = "String"), single assign, single valued.

      grouperDuo.attributeForAdminId = etc:attribute:....:adminId
      grouperDuo.attributeForAdminRole = etc:attribute:...:adminRole
      grouperDuo.attributeForAdminNameSuffix = etc:attribute:...:adminUserNameSuffix



      The existing ChangeLogConsumer does the event processing for Administrator accounts/roles now.


      # schedule a full sync for the DuoAdmin (this cron runs daily at 06:01)
      otherJob.duoFullSync.class = edu.internet2.middleware.grouperDuo.GrouperDuoAdminFullRefresh
      otherJob.duoFullSync.quartzCron = 0 1 6 * * ?
      otherJob.duoFullSync.priority = 5




            chris.hyzer@at.internet2.edu Chris Hyzer
            carey.black@at.internet2.edu Carey Black (osu.edu)