The goal of the additional work was to manage Duo Administrative Roles within an account. (REF: https://duo.com/docs/admin-roles )
By default the code behaves the same as it did at commit https://github.com/Internet2/grouper/commit/184c7fc114d68363a2d6cc61700fa5348cfe04ef (v2.3 code base).
AKA: We made additions without altering the core of the existing design/features.
So you need to configure and turn on the new stuff if you want to use it.
Code has some comments/docs included.
Config file has some comments/docs included.
Changes to grouper-loader.properties:
- If true, grouper will manage Duo administrators. Disabled by default.
- Your Duo application keys will require permissions to manage administrators.
grouperDuo.adminSyncEnabled = false
- The folder in which Duo administrator groups will be located
- The attribute to assign to the user with their administrator id.
- The attribute assigned to the group containing the group's role
- The subject attribute for the name provided to Duo for new Administrator accounts
grouperDuo.subjectAttributeForName = name
- The subject attribute for the fallback number to be provided to Duo for new Administrator accounts.
- This value is only used if the user does not already have a phone number on a regular Duo account.
- If one exists, the primary phone on the user's regular Duo account will be used first.
grouperDuo.subjectAttributeForPhoneName = phone
- The subject attribute for the user's email address.
grouperDuo.subjectAttributeForEmailName = email
- A comma separated set of Duo roles to be managed. By default it includes all roles.
grouperDuo.manageableAdminRoles = Owner,Administrator,Application Manager,User Manager,Help Desk,Billing,Phishing Manager,Read-only
- The default password to assign to created administrator accounts. Must meet Duo's administrator password policies.
- If true, administrator accounts that are not managed by Grouper will be disabled.
grouperDuo.disableUnknownAdmins = false
- If true, disabled administrator accounts that are not managed by Grouper will be deleted.
- Only disabled administrator accounts will be deleted, so grouperDuo.disableUnknownAdmins should
- be set to true.
grouperDuo.deleteUnknownAdmins = false
- If grouperDuo.deleteUnknownAdmins is true, the sync waits this many seconds after the user's last login
- before deleting the account. This helps when a user is switching roles: they do not have to
- register their device again.
grouperDuo.deleteUnknownAdminsAfterSeconds = 2592000
- Comma separated list of email addresses to ignore when managing Administrators.
- A group to receive emails when something (a warning or an error) happens in the integration.
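As an added illustration (not Grouper's own code), the following Python models the decision the sync makes for each Duo administrator under the manageable-role, ignore-list, disable and delete settings above. The configuration values, admin records and timestamps are constructed, and treating an admin with no recorded login as not yet eligible for deletion is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed settings mirroring the grouper-loader.properties keys described above.
CONFIG = {
    "manageableAdminRoles": {"Owner", "Administrator", "Help Desk"},
    "disableUnknownAdmins": True,
    "deleteUnknownAdmins": True,
    "deleteUnknownAdminsAfterSeconds": 2592000,       # 30 days
    "ignoreEmails": {"breakglass@example.edu"},       # constructed ignore list
}

@dataclass
class DuoAdmin:
    email: str
    role: str
    status: str                 # "active" or "disabled"
    last_login: Optional[int]   # epoch seconds; None if the admin has never logged in

def plan_action(admin, grouper_managed_emails, now, cfg=CONFIG):
    """Return the action the sync would take for one Duo administrator record."""
    if admin.email in cfg["ignoreEmails"]:
        return "ignore"                       # never touched by the integration
    if admin.role not in cfg["manageableAdminRoles"]:
        return "skip-unmanaged-role"          # role is outside grouperDuo.manageableAdminRoles
    if admin.email in grouper_managed_emails:
        return "keep"                         # Grouper owns this admin
    if admin.status == "active":
        # Unknown and still active: disable first, never delete directly
        return "disable" if cfg["disableUnknownAdmins"] else "keep"
    if not cfg["deleteUnknownAdmins"] or admin.last_login is None:
        return "keep"                         # assumption: no recorded login -> not yet eligible
    idle = now - admin.last_login
    return "delete" if idle >= cfg["deleteUnknownAdminsAfterSeconds"] else "keep"

def plan_sync(admins, grouper_managed_emails, now, cfg=CONFIG):
    """Map each admin email to the planned action for a whole full-sync run."""
    return {a.email: plan_action(a, grouper_managed_emails, now, cfg) for a in admins}

NOW = 1_700_000_000   # constructed "current time"
SAMPLE_ADMINS = [
    DuoAdmin("alice@example.edu", "Owner", "active", NOW - 3600),                    # managed
    DuoAdmin("bob@example.edu", "Help Desk", "active", NOW - 86400),                 # unknown, active
    DuoAdmin("carol@example.edu", "Administrator", "disabled", NOW - 40 * 86400),    # unknown, idle 40d
    DuoAdmin("dave@example.edu", "Administrator", "disabled", NOW - 5 * 86400),      # unknown, idle 5d
    DuoAdmin("breakglass@example.edu", "Owner", "active", None),                     # ignored
    DuoAdmin("erin@example.edu", "Billing", "active", NOW - 100),                    # role not managed
]
MANAGED = {"alice@example.edu"}   # constructed set of emails Grouper currently manages
```

Running `plan_sync(SAMPLE_ADMINS, MANAGED, NOW)` shows that only the disabled admin idle beyond the grace period is deleted, while an unknown active admin is merely disabled.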
FWIW: We used a single AttrDef with three AttrNames to fulfill these attributes (not required, but we did it this way):
AttrDef should be assignable to 'Group/Role/Local Entity' and Member (Type = "String"), single assign, single valued.
grouperDuo.attributeForAdminId = etc:attribute:....:adminId
grouperDuo.attributeForAdminRole = etc:attribute:...:adminRole
grouperDuo.attributeForAdminNameSuffix = etc:attribute:...:adminUserNameSuffix
The existing ChangeLogConsumer does the event processing for Administrator accounts/roles now.
- Schedule a full sync for the DuoAdmin integration
otherJob.duoFullSync.class = edu.internet2.middleware.grouperDuo.GrouperDuoAdminFullRefresh
otherJob.duoFullSync.quartzCron = 0 1 6 * * ?
otherJob.duoFullSync.priority = 5