Grouper issue GRP-2313

Duo integration does not manage Admin Roles


Details

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • Fix Version: 2.3.0.patch
    • duo

    Description

      The goal of the additional work was to manage Duo Administrative Roles within an account. (REF: https://duo.com/docs/admin-roles )

       

      By default the code should work the same as it did from the commit https://github.com/Internet2/grouper/commit/184c7fc114d68363a2d6cc61700fa5348cfe04ef ( v2.3 code base ).

      AKA: We made additions without altering the core of the existing design/features.

      So you need to configure and turn on the new features if you want to use them.

      Code has some comments/docs included.

      Config file has some comments/docs included.

       

      Changes to grouper-loader.properties (the comments are the ones shipped in the config file):

      # If true, grouper will manage Duo administrators. Disabled by default.
      # Your Duo application keys will require permissions to manage administrators.
      grouperDuo.adminSyncEnabled = false

      # The folder in which Duo administrator groups will be located
      grouperDuo.folder.name.withDuoAdmins

      # The attribute to assign to the user with their administrator id.
      grouperDuo.attributeForAdminId

      # The attribute assigned to the group containing the group's role
      grouperDuo.attributeForAdminRole

      # The subject attribute for the name provided to Duo for new Administrator accounts
      grouperDuo.subjectAttributeForName = name

      # The subject attribute for the fallback phone number to be provided to Duo for new Administrator accounts.
      # This value is only used if the user does not already have a phone number on a regular Duo account.
      # If one exists, the primary phone on the user's regular Duo account will be used first.
      grouperDuo.subjectAttributeForPhoneName = phone

      # The subject attribute for the user's email address.
      grouperDuo.subjectAttributeForEmailName = email

      # A comma separated set of Duo roles to be managed. By default it includes all roles.
      grouperDuo.manageableAdminRoles = Owner,Administrator,Application Manager,User Manager,Help Desk,Billing,Phishing Manager,Read-only

      # The default password to assign to created administrator accounts. Must meet Duo's administrator password policies.
      grouperDuo.defaultAdminPassword =

      # If true, administrator accounts that are not managed by Grouper will be disabled.
      grouperDuo.disableUnknownAdmins = false

      # If true, disabled administrator accounts that are not managed by Grouper will be deleted.
      # Only disabled administrator accounts will be deleted, so grouperDuo.disableUnknownAdmins should
      # also be set to true.
      grouperDuo.deleteUnknownAdmins = false

      # If grouperDuo.deleteUnknownAdmins is true, it will wait this many seconds since the user's last login
      # before deleting the account. This is helpful when a user is switching roles: they do not have to
      # register their device again. The default is 30 days.
      grouperDuo.deleteUnknownAdminsAfterSeconds = 2592000

      # Comma separated list of email addresses to ignore when managing Administrators.
      grouperDuo.ignoreAdminEmails =

      # A group whose members receive email when the integration logs a warning or error.
      grouperDuo.emailRecipientsGroupName =
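      The settings above only make sense together, so here is the decision logic of one full sync worked through end to end. This is an added example in Python, not Grouper's Java code: it models the grouperDuo.* knobs as a Config object, takes the admin groups found under the withDuoAdmins folder, the administrators Duo currently reports, and the primary phones of regular Duo user accounts, and returns the actions the sync would take. The sample groups, admins and phone numbers are constructed; the role-precedence rule for a subject in several admin groups, the treatment of never-logged-in accounts, and the hands-off handling of roles outside manageableAdminRoles are assumptions this example makes, since the page does not state them.

```python
"""Full-sync decision logic for Grouper-managed Duo administrators.

Added example, not Grouper's own code. Models the grouperDuo.* admin-sync
settings on constructed data; every rule marked 'assumed' is this example's
choice, not something the issue specifies.
"""
from dataclasses import dataclass
from typing import Optional

# Default value of grouperDuo.manageableAdminRoles.
DEFAULT_ROLES = ("Owner", "Administrator", "Application Manager", "User Manager",
                 "Help Desk", "Billing", "Phishing Manager", "Read-only")


@dataclass(frozen=True)
class Config:
    """Mirrors the grouperDuo.* keys (defaults match the config file)."""
    admin_sync_enabled: bool = False
    manageable_admin_roles: tuple = DEFAULT_ROLES
    disable_unknown_admins: bool = False
    delete_unknown_admins: bool = False
    delete_unknown_admins_after_seconds: int = 2592000      # 30 days
    ignore_admin_emails: tuple = ()


@dataclass(frozen=True)
class Subject:
    name: str                     # grouperDuo.subjectAttributeForName
    email: Optional[str]          # grouperDuo.subjectAttributeForEmailName
    phone: Optional[str] = None   # grouperDuo.subjectAttributeForPhoneName (fallback only)


@dataclass(frozen=True)
class DuoAdmin:
    admin_id: str
    email: str
    role: str
    status: str                   # "Active" or "Disabled"
    last_login: Optional[int]     # epoch seconds; None if the admin never logged in


def desired_admins(cfg, role_groups, ignored):
    """Flatten [(role, [Subject, ...]), ...] into {email: (role, Subject)}.
    Groups whose role is not in manageableAdminRoles and subjects without an
    email are skipped. Assumed: when a subject is in several admin groups the
    role listed first in manageableAdminRoles wins."""
    rank = {r: i for i, r in enumerate(cfg.manageable_admin_roles)}
    wanted = {}
    for role, subjects in role_groups:
        if role not in rank:
            continue
        for s in subjects:
            if not s.email or s.email.lower() in ignored:
                continue
            key = s.email.lower()
            if key not in wanted or rank[role] < rank[wanted[key][0]]:
                wanted[key] = (role, s)
    return wanted


def plan_full_sync(cfg, role_groups, duo_admins, duo_user_phones, now):
    """Return the ordered list of actions one full sync would take.
    duo_user_phones maps email -> primary phone of the user's regular Duo account."""
    if not cfg.admin_sync_enabled:
        return []
    ignored = {e.lower() for e in cfg.ignore_admin_emails}
    wanted = desired_admins(cfg, role_groups, ignored)
    existing = {a.email.lower(): a for a in duo_admins}
    actions = []

    # Managed admins: create, re-enable, or correct the role.
    for email, (role, subj) in sorted(wanted.items()):
        admin = existing.get(email)
        if admin is None:
            # Primary phone on the regular Duo account first, subject attribute second.
            phone = duo_user_phones.get(email) or subj.phone
            actions.append(("create", email, role, subj.name, phone))
            continue
        if admin.status == "Disabled":
            actions.append(("enable", admin.admin_id))
        if admin.role != role:
            actions.append(("update_role", admin.admin_id, role))

    # Unknown admins: disable first; delete only once already disabled and idle
    # for deleteUnknownAdminsAfterSeconds. Deletion also requires
    # disableUnknownAdmins, as the config comment says.
    for email, admin in sorted(existing.items()):
        if email in wanted or email in ignored:
            continue
        if admin.role not in cfg.manageable_admin_roles:
            continue   # assumed: roles outside the managed set are left alone
        if admin.status == "Active":
            if cfg.disable_unknown_admins:
                actions.append(("disable", admin.admin_id))
        elif cfg.delete_unknown_admins and cfg.disable_unknown_admins:
            # assumed: an account that never logged in is eligible immediately
            idle = None if admin.last_login is None else now - admin.last_login
            if idle is None or idle >= cfg.delete_unknown_admins_after_seconds:
                actions.append(("delete", admin.admin_id))
    return actions


# Constructed sample data (not from the page).
NOW = 1_700_000_000
CFG = Config(admin_sync_enabled=True, disable_unknown_admins=True,
             delete_unknown_admins=True, ignore_admin_emails=("breakglass@example.edu",))
GROUPS = [
    ("Owner", [Subject("Ann Owner", "ann@example.edu")]),
    ("Help Desk", [Subject("Ann Owner", "ann@example.edu"),            # also an Owner
                   Subject("Bob Desk", "bob@example.edu", phone="+15555550123"),
                   Subject("No Mail", None)]),                        # cannot be matched
    ("Superuser", [Subject("Eve", "eve@example.edu")]),                # not a Duo role
]
DUO_ADMINS = [
    DuoAdmin("DA1", "ann@example.edu", "Administrator", "Active", NOW - 100),
    DuoAdmin("DA2", "carl@example.edu", "User Manager", "Active", NOW - 100),
    DuoAdmin("DA3", "dana@example.edu", "Read-only", "Disabled", NOW - 40 * 86400),
    DuoAdmin("DA4", "earl@example.edu", "Read-only", "Disabled", NOW - 5 * 86400),
    DuoAdmin("DA5", "breakglass@example.edu", "Owner", "Active", None),
]
USER_PHONES = {"ann@example.edu": "+15555550100"}


def run_demo():
    return plan_full_sync(CFG, GROUPS, DUO_ADMINS, USER_PHONES, NOW)


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

      With the sample data the sync corrects Ann's role to Owner, creates Bob with his subject phone (he has no regular Duo account), disables Carl, deletes Dana (disabled and idle 40 days) but not Earl (idle 5 days), and never touches the break-glass Owner because it is on the ignore list. Note that an unknown active admin is only disabled on this run; it becomes a deletion candidate on a later run once it has been disabled for the configured period.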

       

       

      ###################

      FWIW: We used a single AttrDef with three AttrNames to fulfill these attributes (not required, but we did it this way):

      The AttrDef should be assignable to Group/Role/Local Entity and to Member (type = String), single assign, single valued.

      grouperDuo.attributeForAdminId = etc:attribute:....:adminId

      grouperDuo.attributeForAdminRole = etc:attribute:...:adminRole

      grouperDuo.attributeForAdminNameSuffix = etc:attribute:...:adminUserNameSuffix

       

       

      The existing ChangeLogConsumer now does the event processing for Administrator accounts/roles as well.

      # Schedule a full sync for the Duo admins
      otherJob.duoFullSync.class = edu.internet2.middleware.grouperDuo.GrouperDuoAdminFullRefresh
      otherJob.duoFullSync.quartzCron = 0 1 6 * * ?
      otherJob.duoFullSync.priority = 5

People

    Chris Hyzer (upenn.edu)
    Carey Black (osu.edu)