This is a contrib from Ohio State in patch 2.4.0 api #73. GRP-2313
The goal of the additional work was to manage Duo Administrative Roles within an account. (REF: https://duo.com/docs/admin-roles)
By default the code should work the same as it did from the commit https://github.com/Internet2/grouper/commit/184c7fc114d68363a2d6cc61700fa5348cfe04ef (v2.3 code base).
These additions do not alter the core of the existing design/features. Configure and turn on the new stuff if you want to use it.
It uses a single AttrDef with three AttrNames to fulfill these attributes (not required, but we did it this way):
AttrDef should be assignable to "Group/Role/Local Entity" and Member (Type = "String"), single assign, single valued.
grouperDuo.attributeForAdminId = etc:attribute:....:adminId
grouperDuo.attributeForAdminRole = etc:attribute:...:adminRole
grouperDuo.attributeForAdminNameSuffix = etc:attribute:...:adminUserNameSuffix
Changes to grouper-loader.properties:
# If true, grouper will manage Duo administrators. Disabled by default.
# Your Duo application keys will require permissions to manage administrators.
grouperDuo.adminSyncEnabled = false
# A comma separated set of Duo roles to be managed. By default it includes all roles.
grouperDuo.manageableAdminRoles = Owner,Administrator,Application Manager,User Manager,Help Desk,Billing,Phishing Manager,Read-only
# The default password to assign to created administrator accounts. Must meet Duo's administrator password policies.
# If true, administrator accounts that are not managed by Grouper will be disabled.
grouperDuo.disableUnknownAdmins = false
# If true, disabled administrator accounts that are not managed by Grouper will be deleted.
# Only disabled administrator accounts will be deleted, so grouperDuo.disableUnknownAdmins should
# be set to true.
grouperDuo.deleteUnknownAdmins = false
# If grouperDuo.deleteUnknownAdmins is true, it will wait this many seconds since the user's last login
# before deleting the account. This is helpful when a user is switching roles: they do not have to
# register their device again.
grouperDuo.deleteUnknownAdminsAfterSeconds = 2592000
# Comma separated list of email addresses to ignore when managing Administrators.
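The settings above interact: deletion only ever touches already-disabled accounts, so deleteUnknownAdmins does nothing unless disableUnknownAdmins is on, and the grace period is measured from the admin's last login. The script below is an added illustration, not part of the Grouper contribution or the Duo API: it parses a constructed grouper-loader.properties fragment, checks those cross-setting constraints, and walks a few constructed Duo admin records (fields `email`, `status`, `last_login` are assumed names) through the disable/delete decision the comments describe. Accounts with no recorded login are left alone; that conservative choice is an assumption of this example, not something the page specifies.

```python
"""Model of the grouperDuo admin-sync settings and their decision rules.

Added example, not Grouper's own code. It assumes a key=value properties
fragment and a simplified admin record shape; both are constructed here.
"""
import time

# The eight Duo administrative roles listed in the page's default for
# grouperDuo.manageableAdminRoles.
KNOWN_ROLES = {
    "Owner", "Administrator", "Application Manager", "User Manager",
    "Help Desk", "Billing", "Phishing Manager", "Read-only",
}

# Constructed grouper-loader.properties fragment (sample values only).
SAMPLE_PROPERTIES = """\
# sync on, manage three roles, disable strangers, delete them 30 days after last login
grouperDuo.adminSyncEnabled = true
grouperDuo.manageableAdminRoles = Owner,Administrator,Help Desk
grouperDuo.disableUnknownAdmins = true
grouperDuo.deleteUnknownAdmins = true
grouperDuo.deleteUnknownAdminsAfterSeconds = 2592000
"""


def parse_properties(text):
    """Minimal Java-properties-style parser: 'key = value', '#'/'!' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def as_bool(props, key):
    """Properties are strings; anything other than 'true' counts as false (the page's defaults)."""
    return props.get(key, "false").strip().lower() == "true"


def validate(props):
    """Return a list of problems; empty means the fragment is consistent with the page's rules."""
    problems = []
    for key in ("grouperDuo.adminSyncEnabled", "grouperDuo.disableUnknownAdmins",
                "grouperDuo.deleteUnknownAdmins"):
        if props.get(key, "false").strip().lower() not in ("true", "false"):
            problems.append(f"{key} must be true or false, got {props[key]!r}")
    # Only disabled accounts are deleted, so delete without disable never fires.
    if as_bool(props, "grouperDuo.deleteUnknownAdmins") and not as_bool(props, "grouperDuo.disableUnknownAdmins"):
        problems.append("grouperDuo.deleteUnknownAdmins=true requires grouperDuo.disableUnknownAdmins=true")
    roles_value = props.get("grouperDuo.manageableAdminRoles", ",".join(sorted(KNOWN_ROLES)))
    for role in (r.strip() for r in roles_value.split(",") if r.strip()):
        if role not in KNOWN_ROLES:
            problems.append(f"unknown Duo admin role in grouperDuo.manageableAdminRoles: {role!r}")
    secs = props.get("grouperDuo.deleteUnknownAdminsAfterSeconds", "2592000")
    if not secs.isdigit():
        problems.append(f"grouperDuo.deleteUnknownAdminsAfterSeconds must be a non-negative integer, got {secs!r}")
    return problems


def plan_unknown_admin(admin, props, managed_emails, ignored_emails, now=None):
    """Decide what the sync would do with one Duo admin record.

    admin: constructed dict with 'email', 'status' ('Active' or 'Disabled') and
    'last_login' (epoch seconds or None). Returns ignore / keep / disable / delete.
    """
    now = time.time() if now is None else now
    email = admin["email"].lower()
    if email in {e.lower() for e in ignored_emails}:
        return "ignore"          # on the ignore list: never touched
    if email in {e.lower() for e in managed_emails}:
        return "keep"            # Grouper-managed: role/name reconciliation happens elsewhere
    if admin["status"] != "Disabled":
        return "disable" if as_bool(props, "grouperDuo.disableUnknownAdmins") else "keep"
    if not as_bool(props, "grouperDuo.deleteUnknownAdmins"):
        return "keep"            # disabled and unknown, but deletion is off
    grace = int(props.get("grouperDuo.deleteUnknownAdminsAfterSeconds", "2592000"))
    last_login = admin.get("last_login")
    if last_login is None:
        return "keep"            # assumption: no login on record, leave for human review
    return "delete" if now - last_login >= grace else "keep"


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("config problems:", validate(props) or "none")
    now = 1_700_000_000
    sample_admins = [  # constructed records
        {"email": "alice@example.edu", "status": "Active", "last_login": now - 100},
        {"email": "bob@example.edu", "status": "Active", "last_login": now - 100},
        {"email": "carol@example.edu", "status": "Disabled", "last_login": now - 40 * 86400},
        {"email": "dave@example.edu", "status": "Disabled", "last_login": now - 5 * 86400},
        {"email": "breakglass@example.edu", "status": "Active", "last_login": None},
    ]
    for a in sample_admins:
        action = plan_unknown_admin(a, props, ["alice@example.edu"], ["breakglass@example.edu"], now)
        print(f"{a['email']:25} -> {action}")
```

Run it before enabling the sync against a real account: the `validate` pass catches the delete-without-disable combination the page warns about, and the dry-run table shows which existing Duo admins the current settings would disable or delete.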