Child pages
  • Grouper Duo admin users
Skip to end of metadata
Go to start of metadata

This is a contrib from Ohio State in patch 2.4.0 api #73. GRP-2313 

The goal of the additional work was to manage Duo Administrative Roles within an account. (REF: https://duo.com/docs/admin-roles )

By default the code should work the same as it did from the commit https://github.com/Internet2/grouper/commit/184c7fc114d68363a2d6cc61700fa5348cfe04ef  ( v2.3 code base )..

These additions do not alter the core of the existing design/features. Configure and turn on the new stuff if you want to use it.

It uses a single AttrDef with three AttrNames to fulfill these attributes (not required, but we did it this way) :

AttrDef should be assignable to 'Group/Role/Local Entity" and Member. ( Type= "String" ), Single assign, Single valued.

grouperDuo.attributeForAdminId = etc:attribute:....:adminId

grouperDuo.attributeForAdminRole = etc:attribute:...:adminRole

grouperDuo.attributeForAdminNameSuffix = etc:attribute:...:adminUserNameSuffix


               

Configure

Changes to grouper-loader.properties :

# If true, grouper will manage Duo administrators. Disabled by default. 
# Your Duo application keys will require permissions to manage administrators.
grouperDuo.adminSyncEnabled = false

# A comma separated set of Duo roles to be managed. By default it includes all roles.
grouperDuo.manageableAdminRoles = Owner,Administrator,Application Manager,User Manager,Help Desk,Billing,Phishing Manager,Read-only

# The default password to assign to created administrator accounts. Must meet Duo's administrator password policies.
grouperDuo.defaultAdminPassword = 

# If true, administrator accounts that are not managed by Grouper will be disabled.
grouperDuo.disableUnknownAdmins = false

# If true, disabled administrator accounts that are not managed by Grouper will be deleted.
# Only disabled administrator accounts will be deleted, so grouperDuo.disableUnknownAdmins should
# be set to true.
grouperDuo.deleteUnknownAdmins = false

# If grouperDuo.deleteUnkownAdmins is true, it will wait this many seconds since the user's last login
# before deleting the account. This is helpful when a user is switching roles, they do not have to 
# register their device again.
grouperDuo.deleteUnknownAdminsAfterSeconds = 2592000

# Comma separated list of email addresses to ignore when managing Administrators.
grouerDuo.ignoreAdminEmails = 



  • No labels