Grouper has a change log consumer which can sync a folder in Grouper and use the extensions of groups in the folder as group names in Duo.  It will also sync the group description to Duo. There is a daemon which will run periodically for a full refresh (nightly?).  The change log consumer will sync changes real time.

Why use this?

You can have groups in Duo which are required for integrations.  This is another layer of authorization and deprovisioning for your systems.  For instance, you could have a group for your IT department, and require that group for your IT dept VPN, RDP, SSH.  Someone not in that group would not be able to use those resources at the Duo level.


Grouper duo integration


# these are properties to add to
# group duo admin domain name credentials
grouperDuo.adminIntegrationKey = 
grouperDuo.adminSecretKey = 
grouperDuo.adminDomainName = 

# put groups in here which go to duo, the name in duo will be the extension here = a:b:c

# put the comma separated list of sources to send to duo (values from subjectApi.source.<value>.id =<value>): minimum of 1 value is required.
grouperDuo.sourcesForSubjects = someSource,someOtherSource

# either have id for subject id or an attribute for the duo username (e.g. netId)
grouperDuo.subjectAttributeForDuoUsername = id

# is grouper the true system of record, delete duo groups which do not exist in grouper
grouperDuo.deleteGroupsInDuoWhichArentInGrouper = true

# configure the duo change log consumer
changeLog.consumer.duo.class = edu.internet2.middleware.grouperDuo.GrouperDuoChangeLogConsumer

#the quartz cron is a cron-like string.  it defaults to every minute on the minute (since the temp to change log job runs
#at 10 seconds to each minute).  it defaults to this: 0 * * * * ?
#though it will stagger each one by 2 seconds
changeLog.consumer.duo.quartzCron = 

# Schedule full refresh
otherJob.duo.class = edu.internet2.middleware.grouperDuo.GrouperDuoFullRefresh
otherJob.duo.quartzCron = 0 0 5 * * ?


This runs in the loader.  Get the grouper-misc/grouper-duo project.  Build (or download 2.1.5, 2.2.2) the jar for the grouper duo source.  Add in the duo client jars (4 of them). ( NOTE: 2.5 containers already have these jars.)  Configure the  Note, the Duo client runs in Java7+.

  • No labels