Skip to end of metadata
Go to start of metadata

Grouper has a change log consumer which can sync a folder in grouper and use the extensions of groups in the folder as group names in Duo.  It will also sync the group description to Duo. There is a daemon which will run periodically for a full refresh (nightly?).  The change log consumer will sync changes real time.

Why use this?

You can have groups in Duo which are required for integrations.  This is another layer of authorization and deprovisioning for your systems.  For instance, you could have a group for your IT department, and require that group for your IT dept VPN, RDP, SSH.  Someone not in that group would not be able to use those resources at the Duo level.

Architecture

Grouper duo integration

Configure

grouper-loader.properties

# these are properties to add to grouper-loader.properties
# group duo admin domain name credentials
grouperDuo.adminIntegrationKey = 
grouperDuo.adminSecretKey = 
grouperDuo.adminDomainName = 


# put groups in here which go to duo, the name in duo will be the extension here
grouperDuo.folder.name.withDuoGroups = a:b:c


# put the comma separated list of sources to send to duo
grouperDuo.sourcesForSubjects = someSource


# either have id for subject id or an attribute for the duo username (e.g. netId)
grouperDuo.subjectAttributeForDuoUsername = id


# is grouper the true system of record, delete duo groups which dont exist in grouper
grouperDuo.deleteGroupsInDuoWhichArentInGrouper = true


# configure the duo change log consumer
changeLog.consumer.duo.class = edu.internet2.middleware.grouperDuo.GrouperDuoChangeLogConsumer


#the quartz cron is a cron-like string.  it defaults to every minute on the minute (since the temp to change log job runs
#at 10 seconds to each minute).  it defaults to this: 0 * * * * ?
#though it will stagger each one by 2 seconds
# http://www.quartz-scheduler.org/documentation/quartz-1.x/tutorials/crontrigger
changeLog.consumer.duo.quartzCron = 


# Schedule full refresh
otherJob.duo.class = edu.internet2.middleware.grouperDuo.GrouperDuoFullRefresh
otherJob.duo.quartzCron = 0 0 5 * * ?


Install

This runs in the loader.  Get the grouper-misc/grouper-duo project.  Build (or download 2.1.5, 2.2.2) the jar for the grouper duo source.  Add in the duo client jars (4 of them).  Configure the grouper-loader.properties.  Note, the Duo client runs in Java7+.

  • No labels