External System
- Grouper Duo admin roles
- Grouper Duo provisioner configuration start with scaffolding
- Grouper Duo Provisioning groups and membership
Movie
Demo video of provisioning groups and memberships to Duo
Provisioning attributes
Advice
- Provisioning type is membershipObjects
- Use group and entity link (since there are uuids in the target for groups and entities that need to be looked up)
Group attributes. API
Grouper name | Type | Required? | Duo API | Duo UI | Description |
---|---|---|---|---|---|
id | String | required | group_id | (in URL) | This is the UUID read from Duo. Select only. This should not be translated from Grouper and the target attribute should be cached. |
name | String | required | name | Group Name | This is the name of the group on the Duo side. |
description | String | optional | desc | Description | This is the description in Duo |
Entity attributes. API
Grouper name | Type | Required? | Duo API | Duo UI | Description |
---|---|---|---|---|---|
id | String | required | user_id | (in URL) | This is the UUID read from Duo. Select only. This should not be translated from Grouper and the target attribute should be cached. |
loginId | String | required | username | Username | This is the username in Duo. Note: if the username contains uppercase letters, set the following on the loginId attribute: advanced → value settings → case sensitive compare: false |
name | String | optional | realname | Full name | First and last name |
 | String | optional | | | Email address for user |
firstname | String | optional | firstname | NA | First name of user |
lastname | String | optional | lastname | NA | Last name of user |
alias1 | String | optional | alias1 | Username alias 1 | Username alias 1 - It cannot be the same as username or any other username aliases |
alias2 | String | optional | alias2 | Username alias 2 | Username alias 2 - It cannot be the same as username or any other username aliases |
alias3 | String | optional | alias3 | Username alias 3 | Username alias 3 - It cannot be the same as username or any other username aliases |
alias4 | String | optional | alias4 | Username alias 4 | Username alias 4 - It cannot be the same as username or any other username aliases |
Logging
Generally, leave the logging setting off unless you are troubleshooting something.
If you want to see the HTTP traffic going to and from Duo, set one of these options.
You will see container logs that look like this:
2021-11-06 13:54:04,854: [Thread-36] INFO GrouperProvisioningLogCommands.infoLog(25) - - Command log for provisioner 'duoTest' - 'u5ydv5lk', retrieveAllData:
HTTP method: get
HTTP URL: https://api-84f782e2.duosecurity.com/admin/v1/groups?limit=100&offset=0
HTTP request header: Authorization: *******
HTTP request header: Date: Sat, 06 Nov 2021 17:54:02 +0000
HTTP request header: Content-Type: application/x-www-form-urlencoded
HTTP response code: 200, took ms: 913
HTTP response header: Transfer-Encoding: chunked
HTTP response header: Strict-Transport-Security: max-age=31536000
HTTP response header: Server: Duo/1.0
HTTP response header: Cache-Control: no-store
HTTP response header: Etag: W/"198da276e78d748b76b7123456"
HTTP response header: Content-Security-Policy: default-src 'self'; frame-src 'self' ; img-src 'self' ; connect-src 'self'
HTTP response header: Connection: keep-alive
HTTP response header: Pragma: no-cache
HTTP response header: Date: Sat, 06 Nov 2021 17:54:03 GMT
HTTP response header: Content-Type: application/json
{
  "metadata":{
    "total_objects":11
  },
  "response":[
    {
      "desc":"",
      "group_id":"DGUCVTMOMM3UK7YHQ7ZE",
      "mobile_otp_enabled":false,
      "name":"duoGroupFromGrouper",
      "push_enabled":false,
      "sms_enabled":false,
      "status":"Active",
      "voice_enabled":false
    },
    {
      "desc":"This is a description",
      "group_id":"DGCVKVG5GQNG0Z4ZF13G",
      "mobile_otp_enabled":false,
      "name":"duoGroupFromGrouper2",
      "push_enabled":false,
      "sms_enabled":false,
      "status":"Active",
      "voice_enabled":false
    }
  ],
  "stat":"OK"
}
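When HTTP logging is left on while troubleshooting, it is worth checking what those entries expose. The following is an added example, not part of Grouper: it parses one command-log entry in the format shown above, flags credential-bearing headers whose value is not masked with asterisks, and lists the Duo groups the response revealed. The function name `audit_entry`, the `SENSITIVE` header list and the sample entry are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample in the shape of the command log above; every value is made up.
SAMPLE_LOG = """2021-11-06 13:54:04,854: [Thread-36] INFO GrouperProvisioningLogCommands.infoLog(25) - -
Command log for provisioner 'duoTest' - 'abc12345', retrieveAllData:
HTTP method: get HTTP URL: https://api-example.duosecurity.com/admin/v1/groups?limit=100&offset=0
HTTP request header: Authorization: *******
HTTP request header: Content-Type: application/x-www-form-urlencoded
HTTP response code: 200, took ms: 913
HTTP response header: Cache-Control: no-store
HTTP response header: Content-Type: application/json
{ "metadata":{ "total_objects":1 }, "response":[ { "desc":"", "group_id":"DGEXAMPLE00000000001",
"name":"exampleGroup", "status":"Active" } ], "stat":"OK" }"""

SENSITIVE = {"authorization", "cookie", "set-cookie"}  # assumed list of secret-bearing headers
FIELD_END = r"(?= HTTP (?:request header|response header|response code)| \{|$)"
HEADER_RE = re.compile(r"HTTP (request|response) header: ([\w-]+): (.*?)" + FIELD_END)
META_RE = re.compile(
    r"provisioner '([^']+)'.*?HTTP method: (\w+) HTTP URL: (\S+).*?HTTP response code: (\d+)")

def audit_entry(entry):
    """Parse one command-log entry and report unmasked sensitive headers."""
    text = " ".join(entry.split())  # accept wrapped or single-line entries
    meta = META_RE.search(text)
    if meta is None:
        raise ValueError("not a provisioner HTTP command-log entry")
    # A masked value consists only of '*'; anything else means the secret was logged.
    unmasked = [name for _, name, value in HEADER_RE.findall(text)
                if name.lower() in SENSITIVE and set(value.strip()) - {"*"}]
    body = None
    start = text.find("{", meta.end())  # JSON body follows the response headers
    if start != -1:
        try:
            body, _ = json.JSONDecoder().raw_decode(text, start)
        except json.JSONDecodeError:
            body = None  # truncated or non-JSON body
    response = body.get("response") if body else None
    groups = [(g.get("group_id"), g.get("name"))
              for g in (response if isinstance(response, list) else [])
              if isinstance(g, dict)]
    return {"provisioner": meta.group(1), "method": meta.group(2), "url": meta.group(3),
            "status": int(meta.group(4)), "unmasked_headers": unmasked, "groups": groups}

if __name__ == "__main__":
    print(audit_entry(SAMPLE_LOG))
```
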
You can load Duo users into the Grouper database, into the grouper_prov_duo_user table, as shown below.
The grouper_prov_duo_user table is shown below.