Skip to main content

How to configure passbolt to use Duo

Passbolt Pro Edition since v2.5 and CE since v3.9 support Duo as a multi factor authentication option.

Duo is a proprietary solution that is free for up to 10 users, and supports a bundle of authentication channels (such as HOTP, mobile push, phone calls, etc.) configurable by the Duo account administrator. Duo can be used in addition to another authentication method (such as username and password).

Duo website
fig. Duo website
important

Multi Factor Authentication requires HTTPS to work.

Security considerations

When using Duo as a form of multi-factor authentication, it is recommended to set up at least one additional multi-factor authentication method as a backup. Should the Duo service experience downtime, this measure guarantees that users can continue to access their accounts despite the malfunction of one authentication method.

In order to authenticate using Duo, the user will be redirected to Duo’s authentication page. Whether the authentication was successful, the user will be redirected back to passbolt. Make sure your users have access to internet or do not enable this authentication provider if you are running passbolt on a private network that is not connected to internet.

Install Duo app

To use this authentication service, users will need to have either:

info

Visit the Duo authentication methods page for more information.

Register to Duo

To allow users to authenticate via Duo in Passbolt, you must first obtain Duo application credentials by creating a Web SDK application for Passbolt within Duo.

Register Duo admin account

If you do not have a Duo administrator account yet, start by registering at https://signup.duo.com/.

Get Duo application credentials

Sign-in to the Duo Admin panel at https://admin.duosecurity.com/login and navigate to the applications management administration page: Left sidebar > Applications.

Manage Duo admin applications
fig. Manage Duo admin applications

Click on "Protect an application" then find the "Web SDK" application type in the proposed list and click on the adjacent "Protect" button.

Duo web sdk application for passbolt
fig. Duo web sdk application for passbolt

Note down the "Client ID", "Client secret", and "API hostname" details, as it will be request to you later to configure the Duo integration in passbolt.

Enable Duo access

Duo can be set up through either the administration interface or environment variables. Should both settings providers be utilized, the configurations made in the administration interface will take precedence over those specified by environment variables.

Generate a salt

info

Required only for passbolt server < 3.11.

Generating a random salt to configure Duo is mandatory, a salt is a random piece of data that is generated and used in the hashing process to protect sensitive information. It is generated and combined with the secret key before hashing it.

To generate a random salt, you can use the passbolt interface, generate a new password as shown below and use it as the generated salt.

Generate a salt with passbolt password generator
fig. Generate a salt with passbolt password generator

Enable Duo access via the interface

To enable Duo via the interface, navigate to the multi-factor authentication administration page: Administration > Multi Factor Authentication.

Subsequently, enable the "Duo" provider by moving the adjacent toggle to the on position and inputs the information provided by Duo at the previous step. Ensure you save these modifications to activate the provider.

Enable Duo in administration settings
fig. Enable Duo in administration settings

Enable Duo access via environment variables

If you are using docker, you can set these environment variables to enable Duo for your organization.

Variable nameDescriptionType
PASSBOLT_PLUGINS_MFA_DUO_CLIENT_IDClient IDstring
PASSBOLT_PLUGINS_MFA_DUO_CLIENT_SECRETClient Secretstring
PASSBOLT_PLUGINS_MFA_DUO_API_HOSTNAMEAPI Hostnamestring

Setup Duo as a user

To setup Duo as multi-factor authentication method, navigate to the multi-factor authentication user settings page: Avatar > Profil > Multi Factor Authentication. Select the provider "Duo MFA" to continue.

The next step will require you to start the Duo authentication process. Click on "Sign-in" when you are ready.

Duo welcome screen
fig. Duo welcome screen

If this is the first time you are using Duo with this user and this server, you will be asked to link one or more device(s) to Duo to authenticate with.

Duo authentication options
fig. Duo authentication options

Authenticate with Duo

After setting up Duo, each time you sign-in to Passbolt, you'll be prompted to plug authenticate with the method you have chosen during the setup. Additionally, if permitted by the "Multi-factor Authentication Policy", passbolt can remember your MFA authentication for a month.

Authenticate with Duo
fig. Authenticate with Duo