Customer(s) request: Duo integration

[kevindherman]

Source
Indian Hill (new) and several Ohio area customers like Montgomery, Oakwood, Miamisburg and possible others are part of a regional group that are trying to make Duo a standard for security.
Santa Ana also uses Duo for out of network logins.

Describe the solution you'd like
Allow customers to use their Duo instance as their ProudCity login.

Email from Indian Hill with their details/research

We recently worked with another vendor of ours to implement Duo MFA into their platform. I can maybe explain better over a call, but I will try to lay it out here via email.

The thought is that we would have the ability to connect our ProudCity instance to our existing Duo instance using Duo’s API. This functionality would only be offered to us by ProudCity because we are already using and paying for Duo for our organization. ProudCity wouldn’t offer the Duo integration for organizations who aren’t already using Duo. This means ProudCity isn’t responsible for any expenses for the Duo subscription, only the initial development, implementation, and integration of the API into ProudCity’s platform. I am fairly certain that the Duo API is free and open to use for you as a developer, we are the ones paying for the API functionality as a user.

This is the way it works with our other vendors that have integrated Duo: We set up a new application in our existing Duo dashboard which gives us an Integration key, Secret key, and API hostname. We then provide those 3 pieces of information to the vendor who enters it into their system which connects their application to our Duo instance. Then, when a user logs in to the vendor’s application, the application sends the username over to our Duo instance and requests approval before successfully logging the user in. All that is done through the API, so ProudCity wouldn’t have a Duo instance where you’d have to manage users, the organization would already have that. ProudCity would only maintain the backend of the API connection.

Some vendors like WordPress, Windows, Fortinet Firewalls & VPNs, and 1Password don’t charge us for the Duo integration. However, we have one vendor (our police records management system) that does charge us for the integration. However, we think it’s worth the extra cost because it eliminates hurdles for end users and keeps their MFA methods all in one place. Not saying you should charge for the integration, but if it came down to it, we would likely pay for it.

I hope that makes sense. I have included some links below that might be helpful:

https://wordpress.org/plugins/duo-universal/

https://duo.com/docs/wordpress

https://duo.com/docs/authapi

https://duo.com/docs/duoweb

Also, we’re more than willing to test this implementation with you so if want to loop us in on that, please let us know!

[curtismchale]

@kevindherman Duo is a replacement for Auth0 and based on the email they're not talking about only MFA. This work would mean custom development so that we either work with Auth0 or Duo depending on the customer. That type of feature is usually achieved by first asking for the email of the user, then changing the login flow to whatever the user uses.

If they just want MFA, that's coming.

If we want to offer Duo as another authentication method, we need to have a bigger talk about that and when we'd develop it with our current resources. It's certainly not outside the realm of possibility technically, but it is another system we'd have to keep track of and handle.

[kevindherman]

Great, that's very helpful.

Lets stick with MFA.

[kevindherman]

Also, wanted to document this in case it comes up again with Indian Hill.

I saw a Duo specific option on this Auth0 page but it does require PFO MFA which costs more.

https://manage.auth0.com/dashboard/us/proudcity/security/mfa