### Embed Duo Security Video (With Voiceover) - HTML
Source: https://help.duo.com/s/article/getting-started-video
This HTML embed code integrates the Duo Security 'Getting Started' video with voiceover, guiding users through device enrollment for two-factor authentication. It utilizes Wistia's responsive embed capabilities.
```html
```
--------------------------------
### Start Duo Authentication Proxy Service (Linux)
Source: https://help.duo.com/s/article/3618
This snippet shows how to start the Duo Authentication Proxy service on Linux systems using an init script. The exact command may vary depending on the Linux distribution.
```bash
sudo service duoauthproxy start
```
--------------------------------
### Example: Generate EXE Install Debug Logs (Windows)
Source: https://help.duo.com/s/article/1332
An example demonstrating how to generate debug logs for a Duo Windows installer (EXE). This shows a practical application of the command-line arguments, specifying concrete paths for the installer and the log file.
```bash
c:\temp\duoauthproxy-6.4.2.exe /l*v! c:\temp\duo-install-log.txt
```
--------------------------------
### Embed Duo Security Video (Without Voiceover) - HTML
Source: https://help.duo.com/s/article/getting-started-video
This HTML embed code allows you to integrate the Duo Security 'Getting Started' video, which explains device enrollment for two-factor authentication, into your website. It uses Wistia's responsive player.
```html
```
--------------------------------
### Example: Generate MSI Install Debug Logs (Windows)
Source: https://help.duo.com/s/article/1332
An example demonstrating how to generate debug logs for a Duo Windows installer (MSI). This shows a practical application of the command-line arguments, specifying concrete paths for the MSI installer and the log file.
```bash
msiexec.exe /i c:\temp\duo-owa-1.1.9.msi /l*v! c:\temp\duo-install-log.txt
```
--------------------------------
### CSV Import Example for Adding Duo Username Aliases
Source: https://help.duo.com/s/article/aliases-guide
Provides an example CSV file content for adding two new username aliases to existing users without modifying other user attributes. This facilitates targeted updates for alias management.
```text
username,alias1,alias2
jason,jas3343,jason@example.com
sally,sal7725,sally@example.com
jack,jac8132,jack@example.com
```
--------------------------------
### Duo API Demonstration Clients in Multiple Languages
Source: https://help.duo.com/s/article/2059
Duo Security provides demonstration clients on GitHub to help developers interact with Duo API methods. These examples cover various popular programming languages, allowing users to understand how to make API calls. It's important to note that Duo does not troubleshoot custom code, but these examples serve as a starting point.
```python
# Example Python code for Duo API (placeholder)
# Refer to Duo's GitHub for actual examples
```
```java
// Example Java code for Duo API (placeholder)
// Refer to Duo's GitHub for actual examples
```
```csharp
// Example C# code for Duo API (placeholder)
// Refer to Duo's GitHub for actual examples
```
```ruby
# Example Ruby code for Duo API (placeholder)
# Refer to Duo's GitHub for actual examples
```
```perl
# Example Perl code for Duo API (placeholder)
# Refer to Duo's GitHub for actual examples
```
```php
// Example PHP code for Duo API (placeholder)
// Refer to Duo's GitHub for actual examples
```
--------------------------------
### Example PAM Stack Configuration (Before Duo Integration)
Source: https://help.duo.com/s/article/4942
This code snippet shows the general pattern for user authentication within a PAM stack before integrating Duo. It includes modules for environment variables, primary Unix authentication, user ID checks, and denial.
```pam
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succed_if.so uid >=500 quiet
auth required pam_deny.so
```
--------------------------------
### Alternative Duo Unix Compilation on AIX
Source: https://help.duo.com/s/article/4497_nocache=https%3A%2F%2Fhelp.duo
Provides alternative commands for compiling Duo Unix on IBM AIX when the default build process encounters linking errors. It guides users through configuring, compiling, and installing Duo Unix with specific CFLAGS and library paths.
```bash
# Navigate to the Duo Unix source directory
$ cd /duo_unix-1.10.1
# Configure the build with specific CFLAGS and OpenSSL path
$ ./configure CFLAGS="-nostdinc -I/usr/include" --with-pam --prefix=/usr --with-openssl=/usr
# Compile the main Duo Unix package
$ make
# Navigate to the login_duo directory
$ cd login_duo
# Compile login_duo with gcc, linking necessary libraries
$ /bin/sh ../libtool --tag=CC --mode=link gcc -g -O2 -o login_duo login_duo.o ../lib/libduo.la ../compat/libcompat.la -L/usr/lib -lssl lcrypto
# Return to the main directory and complete the installation
$ cd ..
$ make
$ make install
```
--------------------------------
### Generate EXE Install Debug Logs (Windows Command Line)
Source: https://help.duo.com/s/article/1332_nocache=https%3A%2F%2Fhelp.duo
This command generates debug logs for an EXE installer on Windows. It requires administrator privileges and specifies the path to the installer and the desired output log file. The '/l*v!' flags enable verbose logging.
```batch
_[path-to-exe-file]_ /l*v! _[path-to-log-output-file]_
```
```batch
c:\temp\duoauthproxy-6.4.2.exe /l*v! c:\temp\duo-install-log.txt
```
--------------------------------
### Interpreting Windows Install Logs (Text Editor)
Source: https://help.duo.com/s/article/1332_nocache=https%3A%2F%2Fhelp.duo
This outlines the process of analyzing Windows installation log files using a text editor to identify the specific action that caused an installation failure. It focuses on searching for 'return value 3' to locate the error. This method is language-agnostic as it involves manual text file analysis.
```text
1. Open the log file in a text editor.
2. Search the log file for the string "return value 3". This should take you to a section in the log that lists the action that failed and caused an issue during installation.
3. Examine the log entries above the "return value 3" string to see which action failed.
```
--------------------------------
### Check .key File Format using OpenSSL pkey Utility
Source: https://help.duo.com/s/article/3802_language=en_US
This command uses the OpenSSL pkey utility to check the format of a .key file. It is used when dealing with private key files, distinct from certificate files. The output will vary based on the key file's format and content.
```bash
openssl pkey -in
```
--------------------------------
### Generate MSI Install Debug Logs (Windows Command Line)
Source: https://help.duo.com/s/article/1332_nocache=https%3A%2F%2Fhelp.duo
This command generates debug logs for an MSI installer on Windows. It uses the `msiexec.exe` utility with administrator privileges, specifying the installer path and the desired output log file. The '/l*v!' flags enable verbose logging.
```batch
msiexec.exe /i _[path-to-msi-file]_ /l*v! _[path-to-log-output-file]_
```
```batch
msiexec.exe /i c:\temp\duo-owa-1.1.9.msi /l*v! c:\temp\duo-install-log.txt
```
--------------------------------
### Example PAM Stack Configuration (After Duo Integration)
Source: https://help.duo.com/s/article/4942
This code snippet demonstrates how to modify a PAM stack to include Duo authentication. 'pam_duo.so' is added after the primary authentication module ('pam_unix.so' in this case), ensuring Duo is invoked for two-factor authentication.
```pam
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >=500 quiet
auth required pam_deny.so
```
--------------------------------
### Troubleshooting Duo Unix Configuration on AIX
Source: https://help.duo.com/s/article/4497_nocache=https%3A%2F%2Fhelp.duo
Offers commands to diagnose issues with Duo Unix configuration on IBM AIX. It includes checks for OpenSSL installation and version, listing installed software, and reviewing configuration logs.
```bash
# Check if OpenSSL is installed and its location
$ type openssl
# Check the installed OpenSSL version
$ /usr/bin/openssl version
# List all installed software packages on AIX
$ lslpp -l -a
# Example of a config.log file content (location may vary)
# config.log typically resides in the Duo Unix source directory (e.g., ~/duo_unix-1.10.1/config.log)
```
--------------------------------
### CSV Header for Duo Username Aliases (Eight Aliases)
Source: https://help.duo.com/s/article/aliases-guide_nocache=https%3A%2F%2Fhelp.duo
This example demonstrates the CSV header row for importing users with up to eight distinct username aliases. It uses 'alias1' through 'alias8' for multiple aliases.
```csv
username,realname,alias1,alias2,alias3,alias4,alias5,alias6,alias7,alias8,email,status
```
--------------------------------
### Python: Duo Preauthentication HTTP POST Example
Source: https://help.duo.com/s/article/2953_nocache=https%3A%2F%2Fhelp.duo
An example of an HTTP POST request made to the Duo API for preauthentication. This is often logged when the authentication proxy communicates with Duo's service.
```python
http POST to https://api-xxxxxxxx.duosecurity.com:443/rest/v1/preauth: failmode=safe&ipaddr=0.0.0.0&user=bwillis
```
--------------------------------
### Group Policy Software Installation with MST Transform
Source: https://help.duo.com/s/article/9474
This describes the steps within the Group Policy Management console to create a software installation package for Duo Windows Command Line Protection, utilizing an MST transform file for configuration. This ensures the client is installed with the correct settings during the computer startup process.
```powershell
# Navigate to: Computer Configuration\Policies\Software Settings\Software installation
# Right-click -> New -> Package
# Select the Duo MSI installer
# Choose 'Advanced' deployment method
# In Properties -> Modifications tab, click 'Add' and select your .mst transform file.
# Apply the GPO to the desired OU.
```
--------------------------------
### Duo Proxy Factory Initialization and Stopping
Source: https://help.duo.com/s/article/2953_nocache=https%3A%2F%2Fhelp.duo
These log entries illustrate the lifecycle of the Duo proxy's HTTP client factory, showing when it starts and stops for both authentication and pre-authentication requests. This is part of the internal communication flow within the Duo authentication proxy.
```log
2020-01-03T09:00:52-0500 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Starting factory <_DuoHTTPClientFactory: https://api-xxxxxxxx.duosecurity.com:443/rest/v1/auth>;;
2020-01-03T09:00:52-0500 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Stopping factory <_DuoHTTPClientFactory: https://api-xxxxxxxx.duosecurity.com:443/rest/v1/preauth>;;
```
--------------------------------
### Batch Script for Visual C++ Redistributable Installation
Source: https://help.duo.com/s/article/9205
This batch script automates the installation of the Microsoft Visual C++ Redistributable package. It checks the system's architecture (32-bit or 64-bit) and executes the appropriate installer EXE located in the same directory as the script. This is useful for deploying the prerequisite when using endpoint management tools that support EXE deployment.
```batch
@echo off
setlocal
REM Check if running on 64-bit Windows
if defined ProgramFiles(x86) (
echo Detected 64-bit Windows. Installing 64-bit Visual C++ Redistributable.
start /wait vc_redist.x64.exe /quiet /norestart
) else (
echo Detected 32-bit Windows. Installing 32-bit Visual C++ Redistributable.
start /wait vc_redist.x86.exe /quiet /norestart
)
if %errorlevel% equ 0 (
echo Visual C++ Redistributable installed successfully.
) else (
echo Visual C++ Redistributable installation failed with error code %errorlevel%.
)
endlocal
exit /b %errorlevel%
```
--------------------------------
### Default PAM Authentication Stack Structure
Source: https://help.duo.com/s/article/4942_nocache=https%3A%2F%2Fhelp.duo
This code snippet shows a typical structure for user authentication within a PAM configuration file on Unix-like systems. It outlines the order and type of modules used for authentication, including environment setup, primary authentication (pam_unix.so), access control, and denial.
```shell
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >=500 quiet
auth required pam_deny.so
```
--------------------------------
### Generate EXE Install Debug Logs (Windows)
Source: https://help.duo.com/s/article/1332
This command-line snippet generates detailed debug logs for an EXE installer on Windows. It requires administrative privileges and specifies the path to the executable and the desired output log file. The '/l*v!' flags enable verbose logging.
```bash
_[path-to-exe-file]_ /l*v! _[path-to-log-output-file]_
```
--------------------------------
### Download and Silently Install Duo Windows Logon with .exe
Source: https://help.duo.com/s/article/1090
This command combines downloading the latest Duo for Windows Logon installer and then silently installing it with specified parameters using PowerShell. It includes options for auto-push, fail-open, smart card, and RDP-only protection. Replace placeholders with your actual credentials.
```powershell
curl https://dl.duosecurity.com/duo-win-login-latest.exe -o C:\Users\Administrator\Downloads\duo-win-login-latest.exe ; C:\Users\Administrator\Downloads\duo-win-login-latest.exe /S /V" /qn IKEY="XXXXXXXXXXXXXXX" SKEY="XXXXXXXXXXXXXXXXXXXXX" HOST="XXXXXXXXXXXXXX" AUTOPUSH="#1" FAILOPEN="#1" SMARTCARD="#1" RDPONLY="#1""
```
--------------------------------
### Run Powershell Command for Security Agent Issues
Source: https://help.duo.com/s/article/7740_nocache=https%3A%2F%2Fhelp.duo
This PowerShell command retrieves information about antivirus products installed on the system. It's used to gather data for troubleshooting security agent-related issues with Duo Desktop.
```powershell
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
```
--------------------------------
### Verify Duo SELinux Module Installation (Bash)
Source: https://help.duo.com/s/article/6329_nocache=https%3A%2F%2Fhelp.duo
Command to list installed SELinux modules and verify that the `authlogin_duo` module is present. This confirms the successful installation of Duo's SELinux policies.
```bash
$ semodule -l | grep duo
authlogin_duo 2.1.0
```
--------------------------------
### Extract Duo Desktop Version from Debug Logs
Source: https://help.duo.com/s/article/7867
This snippet shows a typical log entry from Duo Desktop's debug logs where the application start event includes the installed version. This method is useful for troubleshooting and confirming the version when other methods are unavailable.
```log
2022-10-12 06:29:19.5336|INFO|DuoDeviceHealth.App|**Starting application with version 3.1.0**
```
--------------------------------
### Import Hardware Tokens - Duo Admin Panel
Source: https://help.duo.com/s/article/7704
This snippet demonstrates the format for importing hardware tokens into the Duo Admin Panel. It includes an example serial number and a 40-character hexadecimal secret key for TOTP tokens.
```text
32, a9b6c7938cfc0a2033b24a144babafc14fbcf887
```
--------------------------------
### Generate MSI Install Debug Logs (Windows)
Source: https://help.duo.com/s/article/1332
This command-line snippet generates detailed debug logs for an MSI installer on Windows. It uses the 'msiexec.exe' utility with administrative privileges, specifying the MSI file path and the desired output log file. The '/l*v!' flags enable verbose logging.
```bash
msiexec.exe /i _[path-to-msi-file]_ /l*v! _[path-to-log-output-file]_
```
--------------------------------
### Find Auth Proxy Version in Windows Log File
Source: https://help.duo.com/s/article/3356_language=en_US
This example shows how to search for the 'Init Complete' string within the `authproxy.log` file on Windows to identify the running Duo Authentication Proxy version. The log file location varies based on the installed version.
```text
Duo Security Authentication Proxy 2.4.19 - Init Complete
```
--------------------------------
### Troubleshoot Duo Proxy Startup Failure: Invalid Protected SKEY
Source: https://help.duo.com/s/article/2953_nocache=https%3A%2F%2Fhelp.duo
This snippet addresses errors preventing the DuoAuthProxy service from starting due to an invalid or incorrect protected SKEY. It indicates a configuration error and suggests checking Windows Event Viewer logs for more information and corrective actions.
```text
!!! If an invalid or incorrect protected SKEY is specified, newer versions of the auth proxy will fail to start. A Windows Event Viewer Log (Application) will be generated with more information on corrective actions
```
--------------------------------
### CSV Header for Duo Username Aliases (Single Alias)
Source: https://help.duo.com/s/article/aliases-guide_nocache=https%3A%2F%2Fhelp.duo
This example shows the CSV header row for importing users with a single username alias. It includes standard user fields along with the 'alias' column.
```csv
username,realname,alias,email,status
```
--------------------------------
### Silent Duo AD FS Installation Command
Source: https://help.duo.com/s/article/4907
This command demonstrates how to silently install Duo for AD FS version 2.3.0 and higher using msiexec.exe. It includes essential parameters for client ID, secret, and host. The /qn flag ensures a quiet installation, and /l*v logs the installation process.
```powershell
msiexec.exe /i duo-adfs3-2.x.0.msi DUO_CLIENT_ID="DIDIXXXXXXXXXXXXXXXXXXXX" DUO_CLIENT_SECRET="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" DUO_HOST="api-xxxxxxxx.duosecurity.com"/qn /l*v InstallLog.log
```
--------------------------------
### Silent Duo for OWA Installation (v2.0.0+)
Source: https://help.duo.com/s/article/4826
This command installs Duo for OWA silently with default options for versions 2.0.0 and later. It requires specific client ID, secret, host, and authentication key. The MSI filename will vary based on the version.
```powershell
msiexec.exe /i duo-owa-2.0.0.msi DUO_CLIENT_ID="DIDIXXXXXXXXXXXXXXXXXXXX" DUO_CLIENT_SECRET="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" DUO_HOST="api-xxxxxxxx.duosecurity.com" DUO_AKEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" /qn
```
--------------------------------
### PAM Configuration for Kerberos + Duo (System Auth)
Source: https://help.duo.com/s/article/5085_nocache=https%3A%2F%2Fhelp.duo
This PAM configuration for 'sshd' includes the system authentication stack, which in turn includes specific rules for Kerberos, local Unix users, and Duo. It also includes a deny rule. This setup requires careful ordering of authentication methods.
```bash
auth include system-auth
```
--------------------------------
### Silent Install Duo Windows Logon with .exe Installer
Source: https://help.duo.com/s/article/1090
This command demonstrates how to silently install Duo Authentication for Windows Logon using the .exe installer. It configures auto-push, fail-open, smart card support, and protects both RDP and console logons. Ensure you replace placeholder values with your actual integration keys and host.
```powershell
duo-win-login-5.1.1.exe /S /V" /qn IKEY="DIXXXXXXXXXXXXXXXXXXXX" SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" HOST="api-xxxxxxxx.duosecurity.com" AUTOPUSH="#1" FAILOPEN="#1" SMARTCARD="#1" RDPONLY="#0"
```
--------------------------------
### Silent Duo for OWA Installation (Up to v1.3.3)
Source: https://help.duo.com/s/article/4826
This command installs Duo for OWA silently with default options for versions up to 1.3.3. It requires integration key, secret key, host, and authentication key. The MSI filename will vary based on the version.
```powershell
msiexec.exe /i duo-owa-1.3.2.msi DUO_IKEY="DIDIXXXXXXXXXXXXXXXXXXXX" DUO_SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" DUO_HOST="api-xxxxxxxx.duosecurity.com" DUO_AKEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" /qn
```
--------------------------------
### Modified PAM Authentication Stack with Duo
Source: https://help.duo.com/s/article/4942_nocache=https%3A%2F%2Fhelp.duo
This code snippet demonstrates how to modify a PAM authentication stack to include Duo. It shows the insertion of `pam_duo.so` after the primary authentication module (`pam_unix.so` in this example), ensuring that Duo is used for secondary authentication without being skipped by preceding modules.
```shell
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >=500 quiet
auth required pam_deny.so
```
--------------------------------
### Silent MSI Install with PowerShell for Duo Epic
Source: https://help.duo.com/s/article/1113
This snippet demonstrates how to silently install Duo Authentication for Epic using a PowerShell command with the MSI installer. It requires the Integration Key, Secret Key, and API Hostname as parameters.
```powershell
cmd.exe /c DuoEpic.msi DUO_IKEY=_Integration Key_ DUO_SKEY=_Secret Key_ DUO_HOST=_API Hostname_
```
--------------------------------
### Verify Duo SELinux Module Installation
Source: https://help.duo.com/s/article/6329
Command to list installed SELinux modules and filter for Duo-related policies. This verifies that the `authlogin_duo` module has been successfully installed, confirming SELinux configuration updates.
```bash
$ semodule -l | grep duo
```
--------------------------------
### Silent Install Duo Windows Logon with MSI Installer
Source: https://help.duo.com/s/article/1090
This command shows how to silently install Duo Authentication for Windows Logon using the 64-bit MSI installer. It specifies essential parameters like IKEY, SKEY, HOST, and various configuration options for authentication behavior. Replace placeholder values with your specific integration details.
```powershell
msiexec.exe /i DuoWindowsLogon64.msi IKEY="Integration Key" SKEY="Secret Key" HOST="API Hostname" AUTOPUSH="#1" FAILOPEN="#1" SMARTCARD="#1" RDPONLY="#0" /qn
```
--------------------------------
### Install and Build Duo SELinux Policy (Bash)
Source: https://help.duo.com/s/article/6329_nocache=https%3A%2F%2Fhelp.duo
Commands to install the `selinux-policy-devel` package and build/install the Duo SELinux modules. This allows the Duo module to make necessary outgoing HTTP connections for authentication.
```bash
sudo make -C pam_duo semodule
sudo make -C pam_duo semodule-install
```
--------------------------------
### Example Error for Incorrect Format Check (DER on PEM)
Source: https://help.duo.com/s/article/3802_language=en_US
This example shows the error message received when attempting to check a PEM formatted certificate file using the DER format option with OpenSSL. This indicates that the file is not in DER format.
```text
test@LAB % openssl x509 -in KEY.crt -inform DER
unable to load certificate
8731640128:error:0DFFF0A8:asn1 encoding routines:CRYPTO_internal:wrong tag:/AppleInternal/Library/BuildRoots/9e200cfa-7d96-11ed-886f-a23c4f261b56/Library/Caches/libressl/libressl-3.3/crypto/asn1/tasn_dec.c:1167:
8731640128:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/AppleInternal/Library/BuildRoots/9e200cfa-7d96-11ed-886f-a23c4f261b56/Library/Caches/libressl/libressl-3.3/crypto/asn1/tasn_dec.c:337:Type=X509
```
--------------------------------
### Citrix Gateway and Admin Panel Setup
Source: https://help.duo.com/s/article/7705_nocache=https%3A%2F%2Fhelp.duo
Detailed steps for configuring both the Citrix Gateway and the Duo Admin Panel to establish the SAML integration.
```APIDOC
## Configure SAML Server on Citrix Gateway
### Description
Steps to add and configure a SAML server on the Citrix Gateway with information from the Duo Generic Service Provider application.
### Method
N/A (Configuration Steps)
### Endpoint
N/A
### Parameters
#### Path Parameters
* **Web UI** - Access point for configuration.
#### Request Body
* **Server Name** (string) - Required - A relevant name for the SAML server (e.g., "DuoHostedSSO").
* **Redirect URL** (string) - Required - URL from the Duo Single Sign-on URL.
* **Single Logout URL** (string) - Required - URL from the Duo Single Log-out URL.
* **IDP Certificate Name** (string) - Required - A relevant name for the certificate (e.g., "hostedsso-cert").
* **Certificate-Key Pair Name** (string) - Required - Name for the certificate-key pair.
* **Certificate File** (file) - Required - The downloaded certificate from Duo.
* **SAML User** (string) - Required - Set to "NameID".
* **Signature Algorithm** (string) - Required - Set to "RSA-SHA256".
### Request Example
N/A
### Response
#### Success Response (200)
- **Exported SAML Metadata** (file) - Metadata containing Entity ID and ACS URL.
#### Response Example
N/A
```
```APIDOC
## Configure Duo Admin Panel with Citrix Gateway Details
### Description
Steps to update the Duo Generic Service Provider application settings with the Entity ID and ACS URL exported from Citrix Gateway.
### Method
N/A (Configuration Steps)
### Endpoint
N/A
### Parameters
#### Request Body
* **Entity ID** (string) - Required - Copied from Citrix Gateway.
* **ACS URL** (string) - Required - Copied from Citrix Gateway AssertionConsumerService redirect URL.
* **NameID format** (string) - Required - Set to "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
* **NameID attribute** (string) - Required - Set to "userPrincipalName".
* **Signature algorithm** (string) - Required - Set to "SHA256".
* **Signing options** (boolean) - Required - "Sign response" and "Sign assertion" should be checked.
* **Application Name** (string) - Required - A descriptive name for the application.
### Request Example
```json
{
"Entity ID": "https://citrix.example.com/SAML/metadata",
"ACS URL": "https://citrix.example.com/SAML/assertionConsumerService",
"NameID format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"NameID attribute": "userPrincipalName",
"Signature algorithm": "SHA256",
"Signing options": {
"Sign response": true,
"Sign assertion": true
},
"Application Name": "Citrix Gateway SSO"
}
```
### Response
#### Success Response (200)
- **Application Saved** (status) - Confirmation of saved application settings.
#### Response Example
N/A
```
```APIDOC
## Add Advanced Authentication Policy on Citrix Gateway
### Description
Steps to create an advanced authentication policy on Citrix Gateway that uses the previously configured SAML server.
### Method
N/A (Configuration Steps)
### Endpoint
N/A
### Parameters
#### Request Body
* **Policy Name** (string) - Required - A relevant name (e.g., "saml-hostedsso-adv-policy").
* **Action Type** (string) - Required - Set to "SAML".
* **Action** (string) - Required - The SAML server created earlier.
* **Expression** (string) - Required - Set to "true".
### Request Example
N/A
### Response
#### Success Response (200)
- **Policy Created** (status) - Confirmation of policy creation.
#### Response Example
N/A
```
```APIDOC
## Add Authentication Virtual Server on Citrix Gateway
### Description
Steps to create an authentication Virtual Server on Citrix Gateway and bind the advanced authentication policy.
### Method
N/A (Configuration Steps)
### Endpoint
N/A
### Parameters
#### Request Body
* **Virtual Server Name** (string) - Required - A relevant name (e.g., "vAAAserver-saml-hostedsso").
* **IP Address** (string) - Required - Set to "Non Addressable.".
* **Server Certificate** (certificate) - Required - A valid certificate matching the hostname.
* **Authentication Policy** (policy) - Required - The advanced authentication policy created previously.
* **GoToExpression** (string) - Required - Set to "END.".
### Request Example
N/A
### Response
#### Success Response (200)
- **Virtual Server Created and Bound** (status) - Confirmation of Virtual Server creation and policy binding.
#### Response Example
N/A
```
```APIDOC
## Create Authentication Profile on Citrix Gateway
### Description
Steps to create an authentication profile on Citrix Gateway, which is necessary for the authentication flow.
### Method
N/A (Configuration Steps)
### Endpoint
N/A
### Parameters
#### Request Body
* **Profile Name** (string) - Required - An appropriate name (e.g., "vAAA-saml-hostedsso-profile").
### Request Example
N/A
### Response
#### Success Response (200)
- **Profile Created** (status) - Confirmation of profile creation.
#### Response Example
N/A
```
--------------------------------
### Deploy Duo-Hosted Single Sign-on
Source: https://help.duo.com/s/article/7705_nocache=https%3A%2F%2Fhelp.duo
Steps to deploy and configure Duo-hosted Single Sign-on for the Generic Service Provider integration.
```APIDOC
## Deploy Duo-Hosted Single Sign-on
### Description
Initial configuration steps to enable Duo Single Sign-On for your Duo account and configure a working authentication source. This includes mapping attributes for Active Directory and OpenLDAP.
### Method
N/A (Configuration Steps)
### Endpoint
N/A
### Parameters
#### Request Body
* **Duo Attribute** (string) - Required - Attribute name in Duo.
* **Active Directory** (string) - Required - Corresponding attribute in Active Directory.
* **OpenLDAP** (string) - Required - Corresponding attribute in OpenLDAP.
### Request Example
```json
{
"Duo Attribute": "mail",
"Active Directory": "mail",
"OpenLDAP": "mail"
}
```
### Response
#### Success Response (200)
N/A
#### Response Example
N/A
```
```APIDOC
## Add Generic Service Provider Hosted by Duo Application
### Description
Steps to add the 'Generic Service Provider Hosted by Duo' application from the Duo Admin Panel catalog and download necessary configuration files.
### Method
N/A (Configuration Steps)
### Endpoint
N/A
### Parameters
#### Query Parameters
* **Search Term** (string) - Required - "Generic"
### Request Example
N/A
### Response
#### Success Response (200)
- **Certificate** (file) - Downloadable certificate file for Citrix Gateway.
- **XML** (file) - Downloadable XML metadata file for Citrix Gateway.
#### Response Example
N/A
```
--------------------------------
### Example Error During Duo OpenVPN Installation
Source: https://help.duo.com/s/article/3603
This is an example of the full error message encountered when the 'cc' command is not found during the compilation of the Duo OpenVPN package. It shows the 'make' utility failing because it cannot locate the C compiler.
```bash
:~/duosecurity-duo_openvpn-463f56e$ make cc -DPREFIX='"/opt/duo"' -fPIC -c duo_openvpn.c make: cc: Command not found
Makefile:14: recipe for target 'duo_openvpn.o' failed
make: *** [duo_openvpn.o] Error 127
```
--------------------------------
### Duo Unix PAM Config: Group-Based Authentication Examples
Source: https://help.duo.com/s/article/2225_nocache=https%3A%2F%2Fhelp.duo
Examples of the 'groups' parameter in pam_duo.conf or login_duo.conf to control which users require Duo 2FA. Supports wildcards, negation, and multiple group patterns.
```ini
[duo]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXX
host=api-xxxxxxxx.duosecurity.com
pushinfo=yes
autopush=yes
groups=users,!wheel,!*admin guests
```
```ini
groups=group1,group2,!wheel
```
```ini
groups=group1,group2,!wheel,!*admin privusers
```
```ini
groups=*,!specificgroup
```
```ini
groups=*,!Group\ One,!Group\ Two
```
--------------------------------
### Enable Installing Unknown Apps on Android
Source: https://help.duo.com/s/article/2211
Illustrates the steps to enable the 'Allow from this source' setting in Android's File Manager (or Google's Files) to permit the installation of applications from downloaded APK files. This is a necessary step for sideloading.
```text
1. Tap the**File Manager** app or Google's **Files.**
2. Enable the **Allow from this source** setting to allow "unknown apps" to download.
```
--------------------------------
### Silent Install Duo for Windows Logon via EXE
Source: https://help.duo.com/s/article/1090_nocache=https%3A%2F%2Fhelp.duo
This command demonstrates how to silently install Duo Authentication for Windows Logon using the .exe installer. It configures auto-push, fail-open, smart card support, and protects both RDP and console logons. Ensure you replace placeholder values for IKEY, SKEY, and HOST with your actual integration details. The parameters are enclosed within a single /V parameter, with double quotes required.
```powershell
duo-win-login-5.1.1.exe /S /V" /qn IKEY="DIXXXXXXXXXXXXXXXXXXXX" SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" HOST="api-xxxxxxxx.duosecurity.com" AUTOPUSH="#1" FAILOPEN="#1" SMARTCARD="#1" RDPONLY="#0""
```
--------------------------------
### Finding Credential Provider GUIDs
Source: https://help.duo.com/s/article/4041
This example shows the registry path where you can find the GUIDs for all registered credential providers on a Windows system. These GUIDs are necessary to populate the `ProvidersWhitelist` value.
```plaintext
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
```
--------------------------------
### Batch Script for Visual C++ Redistributable Installation
Source: https://help.duo.com/s/article/9205_nocache=https%3A%2F%2Fhelp.duo
A batch script designed to automatically detect the system architecture (32-bit or 64-bit) and install the appropriate Microsoft Visual C++ Redistributable package. Assumes the EXE installers are in the same directory as the script.
```batch
@echo off
REM Check if running on 64-bit Windows
IF DEFINED PROGRAMFILES(x86) (
ECHO Installing 64-bit Visual C++ Redistributable...
start /wait "" "vc_redist.x64.exe" /install /quiet /norestart
) ELSE (
ECHO Installing 32-bit Visual C++ Redistributable...
start /wait "" "vc_redist.x86.exe" /install /quiet /norestart
)
ECHO Visual C++ Redistributable installation complete.
PAUSE
```
--------------------------------
### Registry Key for Duo Credential Providers Whitelist
Source: https://help.duo.com/s/article/4041
This example demonstrates how to configure the Windows Registry to allow specific third-party credential providers to be accessible during Windows logon when Duo Authentication for Windows Logon is installed. This registry value, ProvidersWhitelist, is of type REG_MULTI_SZ and accepts GUIDs of the desired credential providers.
```registry
HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv
ProvidersWhitelist (REG_MULTI_SZ): "{GUID_1}" "{GUID_2}" ...
```
--------------------------------
### Install MSOnline Powershell Module
Source: https://help.duo.com/s/article/8028_nocache=https%3A%2F%2Fhelp.duo
This command installs the MSOnline Powershell module, which is required for Duo SSO for Microsoft 365 scripts. It uses the '-force' flag to ensure installation even if a version is already present.
```powershell
install-module msonline -force
```
--------------------------------
### DNG DNS Record Configuration Example
Source: https://help.duo.com/s/article/7342
This example shows the correct configuration for an A record pointing to the Duo Network Gateway (DNG) host. It specifies the record type, name, value (IP address), and Time To Live (TTL).
```text
A record for dng.example.com is pointing to DNG host at IP 111.211.222.42
Type| Name| Nameserver/Value| TTL (seconds)
A| dng| 111.211.222.42| 300
```
--------------------------------
### DNS A Record Configuration Example
Source: https://help.duo.com/s/article/7342_nocache=https%3A%2F%2Fhelp.duo
This example shows a typical DNS A record configuration for the Duo Network Gateway (DNG). Ensure the 'Name' and 'Nameserver/Value' fields correctly point to your DNG's hostname and IP address.
```text
A| dng| 111.211.222.42| 300
```
--------------------------------
### Shell: Example "make: cc: command not found" error during Duo OpenVPN installation
Source: https://help.duo.com/s/article/3603_nocache=https%3A%2F%2Fhelp.duo
This is an example of the full error message encountered when attempting to build the Duo OpenVPN integration from source, specifically when the 'make' utility cannot find the 'cc' compiler. It indicates a missing prerequisite for the compilation process.
```shell
make: cc: Command not found
Makefile:14: recipe for target 'duo_openvpn.o' failed
make: *** [duo_openvpn.o] Error 127
```
--------------------------------
### Generate Duo Authentication Key (Session Key)
Source: https://help.duo.com/s/article/4826
This PowerShell script generates a secure session key (DUO_AKEY) required for non-interactive Duo for OWA installations. The key is essential for the installation to function correctly when not being manually configured.
```powershell
$bytes = new-object "System.Byte[]" 30
(new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
[Convert]::ToBase64String($bytes)
```
--------------------------------
### Silent Install with Logging for Duo Windows Logon
Source: https://help.duo.com/s/article/1090
This command demonstrates a silent installation of Duo Authentication for Windows Logon with logging enabled. It requires updating the executable version number and specifying a path for the log file. Various integration parameters like IKEY, SKEY, HOST, and feature flags can be configured.
```command-line
duo-win-login-5.1.1.exe /S /V" /qn IKEY="DIXXXXXXXXXXXXXXXXXXXX" SKEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" HOST="api-xxxxxxxx.duosecurity.com" AUTOPUSH="#1" FAILOPEN="#1" SMARTCARD="#1" RDPONLY="#0" /l*v! [path-to-log-output-file]"
```
--------------------------------
### Silent Install Duo Authentication Proxy on Linux
Source: https://help.duo.com/s/article/5040
This command performs a silent installation of the Duo Authentication Proxy on Linux. It requires administrative privileges (sudo) and specifies the installation directory, service user, log group, and whether to create an init script. Ensure the user and group names match your system's configuration if not using defaults.
```bash
sudo ./duoauthproxy-build/install --install-dir /opt/duoauthproxy --service-user duo_authproxy_svc --log-group duo_authproxy_grp --create-init-script yes
```
--------------------------------
### Visual C++ Redistributable GUIDs for Duo Windows Logon
Source: https://help.duo.com/s/article/9205_nocache=https%3A%2F%2Fhelp.duo
Provides the Globally Unique Identifiers (GUIDs) for the Microsoft Visual C++ 2022 Redistributable components, useful for scripting or advanced deployment scenarios.
```text
{2E15F519-4FDA-4834-B4EE-7EFCE7D8D4EE} Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34438
{E528AD94-12D7-42C4-91A3-908BE28E9BD2} Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34438
```
--------------------------------
### Example icacls Command Output
Source: https://help.duo.com/s/article/3456_nocache=https%3A%2F%2Fhelp.duo
This demonstrates the typical output when running icacls commands to grant permissions. It shows the files processed and the success status of the operation.
```text
c:\>icacls "C:\Program Files\Duo Security Authentication Proxy\log" /grant DUO\ldapuser:(M) /T
processed file: C:\Program Files\Duo Security Authentication Proxy\log
processed file: C:\Program Files\Duo Security Authentication Proxy\log\authevents.log
processed file: C:\Program Files\Duo Security Authentication Proxy\log\authproxy.log
processed file: C:\Program Files\Duo Security Authentication Proxy\log\connectivity_tool.log
processed file: C:\Program Files\Duo Security Authentication Proxy\log\ssoevents.log
Successfully processed 5 files; Failed processing 0 files
C:\>icacls "C:\Program Files\Duo Security Authentication Proxy\bin" /grant authproxy\administrator:(RX) /T
processed file: C:\Program Files\Duo Security Authentication Proxy\bin
processed file: C:\Program Files\Duo Security Authentication Proxy\bin\api-ms-win-crt-convert-l1-1-0.dll
processed file: C:\Program Files\Duo Security Authentication Proxy\bin\api-ms-win-crt-environment-l1-1-0.dll
processed file: C:\Program Files\Duo Security Authentication Proxy\bin\api-ms-win-crt-filesystem-l1-1-0.dll
processed file: C:\Program Files\Duo Security Authentication Proxy\bin\api-ms-win-crt-heap-l1-1-0.dll
processed file: C:\Program Files\Duo Security Authentication Proxy\bin\api-ms-win-crt-locale-l1-1-0.dll
```
--------------------------------
### Certificate Configuration Example with SAN
Source: https://help.duo.com/s/article/7357_nocache=https%3A%2F%2Fhelp.duo
This example demonstrates the required format for a certificate configuration, emphasizing the inclusion of both Common Name (CN) and Subject Alternative Name (SAN) fields. The SAN is crucial for proper validation, even for single-URL setups.
```text
commonName = rdp-relay.company.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = rdp-relay.company.com
```
--------------------------------
### Automate Admin Onboarding/Offboarding with Duo Admin API
Source: https://help.duo.com/s/article/7713_language=en_US
This snippet demonstrates how to use the Duo Admin API to automate the process of onboarding and offboarding administrators. This is a recommended practice for maintaining efficient and secure access controls. Ensure you have the necessary API credentials and have installed the Duo Admin SDK for your chosen language.
```python
from duo_admin import DuoAdmin
# Replace with your integration key, secret key, and API host
api = DuoAdmin('DIAGNOSTIC_IKEY', 'DIAGNOSTIC_SKEY', 'api-XXXXXXXX.duosecurity.com')
# Example: Add a new administrator
def add_administrator(username, email, group_dn=None, phone=None):
try:
result = api.add_administrator(username, email, phone=phone, group_dn=group_dn)
print(f"Administrator {username} added successfully.")
return result
except Exception as e:
print(f"Error adding administrator: {e}")
return None
# Example: Remove an administrator
def remove_administrator(username):
try:
result = api.remove_administrator(username)
print(f"Administrator {username} removed successfully.")
return result
except Exception as e:
print(f"Error removing administrator: {e}")
return None
# Usage examples:
# new_admin = add_administrator('johndoe', 'john.doe@example.com', phone='123-456-7890')
# remove_administrator('janedoe')
```
--------------------------------
### Example NetScaler OAuth Action Configuration Output
Source: https://help.duo.com/s/article/8988
This is an example of the expected output when displaying a correctly configured NetScaler OAuth action for Duo integration. It shows that PKCE is disabled and the token endpoint authentication method is set to client_secret_jwt.
```text
Name: duo_oauth_server
OAuth Type: GENERIC
OAuth Status: INIT
Grant Type: CODE
Authorization Endpoint: https://api-xxxxxxxx.duosecurity.com/oauth/v1/authorize?scope=openid
Token Endpoint: https://api-xxxxxxxx.duosecurity.com/oauth/v1/token
IDToken Decryption Endpoint:
Client ID: Dxxxxxxxxxxxxxxxxxxx
Client Secret: removed from output
OAuth Misc Flags: EnableJWTRequest
Refresh Interval: 1440
Skew Time: 5
Authentication: ENABLED
Allowed Token Algorithms: HS256 RS256 RS512
PKCE: DISABLED
Token Endpoint Auth Method: client_secret_jwt
Metadata URL:
```