Duo Administrator's Guide

- What is Duo?
    - How can I authenticate a customer with whom I am speaking or chatting? (Duo Push)
    - The Customer's Experience
    - Other authentication methods
    - When and where is Duo required?
- Provisioning and managing Yubikeys
    - How to provision a YubiKey
- How are Duo users provisioned and de-provisioned?
    - AD accounts and DualAuth groups
    - Creating Duo users manually
    - Duo Main Account & Sub-accounts
- How can a Service Desk representative help a customer with Duo?
    - What's a "Duo Admin" account and how is it different from my Duo account?
    - Review Duo account details
    - Add, remove, activate and assign phones
    - Passcodes and Bypass Codes
    - Provision and update a Duo user from an Active Directory user
    - Contacting Support
- Frequently Asked Questions, Encountered Issues & Answers
    - The Duo user is disabled, but there is no option to enable/reactivate, or if there is it's grayed out. How can I re-enable this Duo user?
    - Cannot provision an AD user into Duo because the account name collides with a disabled AD user in another domain. What can I do?
    - The customer's phone is not receiving pushes, passcodes or activations. How can I fix this?
    - The customer can use Duo just fine with their AA/elevated-access account, but they are told they do not have privileges/access when logging into a remote computer
    - How can I provision an AD user for EPCS in Duo?
    - How do I get an AD account in the SDE domain into Duo?
What is Duo?
Duo is a brand of two-factor authentication (also called 2FA, MFA or multi-factor authentication). It adds a second layer of authentication after the first factor, a traditional username and password, has already been used. This second factor generally involves the user having a device to which the Duo service sends additional authentication information and from which it requires a response. From a UCSF MyAccess customer's perspective, this means:
1. Log in with the usual username and password.
2. Select "Duo Push".
3. Respond with the second-factor device, either by approving the push notification or from within the Duo app.
4. The application should then proceed as logged in.
How can I authenticate a customer with whom I am speaking or chatting? (Duo Push)
Duo has a facility for sending a targeted push to a customer based upon their Duo account and enrolled device.
1. Go to the Duo user detail page for the customer and note the "Send Duo Push" link at the upper right-hand side, highlighted in blue.
    a. If you are already researching the customer's account in MyAccess Lookup, it is very easy to get to their account. Go to the MyAccess Lookup Duo tab for the customer and click on the username in the top row. A new browser tab or window will open, taking you directly to that Duo account's detail page. Note that if you are not already logged into your Duo Admin panel account you will be asked to log in first.
2. When you click this link a popup will appear giving a choice of device to push to. Choose it and then press the "Send" button at the bottom left of the popup.
3. Note the "Push Title", as this will be part of the notification received by the customer. You can let them know, "I am sending you a push to authenticate you and it should say 'UCSF Support Request' as the title...".
4. If the customer takes too long, the message will turn red/pink and complain "An unexpected error occurred". Simply press the "Try again" button. Once the customer successfully acknowledges the push you should see an approval message.
The Customer's Experience
Other authentication methods
Beyond the common push method, here are the other options available to the customer when logging in and when managing their own Duo experience.
Passcode
The customer enters one of the passcodes he or she already has, or can receive new passcodes in an SMS text by clicking the "Text me new codes" button. Below are more details on what passcodes are and how to obtain them.
Phone call
The phone number on the device chosen from the "Device" dropdown list will receive a phone call asking the customer to press any key to log in. Once the Duo call service detects the response, login can proceed. NOTE: this authentication option incurs a per-use cost for UCSF and is very expensive, especially for international users. Only recommend this option as a last resort when pushes and passcodes are not working for the customer.
When and where is Duo required?
Generally, IT's concern with Duo is centered on its integration with MyAccess SSO (Single Sign-on) and AD FS (Active Directory Federation Services). Customers who authenticate to applications relying on MyAccess SSO will also be required to authenticate with Duo if they are not on the UCSF network or Pulse VPN. Conversely, they will not be required to authenticate with Duo if their computer is on a campus wired network, connected to campus WiFi, or using Pulse VPN from anywhere in the world. Some examples of applications that rely on MyAccess SSO are:
- MyAccess website (https://myaccess.ucsf.edu)
- UC Learning Center (https://training.ucsf.edu/)
- HBS Time Keeping (https://hbswebcampus.ucsfmedicalcenter.org/tpweb/)
The same is true for customers who authenticate to applications relying on AD FS. Some examples of applications that rely on AD FS are:
- OWA (Outlook Web App or Outlook on the Web)
- Teams
- Outlook (desktop client)
Provisioning and managing Yubikeys
This section is incomplete and a work in progress. Topics to be covered:
- What is a Yubikey?
- What are they good for?
- How does a customer request and obtain a Yubikey?
- Common Yubikey questions
- What to do when a customer loses a Yubikey
- How to verify the serial number of a Yubikey
How to provision a YubiKey
See How to prepare a YubiKey for provisioning in Duo
How are Duo users provisioned and de-provisioned?
AD accounts and DualAuth groups
Generally, Duo accounts are created in Duo by way of a process called Directory Sync. This works by placing an active AD account into one of a set of AD groups. The Duo cloud has been made aware of these groups, and for each AD domain it will sync accounts from AD into Duo once a day. This syncing process manages both provisioning and de-provisioning. If the AD account is removed from all of the related AD groups or the AD account is disabled, the analogous Duo account will be sent to the trash upon the next sync. The Duo user will sit in the trash for a week and will then be permanently deleted, unless restored by a subsequent sync after the AD account is re-enabled and/or put back in one of the Duo-related AD groups.

Domain       Groups                                           Schedule
Campus/Net   DualAuthUsersNet, DualAuthADMINUsersNet          2:00 PM PT
MedCtr       DualAuthUsersMedCtr, DualAuthADMINUsersMedCtr    7:00 PM PT
SOM          DualAuthUsersSOM, DualAuthADMINUsersSOM          11:00 AM PT
Limited SFID accounts in Duo
With few exceptions, as of March 2020, SFIDs are no longer useful for authentication with MyAccess, because MyAccess now requires Duo and SFIDs are not provisioned into Duo. SFIDs come from a credential store outside of AD that does not have access to Duo's Directory Sync capability. An SFID gets into Duo in one of two ways. 1) A Duo account with the same name as the SFID is created manually in Duo. This should be avoided because it creates a security risk down the road: there is no way to automatically de-provision these accounts. 2) An AD account with the same name as the SFID is created in AD, put into the proper DualAuth group, and eventually syncs to Duo. The second method is greatly preferred because it does not carry the same security risk: when a customer separates from UCSF, their affiliation expires, which causes their AD accounts to be disabled, which in turn removes any related Duo accounts. If the account is created manually in Duo, there is a possible security risk, as there is no process for automatically notifying someone, nor an automated process, that takes care of disabling or deleting the related Duo user.
RESOURCE accounts & Duo: how to add them to Duo
Email Addresses and their importance for provisioning vs. self-enrolling
Creating Duo users manually
If you have a user in a system/server that needs to be authenticated against Duo but is not in AD, this Duo user needs to be added manually. Common use cases are Linux or Windows user accounts which are not related to an AD account. Note that it is always preferred to use Directory Sync, because this ensures that when the system/server (e.g. AD) account is disabled the analogous Duo account will be disabled as well. Manually created accounts do not benefit from this process and should only be used as a last resort. If possible, create the local user with the same username as an AD account that is synced with Duo.
For information on creating users by hand, see this.
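The Directory Sync lifecycle above (provision, trash on disable or group removal, permanent deletion after a week, restore on re-enable), the cross-domain name collision described in the FAQ below, and the de-provisioning gap of manually created users can all be exercised in one small model. This is an added example written for this guide, not Duo's or UCSF's code; the domain/group mapping is taken from the table above, and all account names and dates are constructed samples.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

TRASH_RETENTION_DAYS = 7  # a trashed Duo user is permanently deleted after a week
TODAY = date(2020, 3, 10)  # constructed "current" date for the sample run

# Domain -> AD groups whose members Directory Sync provisions into Duo (from the table above)
SYNC_GROUPS = {
    "Campus/Net": {"DualAuthUsersNet", "DualAuthADMINUsersNet"},
    "MedCtr": {"DualAuthUsersMedCtr", "DualAuthADMINUsersMedCtr"},
    "SOM": {"DualAuthUsersSOM", "DualAuthADMINUsersSOM"},
}

@dataclass(frozen=True)
class ADAccount:
    username: str
    domain: str
    enabled: bool
    groups: frozenset

@dataclass(frozen=True)
class DuoUser:
    username: str
    synced_from: Optional[str]         # domain name, or None if created by hand in Duo
    trashed_on: Optional[date] = None  # set when a sync moves the user to the trash

def run_sync(domain, ad, duo, today):
    """Simulate one daily Directory Sync of `domain`; returns the new Duo user table."""
    duo = dict(duo)
    # Only enabled accounts that sit in one of the domain's DualAuth groups are synced
    wanted = {a.username for a in ad
              if a.domain == domain and a.enabled and a.groups & SYNC_GROUPS[domain]}
    for name in wanted:
        user = duo.get(name)
        if user is None:
            duo[name] = DuoUser(name, domain)            # provision a new Duo user
        elif user.synced_from == domain and user.trashed_on is not None:
            duo[name] = replace(user, trashed_on=None)   # restore from the trash
        # a same-named user owned by another domain is left alone, so nothing is provisioned
    for name, user in list(duo.items()):
        if user.synced_from != domain:
            continue  # manual users and other domains' users are never touched by this sync
        if name not in wanted and user.trashed_on is None:
            duo[name] = replace(user, trashed_on=today)  # disabled in AD or left the group
        elif user.trashed_on and today - user.trashed_on >= timedelta(days=TRASH_RETENTION_DAYS):
            del duo[name]                                # retention window elapsed
    return duo

def audit_manual_users(ad, duo):
    """Flag hand-created Duo users that no sync will ever de-provision."""
    by_name = {a.username: a for a in ad}
    manual = [n for n, u in duo.items() if u.synced_from is None]
    return {"no_ad_account": sorted(n for n in manual if n not in by_name),
            "ad_disabled": sorted(n for n in manual if n in by_name and not by_name[n].enabled)}

# Constructed sample data, not real accounts
SAMPLE_AD = [
    ADAccount("alice", "Campus/Net", True, frozenset({"DualAuthUsersNet"})),
    ADAccount("bob", "MedCtr", False, frozenset({"DualAuthUsersMedCtr"})),      # disabled in AD
    ADAccount("dave", "Campus/Net", True, frozenset({"DualAuthADMINUsersNet"})),
    ADAccount("erin", "SOM", False, frozenset()),
]
SAMPLE_DUO = {
    "bob": DuoUser("bob", "MedCtr"),
    "dave": DuoUser("dave", "MedCtr", trashed_on=date(2020, 3, 1)),  # old MedCtr "dave" in the trash
    "erin": DuoUser("erin", None),                                    # hand-created, AD now disabled
    "svc-linux": DuoUser("svc-linux", None),                          # hand-created local account
}
```

Running the Campus/Net sync against this data provisions alice but not dave, because the trashed MedCtr dave still holds the name; once the MedCtr sync purges him after the week, the next Campus/Net sync succeeds, which is the manual sequence the FAQ describes.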
Duo Main Account & Sub-accounts
Though we usually use the word "account" to mean a customer's access to a computing resource (like the username of your AD account), in Duo parlance "account" means UCSF's account with Duo. In UCSF's Duo account, we have a main account and sub-accounts. If you have Duo admin access in UCSF's main account, you can see the following drop down list when logged in to DuoSecurity.com:
Our main account is the one highlighted in the select list above, in blue ("UCSF DAY5..."). You enter this main account whenever you log into your Duo admin account. Here are some details on the entire set of accounts. The grayed-out ones you can ignore, as they are either internal for Identity & Access Management use or are owned and managed by other UCSF departments.
- BCH - Oakland – sub-account for BCH Oakland, managed by CHO IT.
- e-Prescribe – primary sub-account for EPCS in Apex, managed by UCSF IT.
- e-Prescribe (ID Proofing) – secondary sub-account for EPCS in Apex with integrated ID Proofing, managed by UCSF IT. This will probably disappear within a year or so.
- Eureka
- UCSF – main account, managed by UCSF IT. ITSD will spend the vast majority of their time here.
- UCSF - Dev
- UCSF - Test
- UCSF PharmChem
To switch between accounts, click the list at the top and the actual select drop-down appears. Then select the sub-account you want and click the "Switch" button.
How can a Service Desk representative help a customer with Duo?
What's a "Duo Admin" account and how is it different from my Duo account?
As a Duo administrator you will have at least two Duo users, probably more, associated with your UCSF identity. At least one will be connected to your usual AD login username. Others may be connected to your AD 'AA' or elevated-access account(s). Finally, you will have a Duo Admin account. Your Duo Admin account is completely separate and has nothing to do with your AD or any other MyAccess account. The username for a Duo Admin account is always an email address and does not have to be your official UCSF email (though we usually require it to be). The password for your Duo Admin account is separate from your regular Duo and AD users. Changing your AD password in the Hitachi password manager will not affect your Duo Admin account. To change your Duo Admin account password you must go to https://duosecurity.com and use the "forgot password" feature. Conversely, your AD username and password will not log you into the Duo Admin website.
Duo Admin accounts are always assigned to a role. A role represents the set of administration actions a Duo Admin can perform, such as updating a Duo user's phone, syncing a Duo user to AD or changing Duo's overall configuration. Most IT Service Desk representatives and other Duo Admins are given the Duo "Help Desk" role. With this role, you can perform the tasks described in the following sections:
Review Duo account details
Finding users and browsing account details
- Use the search field at the top left.
- Use the Users page found on the left-hand side menu, and then use the search field on the right. I find this method to be the easiest, as it is faster and shows more complete results right away.
Account detail fields
Username: the AD username for synced accounts
Username aliases:
    alias 1: the email address as synced from AD, facilitating applications with no username normalization
    alias 2: the left-hand side of the email address in AD, facilitating applications with username normalization
Full name: synced from AD
Email: synced from AD
Status: Active, Bypass, Disabled. Help Desk level admins cannot change from active to disabled and vice versa within Duo, as it is a reflection of the status of the AD account. If the account is disabled in AD or not in the proper AD group for Duo directory syncing it will be disabled here. To modify this status, go into ADUC and make sure the AD account is properly enabled.
Groups: this lists groups within Duo to which this Duo account belongs. However, for UCSF the most common use of groups in Duo directly reflects groups of the same name in AD by way of Directory Sync. If you want to know through which AD group a Duo user was synced/provisioned into Duo, it's one of the Duo groups listed here.
Notes: For our set up, this field is not editable for synced accounts. The information is synced from AD's employeeID attribute. At the moment, this field is very unfortunately not searchable – imagine how nice it would be to do one of the user search methods above by putting in the UCSF 02 ID and finding the Duo username. Fortunately, you can search by 02 in MyAccess Lookup and find the Duo tab with the link to the Duo user on the Duo website.
Add, remove, activate and assign phones
Adding a phone, new or existing, to a Duo user
Activating and reactivating a phone
While you can do the reactivation within the Duo Admin UI, you can more conveniently perform this function with MyAccess Lookup. The "Send Activation" button will resend the activation via SMS. *Note: This is currently not functioning properly and will be fixed in the near future.
Removing a phone from a Duo user
Scroll to the "Phones" section of the user's detail page and click the small trashcan icon. If this phone is in use by other Duo users, the phone itself will be unaffected and remain in Duo. Otherwise, it will be deleted from Duo.
Passcodes and Bypass Codes
What is a passcode?
A passcode is a single-use code for logging in (see The Customer's Experience above). They are generated in batches of 10 codes and are sent to the customer via SMS. You will never see a customer's passcodes. The Duo authentication UI will ask for them in order ("The next passcode will begin with #"), as the codes' first digit runs from 0 to 9 across the 10 codes sent.
Sending SMS codes
Sending passcodes in the Duo Admin UI
1. Click on one of the customer's phones.
2. On the next screen you will see the phone number in a large font on the upper left. To the right side of the screen will be a link "Send SMS Passcodes...". Clicking that link will send the passcodes to that phone.
Sending passcodes with MyAccess Lookup. *Note: This is currently not functioning properly and will be fixed in the near future.
What is a bypass code?
A bypass code is like a passcode, but it can be set to expire (including never) and to be valid only for a given number of uses (including unlimited). NOTE: Bypass codes may not be generated without express authorization from IT Directors, IT Security leadership, IT Service Desk Leadership or Identity & Access Management personnel.
1. Go to the Duo user's detail page.
2. Scroll to the "Bypass Codes" section.
3. Click on "Add Bypass Code".
4. On the resulting screen, the default settings show as "Expires when used or in 60 minutes". In other words, the default options will generate a single-use bypass code that is only viable for one hour. If other settings are desired, click on "Change options", where you can not only set expiration and usages, but also specify an exact, custom code.
5. Click on "Generate Bypass Code".
Removing a bypass code
Find the code listed on the Duo user's detail page and click the small trashcan icon on the right.
Provision and update a Duo user from an Active Directory user
See "How are Duo accounts provisioned and de-provisioned" above.
Re-syncing an existing Duo user
1. Go to the Duo user's detail page.
2. Click the "Sync This User" link near the upper right corner.
Add an AD account to Duo
The Easy Way, using MyAccess Lookup
See "The Duo Provision Button" for MyAccess Lookup.
Note: Do not use MyAccess Lookup to provision admin/aa-/elevated-access AD accounts into Duo, as there is a known issue regarding those accounts with this tool. This will be fixed in the near future.
The Hard Way, using ADUC and Duo
1. Using ADUC, place the AD account into one of the Directory Sync AD groups (see the "AD accounts and DualAuth groups" section above).
2. From anywhere within the Duo Admin UI, click on "Users" in the left-hand column.
3. Click on Directory Sync.
4. Click on the link with the AD domain where the AD account resides.
5. In the "Sync Individual users" text area, enter the AD username (or a list of comma-separated usernames).
6. Click the "Sync Users" button.
Contacting Support
1. Log into your Duo admin account.
2. Scroll down and find the "Need Help?" section at the bottom of the left-hand side menu. There you will find a support phone number to call and the "Account ID" for the Duo account you are currently logged into with your admin account. When you call the Duo support number you will be asked for the account ID before being able to continue speaking with a Duo support rep.
Frequently Asked Questions, Encountered Issues & Answers
The Duo user is disabled, but there is no option to enable/reactivate, or if there is it's grayed out. How can I re-enable this Duo user?
1. Make sure the related AD user is in one of the DualAuth groups.
2. Make sure the related AD user is not disabled in AD.
3. Go to the Duo user's detail page and click the "Sync this user" link.
Cannot provision an AD user into Duo because the account name collides with a disabled AD user in another domain. What can I do?
Remove the disabled, blocking user from Duo:
1. In ADUC, remove the disabled user from any DualAuth* group.
2. Go to Users > Directory Sync.
3. Click on the AD domain name of the disabled user. The result should say that the user is disabled or no longer part of a sync group and will be deleted.
4. Go to Users (left-hand menu) > Trash (on the dashboard) and search for the user in the trash.
5. Click the checkbox to the left of the username.
6. At the top of the table of usernames is a menu called "Select (#)v". Just to the right of that drop-down is a small "..." menu. Click it and choose "Permanently delete".
Add the enabled, new user into Duo:
1. Start provisioning the active user by going back to Users > Directory Sync.
2. Click on the domain name of the active user.
3. Enter the user name in the "Sync individual users" text box and click "Sync Users".
The customer's phone is not receiving pushes, passcodes or activations. How can I fix this?
1. If the issue is not a failure to receive activations, try resending the activation (see the "Add, remove, activate and assign phones" section).
2. If that does not help, have the user delete the account in question from the Duo app, that is, from the accounts screen in the app.
3. If that does not work, delete the entire Duo application from the phone and send the reactivation.
4. If all else fails, there may be an SMS reception issue with the customer's device. We have record of a customer (INC6186358) who had the RoboKiller app on her phone, which was blocking SMS from Duo. Once the customer removed that app, Duo was working.
5. If none of the above works, then assign a ticket to Identity & Access Management.
The customer can use Duo just fine with their AA/elevated-access account, but they are told they do not have privileges/access when logging into a remote computer
The DualAuthAdmin* groups in AD are not just for Directory Sync but are also used by AD for authorizing users to log into remote computers. If the AD account in question is in a non-admin AD group (i.e. DualAuth without "Admin" in the name of the group), that account will sync to Duo and be able to use Duo just fine. However, the computer will reject them. The solution is to remove the AD user from the non-Admin group and put them into the DualAuthAdmin group for the domain in question. Then resync the customer's Duo account from within Duo Admin.
How can I provision an AD user for EPCS in Duo?
1. Add the Med Center AD user to the EPCS group in that domain. If there is no rush, you can stop here and let automated Directory Sync provision the user.
2. Log into Duo and switch to the e-Prescribe Duo account (see the Duo Main Account & Sub-accounts section above).
3. Click on "Users" in the left-hand column.
4. Click on Directory Sync.
5. Click on the link with the AD domain where the AD account resides.
6. In the "Sync Individual users" text area, enter the AD username.
7. Click the "Sync Users" button.
How do I get an AD account in the SDE domain into Duo?
Identity & Access Management manages Duo for the Campus, Med Center and SOM AD domains. Academic Systems manages Duo for the SDE domain. Please contact Rhett Hillary ([email protected]) in IT EDW Operations.