PingOne

Provisioning Duo with PingOne

Duo is a cloud-based security platform that provides multi-factor authentication (MFA) and access protection. By using the Duo connection in PingOne, you can provision users, groups, and memberships between Duo and PingOne.

Provisioning capabilities

The following table summarizes the inbound and outbound provisioning capabilities for each resource type:

| Resource | Capability | Description | Inbound | Outbound |
|---|---|---|---|---|
| User | Create | Generates a new user record in the destination. | Yes | Yes |
| User | Read | Retrieves or polls user attributes for synchronization. | Yes | Yes |
| User | Update | Modifies existing attributes, such as job title. | Yes | Yes |
| User | Delete | Deletes a user or temporarily suspends an account. | Yes | Yes |
| Group | Create | Provisions a new group in the target application. | No | Yes |
| Group | Rename | Updates the display name or identifier of an existing group. | No | Yes |
| Group | Delete | Removes a group from the target application. | No | Yes |
| Membership | Add and remove | Adds or removes users from groups. | No | Yes |

Before you begin

Make sure that you have:

  • A Duo administrative account. Learn more in Duo.

  • The following from your Duo account:

    • API Host

    • Integration Key

    • Secret Key

  • Users assigned to a specific population or group in PingOne designated for Duo provisioning. Learn more in Adding a user in PingOne and Managing groups.

Steps

  1. Create a Duo connection:

    1. In the PingOne admin console, go to Integrations > Provisioning.

    2. Click and then click New Connection.

    3. Click Select for Identity Store.

    4. Click Select for the Duo connection, and click Next.

    5. Enter a Name and Description for this provisioning connection.

    6. Click Next.

    7. In the Configure Authentication section, enter the following configurations from your Duo account:

      | Field | Example |
      |---|---|
      | API Host | api-6c03959e.duosecurity.com |
      | Integration Key | DIBCOIMTSBAGBE9T7GT6 |
      | Secret Key | E0TPcSrM2fu4juV6fN295dvSiu9QpRxAwAWq0xHD |

    8. Click Test Connection to verify that PingOne can establish a connection to the Duo resource.

      Result:

      If there are any issues with the connection, a Test Connection Failed modal opens. Click Next to resume the setup with an invalid connection.

      You can’t use the connection for provisioning until you’ve established a valid connection to Duo. If the connection fails, click Cancel in the Test Connection Failed modal, verify that you’ve entered the configuration details in the Configure Authentication section (step 7) correctly, and try again.

    9. Click Next.

    10. In the User Actions section, select the following as needed:

      • Enable users creation: Creates a user in the target identity store when the user is created in the source identity store.

      • Enable users updation: Updates user attributes in the target identity store when the user is updated in the source identity store.

        If Enable users updation is selected, you can choose to select Enable users disable, which disables a user in the target identity store when the user is disabled in the source identity store.

      • Enable users deprovision: Deprovisions a user in the target identity store when the user is deprovisioned in the source identity store. If Enable users deprovision is selected, the following options appear:

        • Remove Action: Removes or disables a user in the target identity store when the user is deleted in the source identity store. Select Delete or Disable.

          Remove Action is only available if you select Enable users disable.

        • Deprovision on rule deletion: Deprovisions users if the associated provisioning rule is deleted.

    11. Click Save.

    12. To enable the connection, click the toggle at the top of the details panel to the right (blue).

      You can disable the connection by clicking the toggle to the left (gray).

  2. Create an inbound or outbound rule and select the existing Duo connection as the target or source. You can optionally add attribute mappings.

    For an outbound rule, you can use the following example attribute mappings as a starting point.

    | PingOne Directory | Duo |
    |---|---|
    | Username | username |
    | Email Address | email |
    | Primary Phone | phones |
    | Enabled | enabled |
    | Given Name | realname |

Validation

Confirm users and groups are successfully provisioned to Duo. View the sync status to review synchronization results and any errors. You can find examples in Outbound provisioning sync summary examples.

Duo directory attributes

The following table lists common Duo attributes that can be mapped for user provisioning:

| Attribute | Description |
|---|---|
| username | The Duo username for the user. |
| email | The user’s primary email address. |
| phones | The primary telephone number for the user. |
| enabled | Indicates whether the Duo user account is enabled. |
| realname | The user’s display or real name in Duo. |
| userType | Determines the type of user created. You must specify either user or admin for this attribute. Any other value causes the sync to fail. |

Duo provisioning known limitations

The following limitations apply to Duo provisioning:

  • Currently, inbound group provisioning or group membership synchronization from Duo to PingOne isn’t supported.

  • After an attribute value is synchronized to Duo, it can’t be cleared. The value can only be updated to a new value.

  • When a user record is updated or deleted, the connection automatically removes any unused phone numbers. This automatic cleanup can’t be turned off.
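
The following is an added example, not part of the PingOne documentation or product. It applies the example outbound mapping from this page to a source record and flags the two conditions documented above before a sync runs: a userType other than user or admin, and an attempt to clear a value that was already synchronized. The function names, the record layout, the cached "previous" record, and the choice to flag admin for review are assumptions of this example.

```python
# Added example. Mapping and constraints come from this page; data is constructed.

# Example outbound mapping: PingOne Directory attribute -> Duo attribute.
OUTBOUND_MAPPING = {
    "Username": "username",
    "Email Address": "email",
    "Primary Phone": "phones",
    "Enabled": "enabled",
    "Given Name": "realname",
}
ALLOWED_USER_TYPES = {"user", "admin"}  # any other value causes the sync to fail
EMPTY = (None, "")


def to_duo(pingone_user, user_type="user"):
    """Apply the mapping; source attributes absent from the record are skipped."""
    duo = {dst: pingone_user[src]
           for src, dst in OUTBOUND_MAPPING.items() if src in pingone_user}
    duo["userType"] = user_type
    return duo


def check_record(new, previous=None):
    """Return (severity, attribute, message) findings for one mapped record.

    `previous` is the record from the last successful sync, kept by the
    caller (hypothetical local cache, not a PingOne feature).
    """
    findings = []
    user_type = new.get("userType")
    if user_type not in ALLOWED_USER_TYPES:
        findings.append(("error", "userType", "must be 'user' or 'admin'"))
    elif user_type == "admin":
        # Assumption of this example: admin-type users deserve a manual look.
        findings.append(("review", "userType", "record is created as an admin"))
    for attr, old in (previous or {}).items():
        if old not in EMPTY and new.get(attr) in EMPTY:
            # Limitation on this page: a synced value can be updated, not cleared.
            findings.append(("warn", attr, "cannot be cleared once synced to Duo"))
    return findings


# Constructed sample data.
SAMPLE_USER = {"Username": "jdoe", "Email Address": "", "Enabled": True,
               "Given Name": "Jane"}
SAMPLE_PREVIOUS = {"username": "jdoe", "email": "jdoe@example.com",
                   "enabled": True, "realname": "Jane", "userType": "user"}
```

Calling check_record(to_duo(SAMPLE_USER), SAMPLE_PREVIOUS) reports the emptied email attribute as a warning.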