
Protecting Applications

An application binds Duo's two-factor authentication system to one or more of your services or platforms, such as a local network, VPN (virtual private network), CMS (content management system), email system, or hardware device. You can protect as many applications as you need, and administer each independently.

Protecting an Application

Role required: Owner, Administrator, or Application Manager.

  1. Log in to the Duo Admin Panel. To add a new application, click Applications in the left sidebar, then click the Protect an Application button or the Protect an Application submenu item in the left sidebar. Alternatively, you can click the Add New... button in the top right of the Dashboard page and then click Application.


  2. The "Protect an Application" page lists the different types of services you can protect with Duo.


    You can scroll down the page to browse all available applications, or start typing the name of your product in the space provided to filter the applications list. For example, type "ci" to view Cisco and Citrix solutions.


    Click Read the documentation underneath each application's name to review the requirements and configuration steps for integrating Duo into your service before adding the new application.

    If you don't see your specific product, use this table as a guide in selecting an appropriate application:

    To protect… | Choose this application…
    Local and remote (ssh) logins on Unix systems | UNIX Application
    SSL or IPSec VPN Logins | Check for your specific brand of VPN
    Other VPNs and remote access solutions that support RADIUS authentication | RADIUS
    Microsoft services like RDP or OWA | Look for your named application
    Any device or system that supports authentication via LDAP | LDAP Proxy
    Your own web applications | WebSDK (requires some programming proficiency)

    If you're coding your own two-factor authentication using Duo's Auth API choose the Auth API application. The Accounts API and Admin API applications are available to Platform and Enterprise edition customers. Please contact us to request access to these APIs.

    When you've located the application you want to protect with Duo, click the Protect this Application link underneath the application's name. Your new application is added with a default name (like "Cisco SSL VPN").


    If an application using the default name already exists, a number is appended to the new application's name to make it unique (e.g. "Cisco SSL VPN 1", "Cisco SSL VPN 2", etc.). Users see this application name each time they authenticate using Duo Push. You can change the application's name any time after creation from the "General" settings section of your application's properties page.

  3. You'll be taken directly to the new application's properties page after creation. Here you can update the application's name and phone greeting, or set policies for that application.

    The "Details" section near the top of the page shows your Integration key (ikey), Secret key (skey), and API hostname:


    The integration key and secret key uniquely identify a specific application to Duo. The API hostname is unique to your account, but shared by all of your applications. You'll need these keys and hostname when configuring your system to work with Duo. You may also need them if you contact Duo Support.

    Treat your secret key like a password

    Don't share it with unauthorized individuals or email it to anyone under any circumstances!

  4. The next step after adding an application is to configure your appliance, device, application, service, or system to work with Duo. You'll find a link to the appropriate documentation in the highlighted "Setup Instructions" section at the top of each application's properties page.


  5. You can also begin enrolling users now. Read Enrolling Users for details.

    Important

    Duo administrator accounts are only used to log on to the Admin Panel. They can't be used to access devices or applications using Duo two-factor authentication. Be sure to also enroll your Duo admins as users if they need to log on as end users of the application you just created.

Application Options

Role required: Owner, Administrator, or Application Manager.

A number of additional settings can be configured from an application’s properties page.

Policy

Policy settings are only visible to Platform and Enterprise edition customers. Platform customers can create and assign application and group policies that control device security, allowed authenticators, and more.


Enterprise customers may create a policy for an individual application that affects all users of that application, or use the Global Policy to manage settings for all applications.


See the Policy & Control documentation for more information about available policy restrictions and instructions for managing application policies.

Type and Name

The application "Type" shows what kind of Duo application you created. This field is read-only.

Users see the application's "Name" each time they authenticate using Duo Push. To update, type in a new name and click the Save Changes button at the bottom of the page when done.


Self-service Portal

Duo's self-service portal lets users add, update, and remove authentication devices. The self-service portal is an option for web-based and some SSL VPN applications that feature inline enrollment and the authentication prompt. See the self-service portal documentation and Managing Your Devices in the Duo end user guide.

To enable this feature, check the Let users manage their devices box. Click the Save Changes button at the bottom of the page when done.


New User Policy

An application's "New user policy" can be one of the following:

  • Require enrollment - Users who are not enrolled in Duo see the inline self-enrollment setup process after entering their primary username and password. Users who are already enrolled in Duo are prompted to complete two-factor authentication. This is the default policy for new applications.
  • Allow access - Users who are already enrolled in Duo are prompted for two-factor authentication. Users not enrolled in Duo are not prompted to complete enrollment and are granted access without two-factor authentication. Platform edition customers see events for users that access an application without two-factor authentication as a result of this setting in the Authentication Log.
  • Deny access - Access is denied to users not enrolled in Duo. Users must be enrolled before attempting authentication, by using one of the automatic enrollment options, bulk self-enrollment, or manual enrollment by a Duo administrator.

The new user policy settings are especially important during a staged rollout or controlled deployment of Duo. You can initially enroll just a subset of your user base and set the policy to allow access, which will require two-factor authentication for just the enrolled testers while the rest of your users continue to log on normally. See our Deploying a Proof of Concept guide for more information.

To change the new user policy, click the radio button next to the desired setting. Click the Save Changes button at the bottom of the page when done.


If you're on Duo's Platform or Enterprise edition, use the policy editor to change the "New User Policy" setting globally, for specific applications, or for groups of users. See the Policy & Control documentation for more information.


Trusted Devices

When the "Trusted devices" option is set, users are not challenged for Duo two-factor for the specified number of days after authenticating on that device. See the Using Trusted Devices & Trusted Networks Controls documentation for more information about configuring trusted devices.

To enable this feature, click the check box next to Allow users to remember their device for _ days and enter the desired number of days or hours — up to 365 days — in the space provided (the default is 30 days). Click the Save Changes button at the bottom of the page when done.


If you're on Duo's Platform or Enterprise edition, use the policy editor to change the "Trusted Devices" policy setting globally, for specific applications, or for groups of users. See the Policy & Control documentation for more information.


Trusted Networks

When the "Trusted networks" option is configured, users are only challenged for two-factor authentication when accessing the application from outside the listed IP addresses, IP ranges, or CIDR networks. Refer to the Using Trusted Devices & Trusted Networks Controls documentation for additional details about trusted networks.

To configure this feature, check the Don't require two-factor authentication for logins from the following IPs: box and enter your network information in the space provided. You can choose whether unenrolled users accessing the application from a trusted network are required to complete Duo enrollment by checking the box next to Enroll new users logging in from trusted networks. Click the Save Changes button at the bottom of the page when done.


If you're on Duo's Platform or Enterprise edition, use the policy editor to change the "Trusted Networks" policy setting globally, for specific applications, or for groups of users. See the Policy & Control documentation for more information.
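
As an added illustration (not Duo's implementation), this Python sketch evaluates the trusted-networks rule described above against a constructed allow list and flags entries broad enough to exempt a large address space from two-factor authentication. The `first-last` range syntax, the function names and the 65,536-address threshold are assumptions.

```python
import ipaddress

def parse_entry(entry: str):
    """Turn one trusted-network entry into a list of ip_network objects.
    Accepts a single IP, a CIDR block, or a 'first-last' range (assumed syntax)."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]

def requires_two_factor(client_ip: str, trusted_entries) -> bool:
    """True when the login comes from outside every trusted entry."""
    addr = ipaddress.ip_address(client_ip)
    for entry in trusted_entries:
        if any(addr in net for net in parse_entry(entry)):
            return False
    return True

def overly_broad(trusted_entries, max_addresses=65536):
    """Entries covering more than max_addresses (assumed review threshold).
    Every address in a trusted entry skips the second factor."""
    flagged = []
    for entry in trusted_entries:
        size = sum(net.num_addresses for net in parse_entry(entry))
        if size > max_addresses:
            flagged.append(entry)
    return flagged

# Constructed allow list using documentation address ranges.
TRUSTED = [
    "203.0.113.10",            # single IP
    "198.51.100.0/24",         # CIDR network
    "192.0.2.16-192.0.2.31",   # IP range (assumed syntax)
    "10.0.0.0/8",              # very broad internal block
]

if __name__ == "__main__":
    for ip in ("198.51.100.77", "192.0.2.20", "192.0.2.32", "203.0.113.11"):
        print(ip, "2FA required" if requires_two_factor(ip, TRUSTED) else "2FA skipped")
    print("Review these entries:", overly_broad(TRUSTED))
```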


Permitted Groups

With "Permitted Groups", you can use Duo groups to restrict which active Duo users may access an application. See the Using Groups documentation for more information and detailed instructions.

To configure this setting, check the Only allow authentication from users in certain groups box and then click in the "Select groups" field to bring up a list of groups. Click on a group name to select it. You may also narrow down the group search results by typing a group name in the box. Click the Save Changes button at the bottom of the page when done.


Username Normalization

The "Username normalization" option controls whether usernames entered for primary authentication are altered before Duo tries to match them to a Duo user account. With normalization off, the usernames "jsmith," "DOMAIN\jsmith," and "jsmith@domain.com" would be three separate users in Duo. When username normalization is enabled, any domain information is stripped from the username, so "jsmith," "DOMAIN\jsmith," and "jsmith@domain.com" would all resolve to a single "jsmith" Duo user.

To turn on username normalization, click the radio button next to Simple. Click the Save Changes button at the bottom of the page when done.
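
The following sketch is an added example, not Duo's code: it approximates "Simple" normalization as described above and audits a constructed list of login names for cases where accounts from different domains of the same kind would collapse into one Duo user. The function names and sample logins are assumptions.

```python
from collections import defaultdict

def split_login(login: str):
    """Return (bare_name, kind, domain) for 'name', 'DOMAIN\\name' or 'name@domain'."""
    login = login.strip()
    if "\\" in login:
        domain, name = login.split("\\", 1)
        return name, "netbios", domain.lower()
    if "@" in login:
        name, domain = login.rsplit("@", 1)
        return name, "upn", domain.lower()
    return login, "bare", ""

def normalize_simple(login: str) -> str:
    """Approximation of 'Simple' normalization: strip domain information."""
    return split_login(login)[0]

def ambiguous_after_normalization(logins):
    """Map each bare name to its source logins when they carry two or more
    different domains of the same kind, i.e. likely different accounts."""
    domains = defaultdict(lambda: defaultdict(set))
    sources = defaultdict(set)
    for login in logins:
        name, kind, domain = split_login(login)
        sources[name].add(login.strip())
        if kind != "bare":
            domains[name][kind].add(domain)
    return {
        name: sorted(sources[name])
        for name, kinds in domains.items()
        if any(len(d) > 1 for d in kinds.values())
    }

# Constructed sample directory export (not real accounts).
SAMPLE_LOGINS = [
    "jsmith", "DOMAIN\\jsmith", "jsmith@domain.com",
    "adavis@corp.example", "adavis@partner.example",
    "CORP\\mlee", "mlee@corp.example",
]

if __name__ == "__main__":
    for name, logins in ambiguous_after_normalization(SAMPLE_LOGINS).items():
        print(f"{name}: {logins}")
```

Run it over an export of your directory before selecting Simple; any name it reports should be resolved so that two people do not end up sharing one Duo user.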


Additional Settings

Click the Save Changes button at the bottom of the page after updating these settings.

Voice Greeting

The "Voice greeting" is read to users at the beginning of the verification phone call before the Duo authentication instructions. You may customize the greeting as you wish.


Notes

Enter any additional information about your application in the "Notes" field. The notes are only visible to administrators.


Removing Applications

WARNING: Removing an application may prevent user logins!

Be sure to remove Duo authentication from your product's configuration before you remove the corresponding application from the Duo Admin Panel.

To remove an application from Duo, view the application's configuration page in the Duo Admin Panel and click the Remove Application button at the top right.


Confirm that you want to remove the application.


The application is removed from Duo.

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.
