The Duo web application may only be used when accessing CyberArk Password Vault Web Access (PVWA) from a web browser. If you'd like to apply Duo MFA to Vault client logins, configure Duo authentication via RADIUS or LDAP.
Once configured, the CyberArk WebSDK integration takes a username context and passes it to Duo, and then prompts the user to complete Duo multifactor enrollment or authentication. If Password Vault Web Access is using IIS integrated Windows authentication and the client system is joined to the Active Directory domain as the PVWA server, the logged-in Windows username is passed to Duo. If integrated Windows authentication isn't used, then PVWA prompts for a username to pass to Duo.
After successful Duo approval, CyberArk performs primary authentication. If IIS integrated Windows authentication is configured on the PVWA server, then the logged-in Windows credentials are used. If you are not using Windows authentication, the user must enter their RADIUS or LDAP Vault authentication password (whichever method you specify when configuring Duo on the CyberArk server).
This page provides an overview of the Duo WebSDK installation process on your CyberArk PWVA deployment. The detailed instruction steps you will need to follow are in the CyberArk PVWA Authentication via Duo WebSDK document available for download from the CyberArk Support Vault (as described in step 4 in the next section.)
The Duo WebSDK integration works with PAS versions 9.8 and higher. Note that additional configuration is required for the login page to work on v10, as described in the CyberArk PVWA Authentication via Duo WebSDK document.
If you have issues configuring or using the CyberArk Duo WebSDK integration on your Password Vault deployment, please contact CyberArk's technical support.
Create an application key for use later when configuring the CyberArk WebSDK integration. The application key is a string that you should generate and keep secret from Duo. It should be at least 40 characters long. You can generate a random string in Python with:
import os, hashlib print hashlib.sha1(os.urandom(32)).hexdigest()
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.
|Universal Prompt||Traditional Prompt|
Read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.
Migration to Universal Prompt for your CyberArk Privileged Account Security application is a two-step process:
CyberArk PAS needs an update to support the Universal Prompt, but the update isn't available yet. The "Universal Prompt" section reflects this status as "Waiting on App Provider" with the activation options inaccessible. Please contact CyberArk to request Duo Universal Prompt support for CyberArk Privileged Account Security.
In the meantime, you can use Duo with CyberArk Privileged Account Security and the traditional prompt experience.
After CyberArk makes the necessary changes available you may need to install an application update on your server, or log in to CyberArk Privileged Account Security as an admin to enable Duo Universal Prompt support.
You'll return later to the settings on this page to activate the Universal Prompt for your CyberArk Privileged Account Security users after installing the necessary update.
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.
Before you begin, you should have obtained the Duo Security WebSDK Authentication zip file and the Duo MFA Web SDK Authentication Integration Guide document from the CyberArk Marketplace as described in First Steps - step 4 above.
Review the Duo MFA WebSDK document from CyberArk first and determine if you want to use integrated Windows Authentication (IWA) in IIS for access to PWVA, or if you want to require RADIUS or LDAP authentication in PWVA after Duo authentication.
You will also need Remote Desktop or console access to your Password Vault server, and administrator access to Password Vault Web Access via your browser.
Copy the Duo Security WebSDK Authentication.zip file to your CyberArk Password Vault Web Access server and extract the contents.
Refer to the Duo MFA Web SDK Authentication Integration Guide document you downloaded earlier for detailed installation and configuration instructions. Follow the directions to deploy Duo in your CyberArk Password Vault environment.
web.configfile to add the Duo integration key, secret key, and API hostname you copied from the Duo Admin Panel, the application key you generated, and to reference the "DuoSecurity" IIS module.
If you are using Password Vault version 10, be sure to change the logon page from v10 to v9 as specified in the "USING THE CYBERARK V10 INTERFACE" section of the Duo MFA Web SDK Authentication Integration Guide document.
For additional information about adding the Duo Web authentication method, including IIS instructions for Windows integrated authentication, please refer to the CyberArk PVWA Authentication via Duo WebSDK document available for download from the CyberArk Support Vault, as well as the "Defining Authentication Methods in PVWA", "Windows Authentication", "RADIUS Authentication", "LDAP Authentication" sections in the "CyberArk Privileged Account Security Installation Guide".
Navigate to the Privileged Account Security web login page and click the new Duo login option (this name matches the "DisplayName" you specified when configuring the Duo authentication method).
In this example, the Duo authentication method was configured to use LDAP authentication so PVWA must prompt for a username to pass to the Duo service.
After successful Duo authentication, PVWA prompts for the LDAP primary password. Note that the username is the same one originally provided to Duo, so the Duo username and PVWA usernames should match.
If you're using IIS's integrated Windows authentication for PVWA logins, Windows will automatically provide a username to the Duo service for secondary authentication and perform primary authentication after Duo using the logged in Windows credentials.
If you plan to permit use of WebAuthn authentication methods (security keys, U2F tokens, or Touch ID), Duo recommends enabling hostname whitelisting for this application and any others that show the inline Duo Prompt before onboarding your end-users.
If you have any issues with installing the CyberArk WebSDK integration, configuring your Password Vault authentication methods, or questions about IIS integrated authentication for PVWA, please contact CyberArk support. See the "DEBUGGING" section in the CyberArk PVWA Authentication via Duo WebSDK document.
Additionally, you may find the "CyberArk Privileged Account Security Installation Guide" documentation available from CyberArk helpful.