Skip navigation

Duo Security is now a part of Cisco

About Cisco


Thycotic Secret Server

Last Updated: April 3rd, 2019


Thycotic Secret Server now includes Duo Security's two-factor authentication via Duo Push, phone call, or passcode.

Duo and Secret Server

Duo Security’s authentication platform secures access to the Thycotic Secret Server Admin web console.

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.

First Steps

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate Thycotic Secret Server in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Configure Secret Server

  1. Log into your Secret Server as an administrator, and navigate to Admin → Configuration.
  2. Click on the Login tab, then check the "Enable Duo Integration" option and enter your Duo application information from the Admin Panel.

    Integration Key Your integration key
    Secret Key Your secret key
    API Hostname Your API hostname (i.e.

    Secret Server Login Settings

  3. Next, enable Duo authentication for your users. Navigate to Admin → Users. You can either enable Duo for an individual by editing that user account's properties, or enable Duo for multiple users by selecting them from the user list and using the Enable Duo Two Factor bulk operation.

    Enable Duo for User Accounts

Please see Thycotic's knowledge base article Configuring Duo for Two Factor for additional information about enabling Duo two-factor authentication in Secret Server.

Test Your Setup

To test your setup, browse to the Secret Server login page. After you complete primary authentication a Duo Security prompt appears. You can select one of the authentication options by clicking any of the buttons, or enter a passcode from Duo Mobile, SMS, or a token in the Pin Code field.

Enable Duo for User Accounts

If you have more than one device enrolled in Duo you need to select the one you want to use to authenticate.

Enable Duo for User Accounts

If you haven't set up any authentication devices in Duo yet you'll be given a link to complete enrollment.


Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

Secret Server Network Diagram

  1. Secret Server connection initiated
  2. Primary authentication
  3. Secret Server connection established to Duo Security over TCP port 443
  4. Secondary authentication via Duo Security’s service
  5. Secret Server receives authentication response
  6. Secret Server session logged in

Ready to Get Started?

Sign Up Free