Documentation
Duo Two-Factor Authentication for Delinea Secret Server (formerly Thycotic)
Last Updated: March 20th, 2025Contents
Delinea has partnered with Duo Security to add two-factor authentication via Duo Push, phone call, or passcode to Secret Server.
These instructions apply to the standalone Delinea Secret Server product only. Users of Delinea Platform should not follow these steps, and instead refer to the Duo Authentication instructions for Delinea Platform.
Using the information on this page to configure Delinea Platform will result in authentication failures.
Duo and Secret Server
Duo Security’s authentication platform secures access to the Delinea (formerly Thycotic) Secret Server web console.
This application communicates with Duo's service on SSL TCP port 443.
Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.
Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.
First Steps
-
Log in to the Duo Admin Panel and navigate to Applications → Protect an Application.
-
Locate the entry for Delinea Secret Server with a protection type of "2FA" in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications with Duo and additional application options.
Treat your secret key like a passwordThe security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
-
No users can log in to new applications until you grant access. Update the User access setting to grant access to this application to users in selected Duo groups, or to all users. Learn more about user access to applications. If you do not change this setting now, be sure to update it so that your test user has access before you test your setup.
Configure Duo Security in Secret Server
Refer to Duo Security Authentication in the Secret Server Documentation on the Delinea site. Follow the directions to configure Duo 2FA for Secret Server logins.
Once you configure Duo for Secret Server logins, you can also configure Duo Push approval for secret access requests. See Duo Push Notifications in the Secret Server Documentation for instructions.
Users of IBM Security Verify Privilege (incorporating Secret Server) should refer to the "Duo Security Authentication" instructions in the IBM Security Verify Privilege documentation.
Test Your Setup
Log in to Secret Server as a user configured for Duo. You should see additional logon options as described in the Secret Server Documentation.
Grant Access to Users
If you did not already grant user access to the Duo users you want to use this application be sure to do that before inviting or requiring them to log in with Duo.
Troubleshooting
Need some help? Try searching our Knowledge Base articles or Community discussions. For questions about the Duo integration, try contacting Delinea Support. For further assistance with Duo, contact Duo Support.
Network Diagram
- Secret Server connection initiated
- Primary authentication
- Secret Server connection established to Duo Security over TCP port 443
- Secondary authentication via Duo Security’s service
- Secret Server receives authentication response
- Secret Server session logged in