If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
The goal of this guide is to add a Duo Security connector to your SkyFormation Platform.
Prerequisites
- Mandatory
(0) Make sure you are a Duo administrator with the "Owner" role when you perform
the steps below (other Duo administrator roles are not sufficient!)
(1) Verify that the Duo "Admin API" application is enabled in your company's Duo account
The "Admin API" is a Duo application that exposes APIs for administrative actions.
The SkyFormation Duo connector needs these APIs enabled to work.
How to verify if the "Admin API" application is enabled at your Duo account
(a) Log in to the Duo admin console
(b) Under the Applications section press the "Protect an Application" link
(c) Check whether the "Admin API" application appears in the list (see the diagram below)
If you do not see the "Admin API" application in your list (as shown above),
the "Admin API" application (APIs) is not enabled for your company's Duo account.
To enable it, contact Duo as described at: Duo Admin API overview
Once Duo enables the "Admin API" for your Duo account, repeat step (1)
above and make sure the "Admin API" application appears in the list as shown in the above
diagram.
(2) Create a new "Admin API" protected application for the SkyFormation Duo connector
In this step we create an "Admin API" application instance, with its unique keys and permissions
that will be used by the SkyFormation Duo connector you are about to on-board.
How to add "Admin API" protected application for SkyFormation
(a) Log in to the Duo admin console
(b) Under the Applications section press the "Protect an Application" link
(c) From the list of all available applications to protect in Duo, scroll to the "Admin API" app
and press its "Protect this Application" link (as shown below)
(d) From the newly created "Admin API" application page that opens, extract the following information
(see diagram below)
- Integration key
- Secret key
- API hostname
(3) Give the new "Admin API" protected application a meaningful name
From the new "Admin API" protected application page (see above) go to the "Settings" section and
in the "Name" text box enter a meaningful name that reflects the SkyFormation connector's
use of the application/APIs.
See an example in the diagram below.
(3) Give the new "Admin API" protected application the needed permissions
In this step you grant the API the permissions the SkyFormation Duo connector needs.
From the new "Admin API" protected application "Settings" section, check the following permission
grants:
- Grant administrators (needed by SkyFormation to read administrator identifying properties)
- Grant read log (needed by SkyFormation to read needed audit logs)
- Grant read resource (needed by SkyFormation to read users and groups information)
See an example below.
You can now close the Duo admin console.
Note: This connector syncs groups and users to enrich events. To do that, the 'Grant read resource' permission must be enabled. If you do not want to grant 'Grant read resource' to this service for security reasons, you can disable the sync instead. You can find instructions for that here: https://support.skyformation.com/hc/en-us/articles/360014958060-How-to-Disable-Sync-of-Users-and-Groups-in-the-SkyFormation-Application.
(4) Allow outbound connections from the SkyFormation application to the following internet
address
*.duosecurity.com:443
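The following check is an added example, not part of the original guide and not SkyFormation or Duo code: before on-boarding, it sends one signed read-only GET per permission grant from the SkyFormation host, which exercises the three extracted values, the grants and the outbound rule together. It assumes Duo's documented HMAC-SHA1 request signing and Admin API endpoint paths; the environment variable names are hypothetical.

```python
import base64, email.utils, hashlib, hmac, os, re
import urllib.error, urllib.parse, urllib.request

# One read-only GET endpoint per grant from the permissions step. Paths follow
# Duo's public Admin API documentation (assumption; they are not in this guide).
PROBES = {
    "Grant administrators": "/admin/v1/admins",
    "Grant read log": "/admin/v1/logs/administrator",
    "Grant read resource": "/admin/v1/users",
}

def sign(ikey, skey, host, method, path, params, date):
    """Build the Authorization header: HMAC-SHA1 over Duo's canonical request."""
    query = "&".join(
        f"{urllib.parse.quote(k, '~')}={urllib.parse.quote(str(v), '~')}"
        for k, v in sorted(params.items())
    )
    canon = "\n".join([date, method.upper(), host.lower(), path, query])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    return "Basic " + base64.b64encode(f"{ikey}:{sig}".encode()).decode()

def probe(ikey, skey, host, path, timeout=10):
    """Send one signed GET and return the HTTP status code."""
    # Only ever sign for a host under duosecurity.com, the one outbound
    # destination the guide asks you to allow.
    if not re.fullmatch(r"[a-z0-9-]+\.duosecurity\.com", host.lower()):
        raise ValueError(f"unexpected API hostname: {host!r}")
    date = email.utils.formatdate()  # RFC 2822 date, must match the Date header
    req = urllib.request.Request(
        f"https://{host}{path}",
        headers={"Date": date,
                 "Authorization": sign(ikey, skey, host, "GET", path, {}, date)},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403: wrong keys or the grant is missing

if __name__ == "__main__":
    # DUO_IKEY / DUO_SKEY / DUO_HOST are hypothetical variable names; reading
    # the keys from the environment keeps them out of source control.
    ikey, skey, host = (os.environ[k] for k in ("DUO_IKEY", "DUO_SKEY", "DUO_HOST"))
    for grant, path in PROBES.items():
        print(f"{grant:22} {path:30} HTTP {probe(ikey, skey, host, path)}")
```

A connection error or timeout instead of an HTTP status points at the outbound rule for *.duosecurity.com:443 rather than at the keys or grants.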
You are ready to on-board the SkyFormation Duo connector (follow the below Steps)
Steps
1. Log on to your SkyFormation Platform:
2. Navigate via the left navigation panel to the "Settings" section
3. Navigate via the New Settings left navigation panel to the "Accounts" section
4. Click the "Add Account" button
5. At the "SELECT SERVICE TO ADD" choose "Duo"
You will see the below screen:
5. Fill in the following information:
- Account Name
Give this Duo cloud connector a meaningful name. This becomes the cloud app
connector name displayed in the SkyFormation platform, and it is added as an identifier to all
events sent to your SIEM/Log/Splunk system from this connector.
Example:
"Duo app for corp 2FA"
- Description
Add any text that describes the specific cloud app connector's function and meaning for the business.
Example:
"Corporate SaaS application to add 2FA on core business applications"
- API Hostname
Enter the "API hostname" value extracted from the Admin API application
Example (not a valid value to use)
api-4ef336ee.duosecurity.com
- Integration key
Enter the "Integration key" value extracted from the Admin API application
Example (not a valid value to use)
DIMMTT229W44DZMQCHIW
- Secret key
Enter the "Secret key" value extracted from the Admin API application
Example (not a valid value to use)
NqCCQjf33O22GGkkmmCk99cVVIGGaZ0t1dbpkeBM
- Click the "SAVE" button
Make sure the "STATUS" of the new Duo connector in the table is OK and green.
You are done!
Next Steps
Now you are ready to configure the events that will be sent to your SIEM/Splunk and the SkyFormation console from the SkyFormation connector you just added.
To learn more go to: How to: Configure A Cloud App Connector To Send Events To SIEM