Two-Factor Authentication for PeopleSoft using Duo Authentication Proxy
Duo integrates with your PeopleSoft application to add two-factor authentication to portal logins by protecting LDAP connections. In this type of configuration, users will receive an automatic push or phone call back during login. Users who need to use a passcode have the option to append it to their existing password when logging in. This configuration doesn’t support self-service enrolment. You’ll need to create your users in Duo ahead of time using one of our other enrolment methods, like directory sync or Duo integrates with your PeopleSoft application to add two-factor authentication to portal logins by protecting LDAP connections. In this type of configuration, users will receive an automatic push or phone call back during login. Users who need to use a passcode have the option to append it to their existing password when logging in.
This configuration doesn’t support self-service enrollment. You’ll need to create your users in Duo ahead of time using one of our other enrollment methods, like directory sync.
First Steps
You should already have a working primary LDAP authentication configuration for your PeopleSoft environment users before you begin to deploy Duo.
To integrate Duo with your PeopleSoft environment, you will need to install a local Duo proxy service on a machine within your network. This Duo proxy server will receive incoming LDAP requests from your PeopleSoft environment, contact your existing local LDAP/AD server to perform primary authentication, and then contact Duo’s cloud service for secondary authentication.
Locate (or set up) a system on which you will install the Duo Authentication Proxy. The proxy supports these operating systems:
Then you’ll need to:
- Sign up for a Duo account.
- Log in to the Duo Admin Panel and navigate to Applications.
- Click Protect an Application and locate LDAP Proxy in the applications list. Click Protect to get your integration key, secret key, and API host name. You’ll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
Install the Duo Authentication Proxy on Windows
The Duo Authentication Proxy can be installed on a physical or virtual host. We recommend a system with at least 1 CPU, 200 MB disk space, and 4 GB RAM (although 1 GB RAM is usually sufficient).
- Download the most recent Authentication Proxy for Windows from https://dl.duosecurity.com/duoauthproxy-latest.exe. Note that the actual filename will reflect the version e.g. duoauthproxy-5.5.0.exe. View checksums for Duo downloads here.
- Launch the Authentication Proxy installer on the target Windows server as a user with administrator rights and follow the on-screen prompts.
Configure the Proxy
After the installation completes, you will need to configure the proxy.
The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation. With default installation paths,for proxy version v5.0.0 and later, the proxy configuration file will be located at:
C:Program FilesDuo Security Authentication Proxyconfauthproxy.cfg
Start the Proxy
Open an Administrator command prompt and run:
net start DuoAuthProxy
Alternatively, open the Windows Services console (services.msc
), locate “Duo Security Authentication Proxy Service” in the list of services, and click the Start Service button.
Authentication Proxy v5.1.0 and later includes the authproxyctl
executable, which shows the connectivity tool output when starting the service. The installer adds the Authentication Proxy C:Program FilesDuo Security Authentication Proxybin
to your system path automatically, so you should not need to specify the full path to authproxyctl
to run it.
From an administrator command prompt run:
authproxyctl start
If the service starts successfully, Authentication Proxy service output is written to the authproxy.log file, which can be found in the log
subdirectory.
net stop DuoAuthProxy& net start DuoAuthProxy
To stop and restart the Authentication Proxy using authproxyctl, from an administrator command prompt run:
authproxyctl restart
If you modify your authproxy.cfg
configuration after initial setup, you’ll need to stop and restart the Duo Authentication Proxy service or process for your change to take effect.
Configure the LDAP Directory in PeopleSoft
- Access the “Configure Directory – Directory Setup” page (select “PeopleTools”, then select “Security”, then select “Directory”, then select “Configure Directory” and click the “Directory Setup” tab).
- Enter the following information:
Description | Enter a name for the Duo LDAP directory. |
Directory Product | Select ‘Microsoft Active Directory’ in the drop-down list. |
Default Connect DN | Enter the distinguished name of the service account used to bind to your Duo Authentication Proxy. This should match the DN configured as exempt_ou_1 in the Authentication Proxy LDAP configuration above. |
Password | The service account password. |
LDAP Server | The IP address or fully qualified DNS host name of your Duo Authentication Proxy server. |
Port | Duo Authentication Proxy server port for incoming LDAP requests. Default port is ‘389’ for CLEAR and STARTTLS and ‘636’ for LDAPS. If using STARTTLS or LDAPS then the ssl_cert_path and ssl_key_path options must be configured in the Authentication Proxy LDAP configuration above. |
Network Diagram
- Primary authentication initiated to PeopleSoft portal.
- PeopleSoft sends an authentication request to Duo Security’s authentication proxy.
- Primary authentication using Active Directory
- Duo authentication proxy connection established to Duo Security over TCP port 443
- Secondary authentication via Duo Security’s service
- Duo authentication proxy receives the authentication response
- PeopleSoft access granted