How to Integrate Okta with Duo Authenticator Universal Prompt
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

Cisco Duo is a Multi-Factor Authentication (MFA) and security platform that enhances digital access security by requiring users to provide multiple forms of verification before they can access systems, applications, and data. The Universal Prompt offers a simplified Duo experience compared to the traditional prompt, enabling faster login to applications.

This article introduces how to implement the Duo Universal Prompt with Okta.

Applies To
  • Multi-Factor Authentication (MFA)
  • Cisco Duo - Universal Prompt
  • OpenID Connect IDP
Solution

Adding Duo Universal Prompt as an available authenticator to allow end-users to leverage Duo MFA involves setting up a custom OIDC IdP authenticator. Once this is configured, this authenticator can be assigned to users in the enrollment policy, and users can choose to use the Identity Provider for an added verification step. When selected, users will be taken to the Identity Provider to complete the verification instead of using a different non-password method like Okta Verify.

To get started, Admins will need to ensure their Duo account is properly configured to integrate with Okta. For detailed instructions, reference Duo's documentation here: Duo Multifactor for Okta.

Follow the steps or video below.


A. Collect API info from the Duo Admin panel

  1. Log in to the Duo admin panel and click Protect an Application > Okta OR select the existing Okta integration from the integrations list.
  2. At the top of the details page, note the Integration Key, Secret Key and API Hostname.


  • NOTE: Once authenticated against the new setup, the Integration Key and Secret Key labels in the Duo admin panel will be renamed to Client ID and Client Secret, respectively.


B. Create an OIDC factor in the Okta admin panel

  1. To create a custom OIDC factor via the Okta Admin UI, navigate to Security > Identity Providers and choose the option to "Add Identity Provider".
  2. Next, choose the OpenID Connect IDP identity provider.
  3. Next, use the examples below to configure the IDP for Duo.


C. Okta OIDC IDP configuration for Duo:

General Settings

  1. Name: How this OIDC integration should be called in the Okta admin UI.
  2. IdP usage: Factor Only.
  3. Client ID: Duo Integration Key.
  4. Client Secret: Duo Secret Key.
  5. Remove the email and profile scopes by clicking the X (do not remove the openid scope).

Endpoints: (API hostname from the Duo Admin panel is used in all of the fields)

  1. Issuer: https://<Duo API hostname>/oauth/v1/token
  2. Authorization endpoint: https://<Duo API hostname>/oauth/v1/authorize
  3. Token endpoint: https://<Duo API hostname>/oauth/v1/token
  4. JWKS endpoint: https://<Duo API hostname>/frame/<Duo integration key>/.well-known/jwks.json (Duo integration key from the admin panel).
  5. Save the changes by clicking Add Identity Provider.
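
The settings in section C can be checked before saving with a short script. This is an added example, not code from Okta or Duo: it rebuilds the four endpoint URLs from the Duo API hostname and integration key and reports any value that deviates. The `cfg` field names are hypothetical and the host and key values are constructed placeholders.

```python
from urllib.parse import urlsplit

def expected_endpoints(api_host, integration_key):
    """Endpoint values from section C, built from the two Duo values."""
    base = f"https://{api_host}"
    return {
        "issuer": f"{base}/oauth/v1/token",
        "authorization_endpoint": f"{base}/oauth/v1/authorize",
        "token_endpoint": f"{base}/oauth/v1/token",
        "jwks_endpoint": f"{base}/frame/{integration_key}/.well-known/jwks.json",
    }

def audit_duo_idp(cfg, api_host):
    """Return findings; an empty list means cfg matches section C.

    cfg uses hypothetical field names for the values typed into the form.
    """
    findings = []
    # The JWKS path embeds the integration key, which is also the Client ID.
    want = expected_endpoints(api_host, cfg.get("client_id", ""))
    for field, url in want.items():
        got = cfg.get(field, "")
        parts = urlsplit(got)
        if parts.scheme != "https":
            findings.append(f"{field}: not an https URL")
        elif parts.hostname != api_host.lower():
            findings.append(f"{field}: host is not the Duo API hostname")
        elif got != url:  # exact match: catches a pasted trailing '.' or '/'
            findings.append(f"{field}: expected {url}")
    if cfg.get("idp_usage") != "Factor Only":
        findings.append("idp_usage: expected 'Factor Only'")
    if sorted(cfg.get("scopes", [])) != ["openid"]:
        findings.append("scopes: expected only 'openid'")
    return findings

# Constructed sample values (placeholders, not real Duo credentials).
HOST = "api-example.duosecurity.invalid"
GOOD = dict(expected_endpoints(HOST, "DIEXAMPLEKEY"), client_id="DIEXAMPLEKEY",
            idp_usage="Factor Only", scopes=["openid"])
BAD = dict(GOOD, issuer=f"https://{HOST}/oauth/v1/token.",
           jwks_endpoint=f"https://{HOST}/frame/OTHERKEY/.well-known/jwks.json",
           scopes=["openid", "email", "profile"])

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_duo_idp(cfg, HOST) or "ok")
```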


D. The Okta IDP ID is required for the API calls in the next section

On the Okta Identity Providers screen, click the caret to expand the newly created IDP, then copy the IDP ID.
