keycloak-duo-spi

Keycloak integration for Duo Security MFA (https://duo.com/). Provides an authentication execution for Keycloak that presents a Duo iframe, to be used after primary authentication.

Build

You may need to modify the Keycloak versions in the pom.xml to correspond to yours. I'm using 3.4.3.Final.

$ mvn clean test install

Install

(assumes Keycloak is installed to /opt/keycloak)

$ cp target/keycloak-duo-spi-jar-with-dependencies.jar /opt/keycloak/standalone/deployments/
$ cp src/main/duo-mfa.ftl /opt/keycloak/themes/base/login/duo-mfa.ftl
# restart keycloak

Configure

You need to add Duo as a trusted frame-able source in the Keycloak Content Security Policy, for example: Content-Security-Policy: frame-src https://*.duosecurity.com/ 'self'; ...

(Screenshot: csp-example)

Since you can't modify the default Authentication Flows, make a copy of Browser. Add Duo MFA as an execution under Browser Forms.

(Screenshot: flow-example)

When you hit Config you can enter your Duo ikey, skey, and apihost (get these from duo.com by adding a Web SDK app).

Then make sure to bind your Copy of Browser flow to the Browser Flow (on the Bindings tab).
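To check the Content-Security-Policy step above, the following added example (not part of this project's code) parses a CSP header value and reports whether the directive that governs frames permits the Duo iframe without being wider than needed. The Keycloak origin, the Duo API host placeholder and the sample header value are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

FALLBACK = ("frame-src", "child-src", "default-src")  # CSP3 fallback order for frames
BROAD = {"*", "https:", "http:"}  # sources that admit any host

def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # first occurrence of a directive wins, as in browsers
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_allows(source, url, self_origin):
    """True if one source expression permits framing url (ports and paths ignored)."""
    target = urlsplit(url)
    if source == "'self'":
        own = urlsplit(self_origin)
        return (own.scheme, own.netloc) == (target.scheme, target.netloc)
    if source in BROAD:
        return source == "*" or source == target.scheme + ":"
    if source.startswith("'"):
        return False  # 'none' and other keywords never match a host
    pattern = urlsplit(source if "://" in source else "//" + source)
    if pattern.scheme and pattern.scheme != target.scheme:
        return False
    host, target_host = pattern.hostname or "", target.hostname or ""
    if host.startswith("*."):  # wildcard covers subdomains only, not the apex
        return target_host.endswith(host[1:])
    return host == target_host

def audit_frame_policy(value, duo_url, self_origin):
    """Report which directive governs frames and what it lets through."""
    policy = parse_csp(value)
    name = next((d for d in FALLBACK if d in policy), None)
    sources = policy.get(name, [])
    def allowed(url):  # with no governing directive, framing is unrestricted
        return name is None or any(source_allows(s, url, self_origin) for s in sources)
    return {"directive": name, "duo_allowed": allowed(duo_url),
            "self_allowed": allowed(self_origin),
            "too_broad": name is None or any(s in BROAD for s in sources)}

if __name__ == "__main__":
    # Constructed sample values; substitute your realm's header and Duo API host.
    header = "frame-src https://*.duosecurity.com/ 'self'; frame-ancestors 'self'; object-src 'none';"
    print(audit_frame_policy(header, "https://api-XXXXXXXX.duosecurity.com",
                             "https://keycloak.example.com"))
```

A result with duo_allowed false means the browser will refuse to render the Duo iframe; too_broad true means the policy was loosened further than the Duo integration requires.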

Contributing

If you are interested in contributing some code to this project, thanks! Please first read and accept the Contributors Agreement.