Cisco DUO can synchronize internal users from Active Directory into your own DUO tenant, so that users are enrolled for multi-factor authentication automatically. DUO uses its own software, the "DUO Authentication Proxy", for this.
Unfortunately, when the proxy is used, the synchronization interval between the local Active Directory and DUO is hardcoded to 24 hours and cannot be changed. The only alternative is to trigger a manual sync in the Dashboard.
The DUO API also does not offer a bulk synchronization of all users like the directory configuration in the DUO GUI does. Instead it is necessary to download all users from DUO, compare them with the local users in the AD synchronization group, and trigger the synchronization for each user individually.
This script is therefore used together with the DUO Authentication Proxy: it triggers the synchronization of a single user via the DUO API, and DUO in turn synchronizes that user through the Authentication Proxy.
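The per-user approach described above, as an added example that is not the project's own sync.ps1: it signs DUO Admin API requests, pages through all DUO users, intersects them with the members of the local AD sync group, and triggers a directory sync for each match. All values at the top (API hostname, integration key, secret key, directory key, group DN) are placeholders, and the Admin API application is assumed to have read access to users and the directory sync permission.

```powershell
# Added example, not the project's sync.ps1. Replace every placeholder before running.
$apiHost      = 'api-XXXXXXXX.duosecurity.com'              # placeholder API hostname
$ikey         = 'PLACEHOLDER_INTEGRATION_KEY'                # placeholder Admin API integration key
$skey         = 'PLACEHOLDER_SECRET_KEY'                     # placeholder Admin API secret key
$directoryKey = 'PLACEHOLDER_DIRECTORY_KEY'                  # placeholder DUO directory key
$groupDn      = 'CN=Duo-Sync,OU=Groups,DC=example,DC=local'  # placeholder AD sync group
$format       = 'UserPrincipalName'                          # or 'samAccountName', as configured in DUO

function Invoke-DuoAdminApi {
    param([string]$Method, [string]$Path, [hashtable]$Params = @{})
    # DUO signs each request over: date, METHOD, host, path, sorted url-encoded params (HMAC-SHA1)
    $date  = [DateTime]::UtcNow.ToString('r')
    $query = ($Params.GetEnumerator() | Sort-Object Name | ForEach-Object {
        '{0}={1}' -f [uri]::EscapeDataString($_.Name), [uri]::EscapeDataString([string]$_.Value) }) -join '&'
    $canon = "$date`n$($Method.ToUpper())`n$($apiHost.ToLower())`n$Path`n$query"
    $hmac  = [System.Security.Cryptography.HMACSHA1]::new([Text.Encoding]::UTF8.GetBytes($skey))
    $sig   = -join ($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($canon)) | ForEach-Object { $_.ToString('x2') })
    $headers = @{
        'X-Duo-Date'  = $date   # DUO accepts X-Duo-Date; 'Date' is a restricted header in Windows PowerShell
        Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("$ikey`:$sig"))
    }
    if ($Method -eq 'GET') {
        $uri = "https://$apiHost$Path"; if ($query) { $uri += "?$query" }
        return Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    }
    return Invoke-RestMethod -Method $Method -Uri "https://$apiHost$Path" -Headers $headers `
        -ContentType 'application/x-www-form-urlencoded' -Body $query
}

# 1. Collect every DUO username, following metadata.next_offset until no further page is reported
$duoUsers = @{}; $offset = 0
do {
    $page = Invoke-DuoAdminApi -Method GET -Path '/admin/v1/users' -Params @{ limit = 300; offset = $offset }
    foreach ($u in $page.response) { $duoUsers[$u.username.ToLower()] = $true }
    $offset = $page.metadata.next_offset
} while ($offset)

# 2. Members of the local AD sync group, rendered in the username format DUO was configured with
Import-Module ActiveDirectory
$adNames = Get-ADGroupMember -Identity $groupDn -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties UserPrincipalName |
    ForEach-Object { "$($_.$format)".ToLower() } | Where-Object { $_ }

# 3. Trigger a per-user directory sync only for group members that already exist in DUO;
#    members missing from DUO are reported so the next full or manual sync can be checked
foreach ($name in $adNames) {
    if ($duoUsers.ContainsKey($name)) {
        $r = Invoke-DuoAdminApi -Method POST -Path "/admin/v1/users/directorysync/$directoryKey/syncuser" -Params @{ username = $name }
        "$name : $($r.stat)"
    } else { "$name : not in DUO yet" }
}
```

Each sync call counts against the Admin API rate limit, so on a large group the loop is where throttling (HTTP 429) would first show up.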
To install the script, download the repository to the server where the DUO Authentication Proxy is installed.
The script will create a folder called "usersync" in the default path of the DUO Authentication Proxy:
C:\Program Files\Duo Security Authentication Proxy\usersync
Afterwards, start a PowerShell as administrator and change to the downloaded script directory.
To give the script API access, an Admin API application has to be created in the DUO tenant. It is recommended to create a new application even if an Admin API application already exists, so that credentials and access rights stay separated.
See the Screenshot for the necessary permissions:
The script has to be installed with the following parameter:
./sync.ps1 -install
This will install the RSAT AD DS Tools and ask for the data the script needs to query the DUO API.
The following data is queried:
- Hostname of the DUO API tenant
- Admin API Integration Key
- Admin API Secret Key
- Directory Key of DUO
- Distinguished Name of local AD Group to Sync
- Username format in DUO (samAccountName or UserPrincipalName)
- Automatic Sync Interval value
The API Key, Integration Key and Directory Key are stored encrypted on the filesystem. The values are encrypted with a key that is also stored on the filesystem, so the protection of these secrets rests on the file permissions of that directory. SecureString cannot be used because its on-disk form is tied to the user account that created it, which prevents an automatic sync from a scheduled task.
The script will install a scheduled task to allow automatic synchronization. After the installation is finished, the script has copied itself to the
C:\Program Files\Duo Security Authentication Proxy\usersync
location. The downloaded folder in which the installer was started can then be deleted.
It's also possible to trigger a sync manually:
./sync.ps1 -ManualSync
Every run of the script is logged to
C:\Program Files\Duo Security Authentication Proxy\usersync\sync-log.txt
- Add Readme
- Try the script in a bigger scope with more users to see whether any problems occur (API rate limit, pagination, ...)
- Think about a solution that avoids running the scheduled task as NT AUTHORITY\SYSTEM
See the open issues for a full list of proposed features (and known issues).
Distributed under the MIT License. See LICENSE.txt for more information.
Max Eizenberger - max.eizenberger@nts.eu