eizieizi/duo-usersync

Cisco DUO User Sync Script

Table of Contents
  1. About the DUO User Sync Script
  2. Getting Started
  3. Usage
  4. Roadmap
  5. License
  6. Contact


About the DUO User Sync Script

Cisco DUO can synchronize users from an on-premises Active Directory into your own DUO tenant so that they are enrolled for multi-factor authentication automatically. DUO uses its own software, the "DUO Authentication Proxy", for this.

Unfortunately, when the proxy is used, the synchronization interval between the local Active Directory and DUO is hardcoded to 24 hours and cannot be changed. The only alternative is to trigger a manual sync in the DUO dashboard.

The DUO Admin API also does not offer a bulk synchronization of all users, as the directory configuration in the DUO web interface does. Instead, all users have to be downloaded from DUO, compared with the members of the local AD synchronization group, and a synchronization has to be triggered for each affected user individually.

The script is therefore used in combination with the DUO Authentication Proxy: it requests the synchronization of a single user through the DUO Admin API, and DUO then synchronizes that user from Active Directory through the Authentication Proxy.
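The per-user loop described above, written out as an added example that is not the project's sync.ps1. It is meant to be saved as a .ps1 and run on the proxy server with the RSAT AD DS tools installed. The API host, integration key, secret key, directory key and group DN are placeholders; the request signing (HMAC-SHA1 over date, method, host, path and sorted parameters, sent as HTTP Basic auth), the paginated user list and the per-user syncuser call follow the documented DUO Admin API, and the retry on HTTP 429 is the author's handling of DUO rate limiting:

```powershell
# Added example, not the project's sync.ps1: per-user DUO directory sync over the Admin API.
# Host, keys, directory key and group DN below are placeholders.
param(
    [string]$ApiHost        = 'api-xxxxxxxx.duosecurity.com',           # placeholder
    [string]$IntegrationKey = 'DIXXXXXXXXXXXXXXXXXX',                    # placeholder
    [string]$SecretKey      = 'placeholder-secret-key',                  # placeholder
    [string]$DirectoryKey   = 'placeholder-directory-key',               # placeholder
    [string]$GroupDN        = 'CN=Duo-Sync,OU=Groups,DC=example,DC=com', # placeholder
    [ValidateSet('samAccountName', 'UserPrincipalName')]
    [string]$UsernameFormat = 'samAccountName',
    [switch]$SyncRemovals   # also re-sync DUO users that left the group, so DUO can disable them
)

function Invoke-DuoAdminApi {
    param([string]$Method, [string]$Path, [hashtable]$Params = @{})
    # DUO request signing: sorted URL-encoded params, canonical string of date/method/host/path/params,
    # HMAC-SHA1 with the secret key, sent as Basic auth "integration key : hex signature".
    $pairs = foreach ($k in ($Params.Keys | Sort-Object)) {
        '{0}={1}' -f [Uri]::EscapeDataString($k), [Uri]::EscapeDataString([string]$Params[$k])
    }
    $canonParams = $pairs -join '&'
    $date  = [DateTimeOffset]::UtcNow.ToString('ddd, dd MMM yyyy HH:mm:ss +0000', [cultureinfo]::InvariantCulture)
    $canon = ($date, $Method.ToUpper(), $ApiHost.ToLower(), $Path, $canonParams) -join "`n"
    $hmac  = [System.Security.Cryptography.HMACSHA1]::new([Text.Encoding]::UTF8.GetBytes($SecretKey))
    $sig   = ($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($canon)) | ForEach-Object { $_.ToString('x2') }) -join ''
    $auth  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("${IntegrationKey}:${sig}"))
    # X-Duo-Date is DUO's alternative to the Date header, which some HTTP stacks refuse to set directly.
    $headers = @{ 'X-Duo-Date' = $date; Authorization = "Basic $auth" }
    $uri = "https://${ApiHost}${Path}"
    if ($Method -eq 'GET') {
        if ($canonParams) { $uri = "${uri}?${canonParams}" }
        $req = @{ Uri = $uri }
    } else {
        $req = @{ Uri = $uri; Body = $canonParams; ContentType = 'application/x-www-form-urlencoded' }
    }
    for ($attempt = 1; $attempt -le 5; $attempt++) {
        try {
            $r = Invoke-RestMethod -Method $Method -Headers $headers @req
            if ($r.stat -ne 'OK') { throw "DUO API error: $($r.message)" }
            return $r
        } catch {
            # HTTP 429 is DUO's rate-limit response: back off and retry; anything else is fatal.
            $code = [int]$_.Exception.Response.StatusCode
            if ($code -eq 429 -and $attempt -lt 5) { Start-Sleep -Seconds (5 * $attempt) } else { throw }
        }
    }
}

function Get-DuoUsernames {
    # Page through /admin/v1/users (at most 300 per call); metadata.next_offset is absent on the last page.
    $names  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $offset = 0
    do {
        $r = Invoke-DuoAdminApi -Method GET -Path '/admin/v1/users' -Params @{ limit = 300; offset = $offset }
        foreach ($u in $r.response) { [void]$names.Add($u.username) }
        $offset = $r.metadata.next_offset
    } while ($null -ne $offset)
    return ,$names   # leading comma keeps the set from being unrolled into an array
}

function Get-AdGroupUsernames {
    # Members of the sync group, in the username format configured in DUO.
    $names = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    Get-ADGroupMember -Identity $GroupDN -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser |
        ForEach-Object { [void]$names.Add($_.$UsernameFormat) }
    return ,$names
}

function Sync-DuoUser {
    param([string]$Username)
    # One API call per user; DUO then pulls that user's attributes through the Authentication Proxy.
    $r = Invoke-DuoAdminApi -Method POST -Path "/admin/v1/users/directorysync/${DirectoryKey}/syncuser" -Params @{ username = $Username }
    return $r.response.action   # action reported by DUO, e.g. user_created / user_updated
}

$duo = Get-DuoUsernames
$ad  = Get-AdGroupUsernames
$toSync = [System.Collections.Generic.List[string]]::new()
foreach ($n in $ad)  { if (-not $duo.Contains($n)) { $toSync.Add($n) } }      # new group members
if ($SyncRemovals) {
    foreach ($n in $duo) { if (-not $ad.Contains($n)) { $toSync.Add($n) } }   # users that left the group
}
"{0} DUO users, {1} group members, {2} to sync" -f $duo.Count, $ad.Count, $toSync.Count
foreach ($n in $toSync) {
    try   { "{0}: {1}" -f $n, (Sync-DuoUser -Username $n) }
    catch { "{0}: FAILED ({1})" -f $n, $_.Exception.Message }
}
```

Without -SyncRemovals only users that are in the AD group but not yet in DUO are synchronized; with it, users that are still in DUO but no longer in the group are re-synchronized as well, which assumes every user in the tenant is managed by this directory.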


Getting Started


To install the script, download the repository to the server on which the DUO Authentication Proxy is installed.

The script will create a folder called "usersync" in the default installation path of the DUO Authentication Proxy:

C:\Program Files\Duo Security Authentication Proxy\usersync

Afterwards, start PowerShell as administrator and change to the downloaded script directory.

Prerequisites

To give the script API access, an Admin API application has to be added in the DUO tenant. It is recommended to create a new application even if an Admin API application already exists, so that credentials and access rights stay separated: the secret key of an Admin API application authorizes every call made with it, so the new application should get only the permissions the script needs (reading users and triggering a per-user directory sync) and nothing else.

See the screenshot for the necessary permissions:

[Screenshot: Admin API application permissions]


Installation

The script has to be installed with the following parameter:

./sync.ps1 -install

This installs the RSAT AD DS tools and asks for the data the script needs to query the DUO API.

The following data is requested:

  • Hostname of the DUO API tenant
  • Admin API Integration Key
  • Admin API Secret Key
  • Directory Key of DUO
  • Distinguished Name of local AD Group to Sync
  • Username format in DUO (samAccountName or UserPrincipalName)
  • Automatic Sync Interval value

The Secret Key, Integration Key and Directory Key are stored encrypted on the filesystem. The values are encrypted with a key that is also stored on the filesystem, so this only protects against casual reading of the configuration, not against anyone who can read both files: the NTFS permissions of the usersync folder should be restricted to administrators and the account that runs the scheduled task. SecureString cannot be used for this because ConvertFrom-SecureString without -Key protects the value with DPAPI in the scope of the current user account, so a value saved by the installing administrator cannot be read by the scheduled task running under a different account.
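An alternative to keeping the encryption key on disk, added here as an example and not part of the project's installer: DPAPI in LocalMachine scope produces a blob that any account on this machine (including the scheduled task) can decrypt, so its confidentiality rests entirely on the file ACL, which the example therefore sets explicitly. The file name, the entropy value and the hashtable keys are assumptions:

```powershell
# Added example, not the project's own storage code: protect the three DUO values with
# DPAPI (LocalMachine scope) and restrict the blob to SYSTEM and Administrators.
Add-Type -AssemblyName System.Security   # ProtectedData on Windows PowerShell 5.1

$StoreFile = 'C:\Program Files\Duo Security Authentication Proxy\usersync\secrets.bin'  # assumed name
# Entropy is not a secret (it sits in this script); it only binds the blob to this application.
$Entropy = [Text.Encoding]::UTF8.GetBytes('duo-usersync-v1')   # assumed value

function Protect-DuoSecrets {
    param(
        [Parameter(Mandatory)][hashtable]$Secrets,   # e.g. @{ ikey = ...; skey = ...; dkey = ... }
        [string]$Path = $StoreFile
    )
    $plain = [Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject $Secrets -Compress))
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    [IO.File]::WriteAllBytes($Path, $blob)
    [Array]::Clear($plain, 0, $plain.Length)        # do not keep the plaintext around longer than needed

    # Machine-scope DPAPI is only as strong as the file ACL: drop inheritance and allow
    # just the principals that need to run the sync.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)      # disable inheritance, discard inherited rules
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($id, 'FullControl', 'Allow'))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Unprotect-DuoSecrets {
    param([string]$Path = $StoreFile)
    $blob  = [IO.File]::ReadAllBytes($Path)
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    return (ConvertFrom-Json -InputObject ([Text.Encoding]::UTF8.GetString($plain)))
}

# Installer side (run once as administrator):
#   Protect-DuoSecrets -Secrets @{ ikey = 'DI...'; skey = '...'; dkey = '...' }
# Scheduled-task side (works as SYSTEM or any other local account allowed to read the file):
#   $s = Unprotect-DuoSecrets; $s.ikey
```

If the scheduled task is later moved off NT AUTHORITY\SYSTEM to a dedicated service account, that account has to be added to the ACL above; the DPAPI blob itself does not need to be re-created.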

The script will install a scheduled task for automatic synchronization. When the installation has finished, the script has copied itself to the

C:\Program Files\Duo Security Authentication Proxy\usersync

location. The downloaded folder from which the installer was started can then be deleted.


Usage

A sync can also be triggered manually:

./sync.ps1 -ManualSync

Every run of the script is logged to

C:\Program Files\Duo Security Authentication Proxy\usersync\sync-log.txt


Roadmap

  • Add Readme
  • Try the script in a bigger scope with more users to see if any problems occur (API rate limit, pagination, ...)
  • Find a way to run the scheduled task under a less privileged account than NT AUTHORITY\SYSTEM

See the open issues for a full list of proposed features (and known issues).


License

Distributed under the MIT License. See LICENSE.txt for more information.


Contact

Max Eizenberger - max.eizenberger@nts.eu
