Duo

Duo is a user-centric access security platform that provides integrated two-factor authentication (2FA) within Rippling. Duo’s modern access security is designed to safeguard all users, devices, and applications. As an integrated service within Rippling, Duo can be used to manage time-generated access codes, SMS-based verification codes, and notification-based authentication.

Duo is provided directly within the Rippling product as an optional two-factor authentication service provider. Rippling’s Duo integration also supports API-based user provisioning to ensure full management of your users’ 2FA access from on-boarding to off-boarding.

With Duo, administrators gain more control and oversight of their user access management policies.

Integration Overview:

  • Utilize Duo as a 2FA Provider within Rippling
  • Manage your Duo accounts with API-based Provisioning and Deprovisioning

Duo’s 2FA in Rippling

What information do I need from Duo?

In order to connect your organization’s Duo account to Rippling for 2FA, the following items are required from your Duo Partner Auth API credentials. Instructions to retrieve these credentials can be found in the next section.

  • Auth API Integration Key
  • Auth API Secret Key
  • Auth API Hostname

How do I configure Duo for 2FA within Rippling?

First, log in to Rippling as an administrator for your organization. Once logged in, proceed to your ‘Company Settings’ tab and then ‘Security’. You will need to add 2FA Method Data for Duo from the ‘Security’ tab.

Please note, you will need to provide your Partner Auth API credentials from Duo to their respective fields within Rippling.

To access these values, you can generate a new Partner Auth API key or retrieve pre-existing credentials. Log in to your Duo account as an administrator of your Duo organization and select ‘Applications’.

Once on the ‘Applications’ tab, you will be able to see your available API keys. Additionally, you can create a new API key by selecting ‘Protect an Application’. Within the application options, search for ‘Partner Auth API’.

Selecting ‘Protect’ will generate a new set of Partner Auth API credentials that can be used for 2FA within Rippling. Once you have selected or generated the appropriate Application credentials, copy the fields mentioned below using the ‘select’ button next to their values. This will ensure you copy the entire value.

Optional: If you’d like, rename the API credentials to ‘Rippling 2FA Credentials’. This can be helpful to identify the credentials later on.

Once you’ve copied the values, provide them to their corresponding fields within Rippling to enable the integrated use of Duo for 2FA.

Once you have configured your Duo account, you will need to add a Custom Policy for the use of Duo as an authentication mechanism.

From your ‘Authentication Settings’ page, modify your ‘Selected Authentication Policy’ to Custom Policy. Then ‘Add a custom rule’ to create a Duo Authentication Rule. Rippling provides a number of authentication setting options. Please create your authentication policy with the desired configuration.

Once you’ve saved your policy, your affected employees (those included within the authentication policy’s settings) will be directed to enroll in your Duo account for 2FA through Duo’s enrollment flow.

How is Duo used for 2FA?

Rippling leverages Duo for three primary 2FA protocols.

  1. Push Notifications: Duo Push allows users to authenticate by tapping ‘Approve’ on a push notification sent to their phones.
  2. Time-Based One-Time Passcodes: Time-Based One-Time Passcodes are used to let users protect their accounts with a mobile-generated passcode that must be entered manually and will expire after a certain period of time.
  3. SMS Codes: SMS codes allow for users without Internet connectivity to authenticate using Duo’s SMS passcode option.

How do my employees enable Duo 2FA?

Your employees will enable Duo 2FA upon sign-in once you have configured the Duo Custom Policy within your ‘Company Settings’. If your users do not have a Duo account, they will be asked to enroll in Duo. Once your users have completed the enrollment flow, they will be prompted to download the Duo App. This allows for Time-Based One-Time Passcode authentication. Users can choose any of the available options for authentication, such as Time-Based One-Time Passcodes, Push Notifications, and SMS codes. Once the application has been downloaded, your employees can select the type of 2FA desired, depending on the custom rule you have created for your company’s authentication settings.

How do I change my Duo 2FA Configuration?

At any point in time, you can edit your Duo 2FA Partner Auth API credentials to a new set of credentials from ‘Company Settings’ > ‘Security’ > ‘2FA Method Data’ > Edit.

Additionally, you can remove, add, or otherwise manage your custom Authorization rules from ‘Company Settings’ > ‘Security’ > ‘Authentication Settings’.

Provisioning your Duo account from Rippling

What information do I need from Duo?

In order to connect your organization’s Duo account to Rippling for provisioning, the following items will be required for a Duo Admin API.

  • Admin API Integration Key
  • Admin API Secret Key
  • Admin API Hostname

How do I enable Duo for provisioning on Rippling?

To enable Duo for Rippling provisioning, you will need to retrieve Duo Admin API credentials. You can either generate a new Admin API key or retrieve pre-existing credentials. To do this, please log in to your Duo account as an administrator for your Duo organization’s account and select ‘Applications’.

Once on the ‘Applications’ tab, you should be able to see your available API keys, along with the option to create a new API key by selecting ‘Protect an Application’.

To generate a new Admin API key, select ‘Protect an Application’. You will be brought to a list of supported applications. Within the applications options, search for ‘Admin API’.

Once you have selected or generated the appropriate Application credentials, copy the fields mentioned below using the ‘select’ button next to their values. This will ensure you copy the entire value. Then paste them within Rippling during the integration connection flow.

Optional: If you’d like, rename the API credentials to ‘Rippling Admin Provisioning Credentials’. This can be helpful to identify the credentials later on.

Managing Duo Licenses

Duo licenses are assigned automatically based on the authentication setting policies that you’ve defined within Rippling. You should ensure that you purchase the intended number of licenses. When you enable Rippling’s provisioning integration with Duo, you are also able to remove users from your Duo organization, resulting in the permanent removal of those employees’ accounts.

If you do not use the Rippling provisioning integration with Duo, you need to ensure that users are deleted directly within Duo when you off-board them. This is to ensure that off-boarded users no longer have access to your company’s applications, nor incur charges on your account.
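When off-boarding is handled manually, a periodic reconciliation catches Duo accounts that were never deleted. The following is an added example, not part of Rippling's or Duo's own tooling; the record layouts, field names and sample data are constructed, and the status values 'active', 'bypass' and 'disabled' are assumed to match what your Duo user export contains.

```python
# Added example: reconcile an HR roster against a Duo user export to find
# accounts that should have been deleted at off-boarding.
# Field names and sample records are constructed for illustration.

ROSTER = [  # constructed HR export: work email + employment status
    {"email": "ana@example.com", "employment": "active"},
    {"email": "ben@example.com", "employment": "terminated"},
    {"email": "cy@example.com", "employment": "terminated"},
    {"email": "dee@example.com", "employment": "active"},
]

DUO_USERS = [  # constructed Duo export: username, email, status
    {"username": "ana", "email": "Ana@Example.com", "status": "active"},
    {"username": "ben", "email": "ben@example.com", "status": "active"},
    {"username": "cy", "email": "cy@example.com ", "status": "disabled"},
    {"username": "svc-old", "email": "old@example.com", "status": "bypass"},
]


def norm(email):
    """Case- and whitespace-insensitive key for matching across systems."""
    return (email or "").strip().lower()


def find_stale_duo_accounts(roster, duo_users):
    """Return (username, reason) for Duo accounts without an active employee."""
    employment = {norm(r["email"]): r["employment"] for r in roster}
    findings = []
    for user in duo_users:
        state = employment.get(norm(user["email"]))
        if state == "active":
            continue
        who = "no matching employee" if state is None else f"employee is {state}"
        if user["status"] == "disabled":
            # Blocked from authenticating, but the account still exists in Duo.
            findings.append((user["username"], f"{who}; disabled, not yet deleted"))
        else:
            findings.append((user["username"], f"{who}; status '{user['status']}' is still usable"))
    return findings


if __name__ == "__main__":
    for username, reason in find_stale_duo_accounts(ROSTER, DUO_USERS):
        print(f"{username}: {reason}")
```

Accounts with no matching employee at all (such as the constructed `svc-old` record) deserve the same review as off-boarded ones, since nothing in the HR system will ever trigger their removal.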

What if someone loses access to their Duo 2FA source?

There are two options when an employee loses access to their Duo 2FA device.

  1. If your employees lose access to their source of Duo 2FA (e.g. they lose their phone) you are able to delete the user’s account from directly within Duo. After you’ve deleted the user’s account, invite the user to join the organization again from within Duo. The user will then be taken through the enrollment flow.
  2. If your organization has installed the Duo provisioning application directly within Rippling, you can reset accounts from the application ‘Overview’ tab.

Can I block an employee’s Duo access manually?

Yes, you can block an employee’s Duo access manually. To do this, please go to the Duo web application for your organization and select the specific user. You can then set the user’s status to ‘Disabled’ to automatically deny access for the employee.

How do I create Duo accounts for employees?

  1. Users will be automatically created within Duo when they log in to Rippling, so long as they meet the criteria of your company’s authentication policy and you have enabled Duo as a 2FA Custom Policy for your organization.
  2. Users can be created within the Duo provisioning application on Rippling, based on their employee attributes and the custom rules you have set for Duo account access.