Cisco DUO MFA for SIS

The end user experience

1. The user will enter their username and password as usual.  
2. After clicking the logon button, they will be redirected to DUO security to perform another factor of authentication.  This may be a DUO Push, a request for a 6 digit password or any other additional authentication factor that DUO has available.
3. When the user successfully completes the additional factor in DUO, DUO will redirect the user back to Genesis.

Buzz words

• Cisco DUO - Provides Multi Factor Authentication to other applications as a service.
• OIDC – OpenID Connect.  This is the protocol / standard that is used by Genesis to communicate with Cisco DUO to hand off the Multi Factor Authentication process.   OIDC is an extension to the OAuth 2 protocol that defines the mechanisms for Authentication. 
• https://openid.net/connect/
• OAuth 2.0 – OAuth 2.0 is the industry-standard protocol for authorization.  https://oauth.net/2/

Setup Process overview

• Create the Genesis Applications in DUO
• Configure Genesis to use the DUO MFA applications as OIDC Providers.
• Setup Genesis for MFA
• Setup individual Users to use the DUO MFA.

Create the Genesis Application in DUO

The following steps will not affect users logging into Genesis SIS.

1. Log into DUO as an administrator.
2. In the left panel, choose the Applications link.
3. Click the Protect an Application button or the Protect an Application link.
4. Click the Protect button for the Web SDK application in the list of applications.
5. Go to the Settings section and change the name of the application from Web SDK to Genesis SIS.

Configure Genesis to use the DUO MFA application as an OIDC Provider.

The following steps will not affect users logging into Genesis SIS.

1. Log into Genesis as an Administrator
2. Go to the Setup -> Security -> Single Sign-on and MFA -> Providers screen.
3. Click the Add Providerbutton. 
   1. Code: DUO_MFA_STAFF 
   2. Provider: Cisco DUO
   3. Description: DUO MFA
   4. Type: Multi-Factor Authentication
   5. Client Id: Copy and paste these fields from the Genesis application setup screen.
   6. Client Secret: Copy and paste these fields from the Genesis application setup screen.
   7. Click the Add button
   8. 
4. On the modify DUO_MFA_STAFF page, make the following changes: 
   1. Click the Enabled for Genesis checkbox
   2. Change the DNS name in the end point from https://CHANGEME.duosecurity.com to the one in the API hostname field in the Genesis application setup screen in DUO.
5. 

Configuring the public call back URLs

On the Edit Provider screen, there is an Important Information notecard.

If the URLs are displaying a warning icon, then click on the Logon Screen Settings to configure and test these URLs.

In the screen shot below, you will notice that the top 3 fields are blank.    Click the "Auto Set...." button and the fields will automatically be filled in with the best guess to your public URL (60% of the time it works every time).

Once the URLS are set, test buttons will appear next to them.   Clicking on them will open a new tab to and you should see a typical Genesis / Parents / Students logon screen.

Testing Connectivity between Genesis and DUO

Basic connectivity

Navigate back to the modify provider screen.

Click the Send OAuth 2.0 Ping button.   This will send a basic test ping to Cisco DUO.  You should get this as a response:

If you are not getting that as a response, the most likely problem is that a firewall in your organization is blocking the request to DUO.  Do not advance to the next step until this is working.

API Configuration Test

Click the DUO Health Check button.   This will send a more advanced ping that validates the application id and secret part of the protocol connection.

If you are not getting that as a response, the most likely problem is that one of the values in the Client Id, Client Secret or URL End Point Root is incorrect.  Do not advance to the next step until this is working.

Configuring Genesis Users to use DUO for MFA

Choose a user to test the MFA with Cisco DUO from the Setup -> Security -> Users screen.

Do not choose the user you are currently logged in as, you do not want to accidentally lock yourself out of the system if the feature is not setup correct;y.

Change the External MFA Provider drop down to the DUO MFA option and click save.

Be sure the Email field has the email address of a valid user in DUO.  If it is blank, the logon id will be used instead.

Using a different browser (or log out of your current session); attempt to login as this user.

Unable to log into Genesis using DUO 

WARNING: Not compatible with OAuth2

<CookieProcessor sameSiteCookies="strict" />