Better Living Through Narratology

Connect AWS SSO to Duo MFA

AWS Single Sign-On (SSO) lets you connect one directory / user store to many applications and AWS accounts.  The benefit is obvious once you start piling up accounts and apps, but the AWS documentation on configuring it is a little vague, so I thought I’d throw this out there for whoever it might help.

My MFA solution is Duo.  I often use Google Authenticator, but one of the requirements for MFA in my situation is to run a RADIUS server.  AWS SSO can be configured in many ways, but for the purposes of this article, I’m using an AWS AD Connector to connect to AWS Managed Microsoft AD.  I’ll assume that:

  1. You know your AD.
  2. You are mildly familiar with Duo and the Duo Authentication Proxy.
  3. You have established network connectivity from the VPC where your AD Connector lives to the RADIUS / Duo server (VPC peering, Direct Connect, etc.).
  4. You have generated a RADIUS shared secret to be used between the Duo proxy and AWS.  The same string goes into both sides, and it is the only thing protecting the MFA code in transit, so make it long and random rather than a memorable word.

Let’s get right to it!

AWS CONFIG

View the AD Connector that is associated with your SSO service.  The Directory Service console shows two IP addresses for it, one per subnet; these are the source addresses of every RADIUS request AWS will send, so they must be able to reach your RADIUS / Duo server.

Find or create the Security Group that protects your RADIUS / Duo server.  Add an Inbound Rule that allows UDP 1812 from the first AD Connector IP address as a /32, then a second rule for the other AD Connector address.  Do not open 1812 to the whole VPC; the proxy should only ever hear from those two addresses.  Security groups are stateful, so no outbound rule is needed for the replies.  Make sure this Security Group is applied to the EC2 instance running your RADIUS / Duo server, and take note of that server’s private IP address because you’ll need it soon.

Now that your AD Connectors are allowed to speak to the RADIUS / Duo server, let’s take a look at the Duo config.

DUO CONFIG

AWS Directory Service only acts on the RADIUS answer: Access-Accept or Access-Reject.  It has already validated the user’s AD password against your domain before it sends the request, so the Duo proxy never needs to see that password and needs no ad_client section; the User-Password attribute in the request carries the second factor instead (a Duo passcode, or a factor name such as push).  Duo calls this Duo Only authentication, and their documentation covers it well.  Two things worth knowing before you copy the config: the proxy’s default is failmode=safe, which lets a login through if Duo’s cloud service cannot be reached, so set failmode=secure in the [radius_server_duo_only] section if you would rather fail closed; and PAP obfuscates the MFA code with an MD5 keystream derived from the shared secret, which is why that secret should be long and random.  Our authproxy.cfg will look something like this:

[duo_only_client]
; No primary-auth settings here: AWS has already checked the AD password.

[radius_server_duo_only]
; Credentials of the application you created for this integration in the Duo Admin Panel
ikey=WhateverYourIntegrationKeyIs
skey=WhateverYourSecretKeyIs
api_host=api-yourcodehere.duosecurity.com
; One radius_ip / radius_secret pair per AD Connector address; both use the same shared secret
radius_ip_1=AD Connector #1 IP address
radius_ip_2=AD Connector #2 IP address
radius_secret_1=YourSecretKey
radius_secret_2=YourSecretKey
port=1812
client=duo_only_client
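To make the Duo Only exchange concrete, here is an added example (my own stdlib-only code, not Duo’s or AWS’s) that builds the PAP Access-Request the way AWS Directory Service does, models the proxy reading the factor out of User-Password, and verifies the Response Authenticator on the way back.  The NAS-Identifier string, the username, the shared secret and the approve callback standing in for Duo’s cloud check are all assumptions.

```python
"""RADIUS PAP round trip modelling AWS -> Duo proxy in Duo Only mode (constructed example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # RFC 2865 attribute types


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block);
    the first block is keyed by the Request Authenticator.  Obfuscation, not encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def decode_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password; the keystream chains on the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, factor, secret, request_auth=None):
    """What AWS sends: User-Name plus the MFA factor (passcode or 'push') in User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encode_user_password(factor.encode(), secret, request_auth))
             + _attr(NAS_IDENTIFIER, b"aws-directory-service"))   # assumed NAS-Identifier value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, {type: value}), rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:20], attrs


def _response_auth(code, ident, request_auth, attrs, secret):
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + _response_auth(code, ident, request_auth, attrs, secret) + attrs


def verify_response(response, request_auth, secret):
    """Client side: only trust an answer whose Response Authenticator matches our request."""
    code, ident, auth, _ = parse_packet(response)
    return hmac.compare_digest(auth, _response_auth(code, ident, request_auth, response[20:], secret))


def duo_only_server(packet, secret, approve):
    """Proxy side in Duo Only mode: no directory bind, User-Password is the factor,
    and approve(user, factor) stands in for the call to Duo's cloud service."""
    code, ident, request_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, ident, request_auth, secret)
    user = attrs[USER_NAME].decode()
    factor = decode_user_password(attrs[USER_PASSWORD], secret, request_auth).decode(errors="replace")
    accepted = approve(user, factor)
    return build_response(ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, request_auth, secret)


def round_trip(username, factor, secret, approve):
    """Full exchange; returns (response code, authenticator verified?)."""
    request_auth = os.urandom(16)
    response = duo_only_server(build_access_request(7, username, factor, secret, request_auth), secret, approve)
    return response[0], verify_response(response, request_auth, secret)


if __name__ == "__main__":
    print(round_trip("alice", "push", b"constructed-shared-secret-for-the-demo", lambda u, f: f == "push"))
```

Notice what the shared secret does and does not buy you: it keys the keystream that hides the passcode and it authenticates the proxy’s reply, but an Access-Request itself carries no integrity check here, so the security group rules restricting 1812 to the two AD Connector addresses are doing real work.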

BACK TO AWS CONFIG

Now we’re ready to enable MFA.  In the Directory Service console, open the directory that backs your SSO instance, find its Multi-factor authentication section and enable it.  The settings you’ll need to provide are:

  1. The private IP address of the RADIUS / Duo server (the console takes a comma-separated list if you run more than one proxy).
  2. Port 1812.
  3. The shared secret you created for this connection.  It must match radius_secret_1 / radius_secret_2 in authproxy.cfg exactly.
  4. The PAP protocol; that is what the Duo proxy’s RADIUS server expects in Duo Only mode.
  5. A server timeout long enough for a user to approve a Duo Push, plus the number of retries you want before AWS gives up on a request.

Save your changes when you’re ready.  Sign-ins through the SSO user portal will now prompt for an MFA code after the AD password, and each request, together with Duo’s answer to it, shows up in authproxy.log in the log directory of your Duo proxy install (/opt/duoauthproxy/log on Linux).  If nothing arrives there, check the security group first; if requests arrive but every one is rejected, re-check that the shared secrets match on both sides.
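The three AWS-side steps above (read the AD Connector addresses, open UDP 1812 from each of them, enable RADIUS MFA on the directory) can be scripted.  The following is an added example of my own using boto3, not AWS’s code: the directory ID, security group ID, environment-variable names, timeout and retry values are assumptions, and the minimum secret length is a local policy, not an AWS limit.  The pure helpers run anywhere; configure() needs AWS credentials.

```python
"""Scripted AWS side of the Duo RADIUS MFA setup (constructed example, boto3)."""
import ipaddress
import os

RADIUS_PORT = 1812


def connector_cidrs(connect_ips):
    """AD Connector IPs as /32 CIDRs; anything that is not a single IPv4 host is refused."""
    return [f"{ipaddress.IPv4Address(ip)}/32" for ip in connect_ips]


def ingress_permissions(connect_ips, port=RADIUS_PORT):
    """One UDP rule per connector address, never wider than /32."""
    return [{
        "IpProtocol": "udp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": cidr, "Description": "AD Connector -> Duo RADIUS"}
                     for cidr in connector_cidrs(connect_ips)],
    }]


def radius_settings(server_ips, shared_secret, port=RADIUS_PORT, timeout=20, retries=2):
    """RadiusSettings for ds:EnableRadius.  PAP is what the Duo proxy expects; the timeout
    should leave room for a Push approval (AWS allows 1..50 s, retries 0..10)."""
    if len(shared_secret) < 20:   # local policy, not an AWS requirement
        raise ValueError("shared secret too short; generate a long random one")
    if not 1 <= timeout <= 50 or not 0 <= retries <= 10:
        raise ValueError("RadiusTimeout must be 1..50 and RadiusRetries 0..10")
    return {
        "RadiusServers": [str(ipaddress.IPv4Address(ip)) for ip in server_ips],
        "RadiusPort": port,
        "RadiusTimeout": timeout,
        "RadiusRetries": retries,
        "SharedSecret": shared_secret,
        "AuthenticationProtocol": "PAP",
    }


def configure(directory_id, security_group_id, duo_server_ip, shared_secret):
    """Run the three steps against AWS; returns the AD Connector addresses it allowed."""
    import boto3
    from botocore.exceptions import ClientError

    ds, ec2 = boto3.client("ds"), boto3.client("ec2")
    directory = ds.describe_directories(DirectoryIds=[directory_id])["DirectoryDescriptions"][0]
    connect_ips = directory["ConnectSettings"]["ConnectIps"]   # the two AD Connector addresses
    try:
        ec2.authorize_security_group_ingress(GroupId=security_group_id,
                                             IpPermissions=ingress_permissions(connect_ips))
    except ClientError as err:
        if err.response["Error"]["Code"] != "InvalidPermission.Duplicate":
            raise   # an existing identical rule is fine; anything else is not
    ds.enable_radius(DirectoryId=directory_id,
                     RadiusSettings=radius_settings([duo_server_ip], shared_secret))
    return connect_ips


if __name__ == "__main__":
    # Assumed variable names; the secret comes from the environment, never from the script.
    print(configure(os.environ["DIRECTORY_ID"], os.environ["DUO_SG_ID"],
                    os.environ["DUO_SERVER_IP"], os.environ["RADIUS_SHARED_SECRET"]))
```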

Happy Hunting!

Posted in AWS, Duo, MFA, SSO