Two Factor Auth using Duo with Keycloak

These are the steps to setup two factor authentication with Duo using Keycloak.

Install Keycloak Duo SPI

  1. Clone the Keycloak Duo SPI repo

    git clone https://github.com/OSC/keycloak-duo-spi.git
    cd keycloak-duo-spi
    git submodule update --init
    
  2. Edit pom.xml and ensure keycloak.version matches the version of Keycloak you are running.

  3. Build (with Docker) - produces target/keycloak-duo-spi-jar-with-dependencies.jar

    docker run --rm -it -v $(pwd):/keycloak-duo-spi -w /keycloak-duo-spi \
      ohiosupercomputer/keycloak_duo_spi_buildbox:latest mvn clean test package
    
  4. Build (without Docker) - produces target/keycloak-duo-spi-jar-with-dependencies.jar

    yum -y install maven
    cd build/duo_java/DuoWeb
    mvn clean test install
    cd ../../..
    mvn clean test package
    
  5. Copy the JAR file and necessary template files to Keycloak and instruct Keycloak to install the SPI

    sudo install -o keycloak -g keycloak -m 0644 target/keycloak-duo-spi-jar-with-dependencies.jar \
      /opt/keycloak-9.0.0/standalone/deployments/keycloak-duo-spi-jar-with-dependencies.jar
    sudo install -o keycloak -g keycloak -m 0644 src/main/resources/duo-mfa.ftl \
      /opt/keycloak-9.0.0/themes/base/login/duo-mfa.ftl
    sudo install -o keycloak -g keycloak -m 0644 /dev/null \
      /opt/keycloak-9.0.0/standalone/deployments/keycloak-duo-spi-jar-with-dependencies.jar.dodeploy
    

Configure Duo SPI

  1. Log into your Keycloak instance

  2. Choose the realm to configure in upper left corner, eg ondemand

  3. Choose Realm Settings in the left menu then Security Defenses tab

  4. Add frame-src https://*.duosecurity.com/ 'self'; to the beginning of the value for Content-Security-Policy

  5. Choose Authentication in the left menu

  6. While on Flows tab ensure the dropdown for the flow name is Browser and click Copy

  7. Name the new flow browser-with-duo

  8. For all items below Username Password Form delete them by choosing Actions then Delete

  9. Choose Actions for Browser-with-duo Forms and choose Add Execution

  10. Select the Duo MFA provider and click Save

  11. Click Actions for Duo MFA and select Config. Fill in all values as appropriate and select Save.

  12. Select Required for Duo MFA

  13. Choose the Bindings tab and set Browser Flow to browser-with-duo and choose Save

Users logging into Keycloak will be required to verify their identity using Duo.