Two Factor Auth using Duo with Keycloak
These are the steps to set up two-factor authentication with Duo using Keycloak.
Have Keycloak perform authentication through SSSD running on the Keycloak server.
Follow the Keycloak docs for using SSSD, except use a modified PAM stack for Keycloak:

    auth    required pam_sss.so
    auth    required pam_duo.so
    account required pam_sss.so
Because Keycloak does not know that SSSD may issue a challenge-response prompt, you have to configure Duo's
prompts=1 so that the 2FA automatically sends a push notification to the person's phone.
(Optional) Require Duo based on group membership or username list
If you want to make Duo optional, you can do so via group membership. This works by changing
/etc/duo/pam_duo.conf to something like
You can also limit Duo to users listed in a file. This is done by modifying the Keycloak PAM stack. The file
/etc/security/ondemand-duo.conf is a list of usernames, one username per line, that must use Duo to authenticate with Keycloak. The modified PAM configuration for Keycloak is:

    auth    required                pam_sss.so
    auth    [default=1 success=ok]  pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/ondemand-duo.conf
    auth    required                pam_duo.so
    account required                pam_sss.so
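The two PAM stacks above decide who gets a Duo prompt purely through pam.d control flags, and the on-demand variant hinges on one line: `[default=1 success=ok] pam_listfile.so`. The script below is an added example, not part of the original page or of Duo's or Keycloak's own code. It parses those exact stack lines, walks them with the control-flag rules from pam.d(5) (ok/done/bad/die/ignore and "jump over the next N modules"), and stubs the three modules: pam_sss always accepts the password, pam_duo records that a push would have been sent, and pam_listfile follows its documented sense=allow and onerr semantics. The usernames, the sample list file and the assumption that a jump does not itself contribute a result (libpam's behaviour on an ordinary auth pass) are mine. Besides showing that listed users reach pam_duo and unlisted users skip it, the walk-through covers the failure mode a defender should check: with onerr=fail, an unreadable list file makes pam_listfile return PAM_SERVICE_ERR, which matches default=1 and skips pam_duo for everyone, so the stack fails open. The onerr=succeed run is included for comparison.

```python
"""Simplified simulator of Linux-PAM 'auth' stack evaluation (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Return codes used by the stubbed modules (names as in <security/_pam_types.h>).
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_SERVICE_ERR = "PAM_SERVICE_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # libpam's result when no module gave a verdict

# The on-demand Duo stack from the page; the simulator only walks the 'auth' lines.
ONDEMAND_DUO_STACK = """
auth    required                pam_sss.so
auth    [default=1 success=ok]  pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/ondemand-duo.conf
auth    required                pam_duo.so
account required                pam_sss.so
"""

# Constructed sample of /etc/security/ondemand-duo.conf (one username per line).
SAMPLE_LISTFILE = "alice\nbob\n"

# Actions implied by the shorthand keywords, per pam.d(5).
SHORTHAND = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text: str, facility: str = "auth") -> List[Tuple[Dict[str, str], str, Dict[str, str]]]:
    """Parse pam.d-style lines into (control-map, module, module-args) for one facility."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        fac, control, module, rest = m.groups()
        if fac != facility:
            continue
        if control in SHORTHAND:
            ctl = dict(SHORTHAND[control])
        else:  # bracket form: [value1=action1 value2=action2 ...]
            ctl = dict(tok.split("=", 1) for tok in control.strip("[]").split())
        args = {k: v for k, _, v in (tok.partition("=") for tok in rest.split())}
        stack.append((ctl, module, args))
    return stack

def pam_sss(user: str, args: Dict[str, str], env: dict) -> str:
    return PAM_SUCCESS                      # stub: first factor (password) accepted

def pam_listfile(user: str, args: Dict[str, str], env: dict) -> str:
    # Stub for item=user sense=allow: found -> PAM_SUCCESS, not found -> PAM_AUTH_ERR,
    # file unreadable -> onerr decides (succeed -> PAM_SUCCESS, fail -> PAM_SERVICE_ERR).
    content = env.get("listfile")           # None models a missing/unreadable file
    if content is None:
        return PAM_SUCCESS if args.get("onerr") == "succeed" else PAM_SERVICE_ERR
    users = {ln.strip() for ln in content.splitlines() if ln.strip()}
    return PAM_SUCCESS if user in users else PAM_AUTH_ERR

def pam_duo(user: str, args: Dict[str, str], env: dict) -> str:
    env.setdefault("duo_prompted", []).append(user)   # a push would be sent here
    return PAM_SUCCESS                      # stub: the user approves the push

MODULES = {"pam_sss.so": pam_sss, "pam_listfile.so": pam_listfile, "pam_duo.so": pam_duo}

def run_auth(stack, user: str, env: dict) -> Tuple[str, List[str]]:
    """Walk the stack; return (final result, modules that actually ran).
    Assumption: an integer action only skips modules (no contribution to the result)."""
    status: Optional[str] = None
    failed = False
    executed: List[str] = []
    i = 0
    while i < len(stack):
        ctl, module, args = stack[i]
        i += 1
        executed.append(module)
        ret = MODULES[module](user, args, env)
        action = ctl.get(ret[4:].lower(), ctl.get("default", "bad"))  # PAM_AUTH_ERR -> auth_err
        if action.isdigit():                # jump over the next N modules
            i += int(action)
        elif action in ("ok", "done"):      # contributes unless a failure is already recorded
            if not failed:
                status, failed = ret, ret != PAM_SUCCESS
            if action == "done":
                break
        elif action in ("bad", "die"):      # first failure wins; die also stops the walk
            if not failed:
                status, failed = ret, True
            if action == "die":
                break
        # "ignore": no contribution
    return (status if status is not None else PAM_PERM_DENIED), executed

def duo_required(user: str, listfile: Optional[str], onerr: str = "fail") -> Tuple[str, bool]:
    """Result of the on-demand stack for one user: (auth result, did pam_duo run?)."""
    text = ONDEMAND_DUO_STACK.replace("onerr=fail", f"onerr={onerr}")
    result, executed = run_auth(parse_stack(text), user, {"listfile": listfile})
    return result, "pam_duo.so" in executed

if __name__ == "__main__":
    for label, user, lf, onerr in [("listed user", "alice", SAMPLE_LISTFILE, "fail"),
                                   ("unlisted user", "carol", SAMPLE_LISTFILE, "fail"),
                                   ("list file unreadable, onerr=fail", "alice", None, "fail"),
                                   ("list file unreadable, onerr=succeed", "alice", None, "succeed")]:
        print(f"{label:38s} -> {duo_required(user, lf, onerr)}")
```

Running it shows the listed user passing through pam_duo, the unlisted user skipping it, and the unreadable-file case with onerr=fail completing authentication without Duo for a user who should have been prompted; with onerr=succeed the same outage instead sends everyone to Duo. Whichever behaviour you want during an outage, the point of the simulator is that it is decided by onerr together with the `default=1` jump, so that pairing is the thing to review when you adopt the on-demand stack.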