Send username to Duo

Discussion in 'LiquidFiles General' started by Paul Hirose, Jan 18, 2020.

  1. Paul Hirose

    Paul Hirose New Member

    Joined:
    Jan 10, 2020
    Messages:
    17
    Likes Received:
    0
    https://man.liquidfiles.com/security/two_factor_authentication.html

    I'm using LQ 3.3.19 and have LDAP authentication (against our local Active Directory) and that's been working fine for years. I recently enabled Duo and it works great for folks if their username is the same as their email address (presumably the left-hand side of the @.) So if my loginid is domain\meow and my emailaddress is meow@company.com, it works.

    But for folks whose loginid isn't the same as the left-hand side of their email, it doesn't. The above documentation refers to that in the last paragraph: "We need to send a username to authenticate to Duo. The default is to use your email address as username, but you can also specify to use a specific strong authentication username for each user."

    But I don't know where to configure this. I didn't see anything obvious in the Users or Groups section of Liquidfiles. I don't see anything in the Configuration -> Strong Auth Duo menu. Ideally, I guess it would be the sAMAccountName field in LDAP, I suppose.

    Thanks,
    PH
     
  2. Wisco24

    Wisco24 New Member

    Joined:
    Dec 15, 2018
    Messages:
    4
    Likes Received:
    0
    Paul, Go to a User-> Edit, Then at the bottom, change "Strong Auth" to Duo. Click "Save" then a field will appear to let you enter in the username that LiquidFiles should send to Duo for that user.
     

    Attached Files:

  3. Paul Hirose

    Paul Hirose New Member

    Joined:
    Jan 10, 2020
    Messages:
    17
    Likes Received:
    0
    Yep, found that ,thanks. Was essentially confused since that field doesn't appear until after you click and change the auth mechanism.

    We basically got to the point where we use the Liquidfiles users API to get the full userlist, compare each user against our internal LDAP server, and for the cases where the email address differs from the user's loginid/username, we then use the API to set that field. We run this script periodically (we don't have that much churn in our licensed users.) Admittedly, I had hoped for something easier, but using the API wasn't all that bad either

    Thanks again,
    PH
     

Share This Page