
Duo MFA

Duo Two-Factor Authentication

Duo’s Trusted Access platform verifies the identity of your users with two-factor authentication and the security health of their devices before they connect to the apps you want them to access.

The Duo authentication extension allows users to be additionally verified against the Duo service before the authentication process is allowed to succeed.

  1. Sign in to the EC2 instance as user ec2-user and change to the directory /home/ec2-user/guaws.

  2. Enable the Duo extension by linking the extension into the extensions folder.

    sudo ln -s ../available-extensions/guacamole-auth-duo-1.5.2/guacamole-auth-duo-1.5.2.jar \
    /home/ec2-user/guaws/guacamole/etc/extensions/

  3. Sign up for Duo and sign in as the account administrator at https://admin.duosecurity.com/login

  4. Create and enroll a new user guacadmin (user names in Guacamole must match the user names in Duo).

  5. Add a new application of type "Web SDK" and click on "Protect this Application".

  6. Configure Duo by adding the following lines to /home/ec2-user/guaws/guacamole/etc/guacamole.properties

    # the following three configuration keys are provided by Duo
    duo-api-hostname=api-xxxxxxxx.duosecurity.com
    duo-integration-key=
    duo-secret-key=

    # a random key that is used by Guacamole to secure the session. Must be at least 40 characters long.
    duo-application-key=

  7. Restart Guacamole by executing guawsctl restart guac. If Guacamole does not come back after the restart command, review the log files by executing guawsctl logs -f guac.

  8. After signing in to Guacamole, you will be redirected to Duo, where you must complete the two-factor challenge to sign in successfully.
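
The following script is an added example, not part of guaws or Guacamole. It generates a value for duo-application-key and checks the four Duo keys from step 6 before the restart in step 7. The function names and the world-readable warning are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of guaws or Guacamole.

# Print 32 bytes from the kernel CSPRNG as 64 hex characters.
gen_duo_application_key() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -dc '0-9a-f'
    echo
}

# Print the value of key $2 in properties file $1 (last assignment wins).
# Simplification: only the "key=value" form used on this page is parsed.
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if the Duo settings in file $1 look complete, 1 otherwise.
check_duo_config() {
    file=$1
    rc=0
    for key in duo-api-hostname duo-integration-key duo-secret-key duo-application-key; do
        if [ -z "$(get_prop "$file" "$key")" ]; then
            echo "FAIL: $key is missing or empty" >&2
            rc=1
        fi
    done
    case $(get_prop "$file" duo-api-hostname) in
        *xxxxxxxx*) echo "FAIL: duo-api-hostname is still the placeholder" >&2; rc=1 ;;
    esac
    app_key=$(get_prop "$file" duo-application-key)
    if [ "${#app_key}" -lt 40 ]; then
        echo "FAIL: duo-application-key is ${#app_key} characters, need at least 40" >&2
        rc=1
    fi
    # Assumption (not from the page): a file holding duo-secret-key
    # should not be readable by every local user.
    if [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
        echo "WARN: $file is world-readable" >&2
    fi
    return "$rc"
}

# With a file argument: validate it. Without: print a fresh key line.
if [ "$#" -ge 1 ]; then
    check_duo_config "$1"
else
    echo "duo-application-key=$(gen_duo_application_key)"
fi
```

Run it without arguments to get a line to paste into guacamole.properties, or pass the path of guacamole.properties to validate the file; a non-zero exit status means at least one FAIL was reported.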