Amazon SSO with MFA Using Duo

Amazon SSO is Amazon's suggested platform instead of SAML federation / ADFS. It works because you can very quickly deploy AD instances in two availability zones, hook up their AD Connector so you can leverage SSO with on-prem AD (technically synced up to your Amazon side, but I digress), and then do MFA/2FA with a RADIUS server.

The documentation on what they “need” from your RADIUS response is sparse. They don't tell, or even allude to, how to set up the RADIUS side, so you're left figuring out the RADIUS component yourself (or at least I was). What I found out was that when the RADIUS request comes in, the server just needs to respond true/false (Access-Accept or Access-Reject).

I won't go through all the details, as this post assumes moderate experience with FreeRADIUS, setting up SSO in Amazon with MFA, and configuring an application in Duo to be protected.

The way this was accomplished was simple: FreeRADIUS can exec scripts or commands with the exec module for authorization and authentication, so I figured, why can't I kick off sudo with login_duo? I am not guaranteeing the FreeRADIUS configuration is pretty or correct or would survive under load; for me, I only had to authenticate basically myself.

FreeRADIUS configuration

99% of the config from the CentOS 7.3 freeradius install was left stock. I am also fairly confident that the FreeRADIUS project lead would have another forum/mailing-list aneurysm in response to my suggestions, but with how huge, feature-rich, and (somewhat) flexible it is, I had to do what eventually worked. The documentation is vast as well, so it's kind of like finding a needle in a haystack. The goal was simple: make login_duo the provider for authorize and authenticate.

I deleted all elements under the authorize and authenticate stanzas in /etc/raddb/sites-enabled/default and replaced them with the below (make sure each stanza keeps its closing }):

authorize {
        # Force every request into the radauthorize Auth-Type so that the
        # matching authenticate sub-section below handles it.
        update control {
                Auth-Type := radauthorize
        }
}
authenticate {
        # The exec module defined in modules-enabled/loginduo; its exit
        # status decides Access-Accept (0) or Access-Reject (non-zero).
        Auth-Type radauthorize {
                loginduo
        }
}

I then created /etc/raddb/modules-enabled/loginduo, which just uses the exec module with a wait period:

exec loginduo {
	wait = yes            # wait for the program to exit; its exit status decides the reply
	shell_escape = yes    # escape shell metacharacters in expanded attributes such as %{User-Name}
	program = "/usr/bin/sudo -u %{User-Name} /usr/sbin/login_duo"
	timeout = 30          # seconds allowed for the Duo push to be answered
}
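The program line above hands whatever User-Name arrives in the RADIUS request straight to sudo -u. As an added example (not from the original post or the FreeRADIUS/Duo projects), here is a hypothetical wrapper script you could point the loginduo module at instead, which rejects malformed or unlisted account names before login_duo is ever invoked; the allowlist path and the script name are assumptions.

```sh
#!/bin/sh
# Hypothetical wrapper for the exec module's program line (added example).
# Use it as: program = "/usr/local/sbin/radius-duo %{User-Name}"
# FreeRADIUS passes the expanded User-Name as $1.
# Exit 0 => Access-Accept, anything else => Access-Reject.

# Assumed location of a one-name-per-line allowlist of accounts that may
# authenticate through this RADIUS server.
ALLOWLIST="${DUO_RADIUS_ALLOWLIST:-/etc/raddb/duo-users.allow}"

# Accept only plain POSIX-style account names: non-empty, only [A-Za-z0-9._-],
# no leading dash (would be parsed as a sudo option), never root, max 32 chars.
valid_user_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|-*|root) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# True when the exact name appears as a whole line in the allowlist file.
user_allowed() {
    [ -r "$2" ] && grep -qxF -- "$1" "$2"
}

# Combined check whose result decides whether login_duo runs at all.
check_user() {
    valid_user_name "$1" && user_allowed "$1" "$2"
}

main() {
    if ! check_user "$1" "$ALLOWLIST"; then
        printf 'radius-duo: rejecting request for user %s\n' "$1" >&2
        exit 1
    fi
    # -n: never let sudo block on a password prompt; the module timeout
    # should be the only thing bounding the Duo push.
    exec /usr/bin/sudo -n -u "$1" /usr/sbin/login_duo
}

# FreeRADIUS always passes the user name; with no argument the script only
# defines its functions (so they can be sourced for testing).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The radiusd user still needs a sudoers entry permitting login_duo as the allowed accounts, exactly as with the original program line.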

Amazon SSO does not send the password, just the MFA code. This proved slightly annoying, since it meant I couldn't use PAM via RADIUS for the MFA (which would be better than calling the login_duo command) and I was left with login_duo, because the “password” field is populated with the MFA code. Whatever you enter as the code in Amazon SSO can be garbage, because login_duo is used with autopush; it just means you can only support autopush.

This is about all you need to get Amazon SSO working with Duo MFA.