Amazon SSO with MFA Using Duo
Amazon SSO is their suggested platform instead of SAML federation / ADFS. This works because you can very quickly deploy AD instances in two availability zones and then hook up their AD Connector so you can leverage SSO with on-prem AD (technically synced up to your Amazon, but I digress) and then can do MFA/2FA with a RADIUS server
The documentation with what they “need” from your RADIUS response is sparse. They don’t tell or elude how to setup the RADIUS side and as a result, you’re left with just figuring out the RADIUS component (or at least I was). What I found out was that when the RADIUS request comes in it just needs to respond true/false…
I wont go through all the details as this post makes some assumptions like very moderate experience with FreeRADIUS, setting up SSO in Amazon w/ MFA, and configuring in app in Duo to be protected
The way this was accomplished was simple: FreeRADIUS can exec scripts or commands with the exec module for authorization and authentication so I figured why cant I kick off sudo with login_duo. I am not guaranteeing the FreeRADIUS configuration is pretty or correct or would survive under load, however for me, I only had to authenticate basically myself
FreeRADIUS configuration
99% of the config from CentOS 7.3 freeradius install was left stock. I am also fairly confident that the FreeRADIUS project lead would have another forum mailing list aneurysm response based on my suggestions but with how huge, feature rich, and (somewhat) flexible it is, I had to do what eventually worked. The documentation is vast as well so its kind of like finding a needle in a haystack. The goal was simple, make login_duo the provider for authorize and authentication
I deleted all elements under authorize and authentication stanzas in /etc/raddb/sites-enabled/default and replaced it with the below (add the final })
authorize { update control { Auth-Type := radauthorize } }
authenticate { Auth-Type radauthorize { loginduo } }
Then created /etc/raddb/modules-enabled/loginduo which just uses the exec module with a wait period
exec loginduo { wait = yes shell_escape = yes program = "/usr/bin/sudo -u %{User-Name} /usr/sbin/login_duo" timeout = 30 }
Amazon SSO does not send the password – just the MFA code. This proved slightly annoying since then I couldn’t use PAM via RADIUS for the MFA (which is better than calls to login_duo command) and I was left with login_duo since the “password” field was populated with the MFA code. When you enter this in Amazon SSO, it can be garbage since you can use login_duo with autopush – it just means you can only support autopush
This is about all you need to get Amazon SSO with Duo MFA
I am having difficulties configuring freeradius. I set it up to run as a docker container in AWS ECS. Where is the %{User-Name} coming from? Do I need to have the same AD username created in the freeradius server too?
Hello – are you still needing help with this? I know this is a year late but I seemed to never receive the email. Happy to help!