A step-by-step guide to getting started with the Duo Security integration with Gradient Reconcile.
Products Integrated Duo User License
Note that with the exception of users in the Trash folder or users in Pending Deletion status, users consume a seat license once they are added to the Duo Admin Panel. Click here for more information.
Connecting the Duo Security Integration
Disconnecting the Duo Security Integration
Step 1: Generate Vendor API Keys
The Duo Security integration requires the following credentials across the Admin API and Accounts API:
- Integration Key
- Secret Key
- API Hostname (e.g., API-xxxxxxxx.duosecurity.com)
Note that only administrators with the Owner role in the parent may contact Duo Support to request access to the Accounts or Admin API application, or can create or modify an API application in the Duo Admin Panel.
Accounts API
- Log in to the Duo Admin Panel and navigate to Applications.
- Click Protect an Application and locate the entry for Accounts API in the applications list. Click Protect to the far right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
Optional specify which IP addresses or ranges are allowed to use this Accounts API application in Networks for API Access. If you do not specify any IP addresses or ranges, this Accounts API application may be accessed from any network. Click here for more information.
Admin API
- Log in to the Duo Admin Panel and navigate to Applications.
- Click Protect an Application and locate the entry for Admin API in the applications list. Click Protect to the far right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
- Apply "Grant read resource" permission to this Admin API application. This is required to read information about resource objects such as end users, to retrieve seat license usage.
Step 2: Connect the Integration
- Login to Synthesize and navigate to the Integrations tab.
- Select the Duo Security Integration card and click Connect.
- Choose what module you wish to connect to, and press continue.
- Enter your vendor details from Step 1 and press authenticate.
- Press Next to complete the service and account mapping.
Note that you are only able to proceed until accounts, services and the integration status are set to "Pending." You may hit the Sync status button to check the status of the integration.
Step 3: Map Accounts and Services
- Map your accounts by dragging the card from Synthesize on the left to Duo Security on the right. When complete, press Next.
- We have auto-mapped any that are exact matches. The remaining can be searched by pressing the filter button or typing in the Synthesize search bar.
- Map your services by dragging the card from Synthesize on the left to Duo Security on the right. When complete, press Next.
- Services can be searched by pressing the filter button or typing in the Synthesize search bar.
- Review and Press Finish
- A pop-up will inform you that the setup is complete and that the syncing of usage can take a few seconds to several minutes.
Tip: Learn more about how to map within Gradient reconcile here.
Step 4: Reconcile
- You are now ready to start reconciling.
- To view only that vendor’s results, you can select the filter option and choose the vendor to display the imported values and reconcile.
Disconnecting the Integration
- Login to Synthesize and navigate to the Integrations tab.
- Filter to Connected Integrations
- Select the Duo Security Integration card and click Configure.
- Press Disconnect and Confirm.
- Navigate to the Vendor account and turn off your API keys.
Warning: disconnecting this integration will remove the authentication settings and all account and service mapping. You'll be able to reconnect this integration, but you'll need to remap your account and services.