
Duo Sync Issues: Staff/Student Employee user exits University and remains a Student

MDEllis549
Level 1

Hello All,
Michael Ellis - Project Manager from Boise State University. Leading the implementation for Duo at the University. Had a specific scenario and wanted to know if anyone else has encountered this and, if so, what actions their organization took to mitigate the issue.

Scenario: a user leaves working at the University and stays on as a student. Due to Duo rules within the software, unless manual intervention occurred, the user in this scenario would not have access for 7 days or until someone with the proper access deletes the trash (whichever is sooner).

Potential Process when an employee or student employee is off-boarding and is remaining as a student:

  1. Off-boarding Department personnel need to notify IT Accounts of the user leaving
  2. IT Accounts needs to remove the user from the Active Directory group
  3. IT Accounts needs to notify Duo Admin User
  4. Duo Admin User pushes a manual sync to update to
  5. Duo Admin User needs to delete the user from the ‘trash bin’

kapurs
Level 1

Hi Michael, wondering if you were able to find an elegant solution for this. We are running into the same situation at our university where the ex-employee student is blocked for 7 days unless removed from trash. Not sure if there is a way to avoid, automate, or otherwise fix this.

Thank you for any pointers.

We use the API to delete users via script. We also use the API to set up alerts if the trash has any users in it.

Thank you. Are you able to delete AD synched users via the API? I imagine you also need to remove them from the AD group so that they don’t synch over again.

I was also looking to see if the API can clear out the trash, but it does not appear there is one.

API cannot take out trash - we have asked Duo. They say we are not the first but it’s not even on the roadmap.
I’d put in a request to them so that they know about it and can add to the data to support this in the future.

I saw that U Buffalo is somehow clearing out trash. They have created a UI that does it for them, thinking I might reach out to someone there.

Can our developers leverage your code by any chance? I know we regularly share with other institutions but totally fine if you don’t.

What University are you with?
Let me check.
–Michael

We are Fairfield U… Thank you.

Will you send me your university contact information?
–Michael

Just trying to find the best way to share that without letting the scrapers advertise it everywhere lol. Let’s make it cryptic: skapur at fairfield if that makes sense.

Thanks.

Hey everyone,

You can absolutely use the Admin API to delete users put into the trash manually via a DELETE request to /admin/v1/users/userid. (Looking at that solution from buffalo.edu, that’s my guess at what they’re doing since you have to specify a single Duo username: use api to look up username to get the user_id, then delete the user_id).

What you can’t do with Admin API is put a user into the Trash, restore a user from the Trash, or permanently delete all users in the Trash in a single API operation.

You also can’t use the Admin API to perform most management operations on synced users, as we defer ownership of those objects to the sync.

Duo, not DUO.
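
The two-step flow described in the reply above (look up the username to get the user_id, then DELETE that user_id), as an added example that is not code from any poster or from Duo. It builds the signed requests without sending them, assuming the Admin API's HMAC-SHA1 request signing; the host, keys, date and sample response are constructed placeholders, and it does not answer whether the delete is accepted for directory-synced users.

```python
import base64, hashlib, hmac, urllib.parse

# Constructed placeholders: not real credentials, host, or user data.
IKEY, SKEY = "DIXXXXXXXXXXXXXXXXXX", "constructed-secret-key"
HOST = "api-XXXXXXXX.duosecurity.com"

def canon_params(params):
    """URL-encode parameters sorted by key, as the signature expects."""
    q = urllib.parse.quote
    return "&".join(f"{q(k, safe='~')}={q(v, safe='~')}" for k, v in sorted(params.items()))

def signed_request(method, path, params, date):
    """Build (method, url, headers): Basic auth of ikey:HMAC-SHA1(canonical request)."""
    args = canon_params(params)
    canon = "\n".join([date, method.upper(), HOST.lower(), path, args])
    sig = hmac.new(SKEY.encode(), canon.encode(), hashlib.sha1).hexdigest()
    auth = base64.b64encode(f"{IKEY}:{sig}".encode()).decode()
    url = f"https://{HOST}{path}" + (f"?{args}" if args else "")
    return method, url, {"Date": date, "Authorization": f"Basic {auth}"}

def lookup_request(username, date):
    """Step 1: GET the user record for one username."""
    return signed_request("GET", "/admin/v1/users", {"username": username}, date)

def pick_user_id(body, username):
    """Refuse to continue unless exactly one user matches the username."""
    hits = [u for u in body.get("response", []) if u.get("username") == username]
    if body.get("stat") != "OK" or len(hits) != 1:
        raise LookupError(f"expected one match for {username!r}, got {len(hits)}")
    return hits[0]["user_id"]

def delete_request(user_id, date):
    """Step 2: DELETE the user by user_id."""
    if not user_id.isalnum():  # keep the id from altering the signed path
        raise ValueError("unexpected user_id format")
    return signed_request("DELETE", f"/admin/v1/users/{user_id}", {}, date)

if __name__ == "__main__":
    # Constructed date and response; send the current RFC 2822 time in practice.
    date = "Tue, 21 Aug 2012 17:29:18 -0000"
    sample = {"stat": "OK", "response": [{"username": "jdoe", "user_id": "DUCONSTRUCTED000001"}]}
    print(lookup_request("jdoe", date)[1])
    print(delete_request(pick_user_id(sample, "jdoe"), date)[:2])
```
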

Hi, thank you for the details. The scenario for us is that users are put in trash by dir sync when they are disabled in AD. Will the DELETE request via API allow the user to be removed? Your last statement suggests we cannot do this for synced users.
