I have been battling Nextcloud/Duo for the past two weeks and am feeling beyond hopeless at this point. My bosses have given me a series of requirements: get Nextcloud installed into our network, and integrate Duo onto it. We have individuals we occasionally contract out into SCIFs, so Duo needs to play with the hardware tokens as an option for those that can't push to their phone for 2FA.
Some people may suggest using another platform in either department. My company is insisting on needing Nextcloud. It is a solution for large data transfers (too large for email) between our contracting companies that doesn't require them to have accounts in our network. Duo is something we are too far invested in at this point to just start buying some other company's hardware tokens or to just swap 2FA providers. My company chose to go with them to meet 2FA for NIST reasons prior to me being employed and has it integrated in nearly everything at this point, as well as having purchased their hardware tokens…
My current setup is the Duo LDAPS Proxy, which is working great except for 1 small factor. I log into Nextcloud with my Active Directory (AD) account, which is configured to push to my Duo LDAP proxy. The proxy authenticates to the Active Directory and, if accepted, pushes to Duo for an auto-push or hardware token acceptance if the password had the delimiter. When the user accepts (or if the hardware token is correct), Duo accepts and sends back to the proxy, which sends back to Nextcloud.
This is all functioning correctly. The 1 small factor is that after I log in, it apparently periodically re-requests authorization. So I will be working within Nextcloud and all of a sudden get a prompt for Duo from the LDAP proxy. It will not load the file/page until I accept. This leads me to believe that Nextcloud is resending authorization packets periodically, which triggers the whole authentication process again, and since the user has no option to add a delimiter on the automatic authentication, it auto-pushes to the phone. This is an issue for SCIF people: they can't re-authenticate and therefore will be kicked off.
Is there any way of configuring Duo to not push when Nextcloud sends the LDAP re-authorization until the user logs off or for XX minutes? I see that it can be done for web browsers if Duo played with Nextcloud (which I can't get it to, hence the LDAP proxy route). Or is there a way to use the LDAP proxy for initial login and the actual AD for re-authentication requests?
(This is a cross post from Nextcloud community – https://help.nextcloud.com/t/nextcloud-ldap-and-duo-help/30358)
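One way to confirm from the proxy side that the re-prompts really are repeated LDAP binds for the same user within a short window, as an added diagnostic script that is not part of the original post and not Duo's or Nextcloud's own code. The log lines and their `timestamp user factor result` layout are constructed for the example; the real Duo Authentication Proxy log format differs and the regex would need adjusting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed simplified layout:
# "<date> <time> <user> <factor> <result>". Not real Duo proxy output.
SAMPLE_LOG = """\
2019-01-10 09:00:05 alice push allow
2019-01-10 09:04:40 alice push allow
2019-01-10 09:09:12 alice push allow
2019-01-10 09:01:00 bob passcode allow
2019-01-10 10:30:00 bob push allow
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return a list of (timestamp, user, factor, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_repeat_pushes(events, window_minutes=15):
    """Map each user to the number of successful push prompts that arrived
    within `window_minutes` of the previous successful push. A non-zero
    count is the signature of the client re-binding instead of reusing
    its session, which is what forces the extra phone prompts."""
    by_user = defaultdict(list)
    for ts, user, factor, result in sorted(events):
        if factor == "push" and result == "allow":
            by_user[user].append(ts)
    window = timedelta(minutes=window_minutes)
    repeats = {}
    for user, times in by_user.items():
        n = sum(1 for prev, cur in zip(times, times[1:]) if cur - prev <= window)
        if n:
            repeats[user] = n
    return repeats


if __name__ == "__main__":
    print(find_repeat_pushes(parse_log(SAMPLE_LOG)))  # {'alice': 2}
```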