Where to add DUO AUTH API in php and NextCloud


#1

I’m trying to add Duo to my NextCloud application. I’m not a PHP developer so I’m looking for some direction. I’ve found the Duo PHP API repo and I have no idea at which point in the auth flow of NextCloud I should be adding the Duo API into the NextCloud code. NextCloud is fairly complex, and I have only a little syntax understanding of PHP.

Has anyone done this already? Where should I add the API/SDK? I can’t figure out in which part of the auth flow to add the provider.


#2

You might want to review our Duo Web SDK instructions to understand how to add Duo to a web application, but that won’t give you integration tips specifically for NextCloud. I found this experimental Duo 2FA provider for NextCloud that might work for you or maybe at least give you some guidance for adding Duo auth yourself.

Another forum member added Duo auth to NextCloud via SAML, which doesn’t require custom development: Nextcloud, LDAP, Duo Integration - Help


#3

Thank you; unfortunately that repo has been archived and no longer works. The SAML method is not an option in my circumstances. I have looked through the SDK instructions and mostly I can’t figure out the auth flow of NextCloud to add it. But thanks for reaching out, the search continues.


#4

Oh the irony. I was the requestor of the SAML solution and this poster is a coworker.

I spoke too soon in saying it worked. Our environment utilizes VPN technology and our DC is only reachable inside it. So the SAML solution works for those on the VPN (which I was on), but for those external to the VPN (other companies, people in SCIFs, etc.) it does not work.

The reason is the website redirects to the AD FS site, which is hosted inside the VPN. There are a couple of routes to fixing that, but they are adamant about not exposing the DC in any way. I’m pushing for a web proxy now to redirect the request and act as a middleman. Still getting pushback on that as well.

So I threw this at the poster to see if he could develop something. And then we’ve gone full circle. Too funny.


#5

Oh, that is a funny coincidence!

I’m sorry to hear that SAML wasn’t the complete solution for you. Most orgs that deploy AD FS also deploy a stand-alone Windows server in their DMZ to run the Web Application Proxy (WAP) role as a front end for the AD FS server, so external connections never need to come all the way in to the internal segments where your AD FS and DC servers reside. Before I came to Duo I implemented this same architecture at my gov’t contractor employer (oh, your mention of SCIFs brings those memories back!).

To deploy WAP for AD FS in your DMZ you only need HTTPS/443 into the DMZ from external, and then HTTPS/443 from the WAP server in the DMZ to your internal AD FS server. The WAP doesn’t need to contact a DC directly.

Here’s some more info about best practices for publishing AD FS securely.