Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4853
Views
0
Helpful
4
Replies

Where to add DUO AUTH API in php and NextCloud

CHBaker
Level 1
Level 1

‎05-01-2018 08:14 AM

I’m trying to add Duo to my NextCloud application. I’m not a php developer so I’m looking for some direction. I’ve found the Duo php api repo and I have no idea at which point in the auth flow of nextcloud I should be adding the duo api into the nextcloud code. NextCloud is fairly complex, and I have only a little syntax understanding of php.

Has anyone done this already? where should I add the API/SDK? I can’t figure out in which part of the auth flow to add the provider.

Labels:
0 Helpful
4 Replies 4

DuoKristina
Cisco Employee
Cisco Employee

‎05-04-2018 07:16 AM

You might want to review our Duo Web SDK instructions to understand how to add Duo to a web application, but that won’t give you integration tips specifically for NextCloud. I found this experimental Duo 2FA provider for NextCloud that might work for you or maybe at least give you some guidance for adding Duo auth yourself.

Another forum member added Duo auth to NextCloud via SAML, which doesn’t require custom development: Nextcloud, LDAP, Duo Integration - Help

Duo, not DUO.
0 Helpful

CHBaker
Level 1
Level 1
In response to DuoKristina

‎05-04-2018 07:20 AM

Thank you, unfortunately that repo has been archived and no longer works. The SAML method is not an option in my circumstances. I have looked through the SDK instructions and mostly I can’t figure out the authflow of nextcloud to add it. But thanks for reaching out, the search continues

0 Helpful

dcsteve24
Level 1
Level 1
In response to DuoKristina

‎05-04-2018 04:49 PM

Oh the irony. I was the requestor of the SAML solution and this poster is a coworker.

I spoke too soon on saying it worked. Our environment utilized vpn technology and our DC is only reachable inside it. So the SAML solution works for those on the vpn (which I was in) But those external to the vpn (other companies, people in scif, etc) do not work.

The reason is the website redirects to the adfs site which is hosted in vpn. There’s a couple routes to fixing that, but they are adamit about not exposing the dc I’m any way. I’m pushing for a web proxy now to redirect the request and act as a middle man. Still getting pushback on that as well.

So I threw this at the poster to see if he could develope something. And then we’ve gone full circle. To funny.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to dcsteve24

‎05-07-2018 02:23 PM

Oh, that is a funny coincidence!

I’m sorry to hear that SAML wasn’t the complete solution for you. Most orgs that deploy AD FS also deploy a stand-alone Windows server in their DMZ to run the Web Application Proxy (WAP) role as a front end for the AD FS server, so external connections never need to come all the way in to the internal segments where your ADFS and DC servers reside. Before I came to Duo I implemented this same architecture at my gov’t contractor employer (oh, your mention of SCIFs bring those memories back!).

To deploy WAP for AD FS in your DMZ you only need HTTPS/443 into the DMZ from external, and then HTTPS/443 from the WAP server in the DMZ to your internal AD FS server. The WAP doesn’t need to contact a DC directly.

Here’s some more info about best practices for publishing AD FS securely.

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents