Multi-factor authentication with Duo
You can use Cyral to require multi-factor authentication (MFA) for data users. Once you've configured a Duo integration in Cyral, you can add an access condition on any repository to require its users to complete Duo authentication each time they access the repository.
Supported repository types
MFA with Duo is supported on the following repository types: MariaDB, MongoDB, MySQL, Oracle, PostgreSQL, Redshift, and Microsoft SQL Server.
Prerequisites for setting up Duo MFA in Cyral
- Connect Cyral's SSO integration to your identity provider.
- Add a Duo integration to cyral
Prerequisites for authenticating users with Duo MFA
- To authenticate with Duo MFA, the user must log in with a username that matches their username in Duo. You can achieve this manually or by using directory synchronization between Duo and your SSO identity provider.
- For each combination of user and repository where MFA will be required, your repository configuration in Cyral must contain an identity map with a restrict-access condition requiring Duo integration.
- Each MFA-authenticated data user must have a mobile authenticator app from Duo Security:
For more information, see Login experience for data users, below.
Add a Duo integration to Cyral
First, in your Duo management console, create an application that will protect your repositories via Cyral:
- In the Duo management console, go to Applications
- Select Protect an Application
- Choose Partner Auth API and click Protect. Once you've done this,
Duo provides three pieces of information that you'll need in order to
connect Cyral and Duo. Copy these values to a safe location or keep
this tab open. The values are:
- integration key
- secret key
- API hostname
Next, in the Cyral control plane UI, add the Duo MFA integration:
- Click Integrations in the left panel of the Cyral control plane UI.
- Find the Duo card and click Setup or Configure.
- In the new window click New Integration.
- In the configuration form, provide the integration key, secret key, and API hostname you copied from Duo earlier. Name the integration as you like and click Add to complete the integration.
Duo MFA authentication will only be required for those user-repository combinations where you've enabled it. Proceed to the next section to require Duo MFA for one or more users of a repository.
Require Duo multi-factor authentication on a repository
For each combination of user and repository where MFA will be required, your repository configuration in Cyral must contain an identity map for the SSO user(s) who will authenticate with MFA on this repository, and each such identity map must contain a restrict-access condition that's set to use your Duo integration.
For a given repository protected in Cyral, there is no setting that enables MFA for all users of that repository. Instead, in the repository configuration in Cyral, you must add identity maps for the users who will authenticate with MFA on this repository, and each of these identity maps must contain the MFA requirement. If you wish to ensure that all users use MFA on the repository, check all the identity maps on the repository, making sure that each contains the Duo MFA requirement.
- In the Data Repos page of the Cyral control plane UI, click the name of the repository whose access you wish to manage. Click the Identity to Account Map tab, and click the ➕ (plus sign).
- Choose the Group or User as the Identity Type, and specify the group or user who will be required to authenticate with MFA. Use the group name or user name as it's written in your identity service.
- In the Local Account field, choose the name of the native repository account that the MFA-authenticated users will use to connect, as configured in Cyral. (For details, see SSO authentication for your users.)
- In the Duration field, set a length of validity for the access, or click Unlimited to grant access that will not expire automatically.
- In the Authentication section, choose your Duo MFA integration.
- Click Create.
Now that you've created the mapping for the SSO group or user you specified, Duo MFA authentication will be required anytime this user / a user from this group tries to connect to this repository. Repeat the above steps to require MFA for other repositories, or for other users on this repository.
Login experience for data users
When the user connects to and MFA-protected repository, their Duo mobile application will prompt them to complete the authentication on their mobile device.
See Prerequisites for authenticating users with Duo MFA, above.
Making MFA more usable for your users
DataGrip: Reducing the number of MFA prompts users see
When using DataGrip to connect to an MFA-protected database, users can reduce the number of MFA approval requests they receive by setting the single session mode option in DataGrip.
To set this up in DataGrip, edit your data source for the repository. In the properties of the data source, click Options and turn ON Single-session mode.
MongoDB: Reducing the number of MFA prompts users see
MongoDB users who connect with any tool that uses the MongoDB Node.js driver (MongoDB Compass, MongoDB Shell, etc.) will receive multiple MFA approval requests when connecting, as well as extra MFA approval requests when they submit queries. See our support article for a workaround.