Duo

Connect your Duo instance to use Opal to manage and review access.

Opal's integration with Duo supports the following, and more:

  • Users can request time-bounded access to your Duo groups.
  • Auditors can initiate access reviews that assign managers or group admins to periodically review users with long-lived access to Duo groups.
  • Admins can add resources from other Opal integrations to a Duo group so that the group's members automatically gain birthright access to, for example, a GitHub repo or an AWS IAM role.
  • All access changes are tracked in a permanent audit log that can be logged to a Slack channel or exported to your favorite tools.

Requirements

To set up your Duo app:

  • You must be an Opal Admin
  • Your users must also have the optional email field populated in Duo to be imported to Opal
  • You must have the ability to set up Admin API credentials in Duo
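
Because users without an email in Duo are not imported, it helps to list them before connecting. The following is an added example, not part of Opal's or Duo's own tooling: it assumes you have saved the JSON body returned by Duo's Admin API GET /admin/v1/users, and the sample data and function name are constructed for illustration.

```python
import json

# Constructed sample shaped like the body of a Duo Admin API
# GET /admin/v1/users response (fields trimmed; not real data).
SAMPLE_RESPONSE = """
{"stat": "OK", "response": [
  {"username": "alice", "email": "alice@example.com", "status": "active"},
  {"username": "bob",   "email": "",                  "status": "active"},
  {"username": "carol", "email": "   ",               "status": "disabled"},
  {"username": "dave",  "email": null,                "status": "active"},
  {"username": "erin",                                "status": "bypass"}
]}
"""


def users_missing_email(body):
    """Return (username, status) for every Duo user with no usable email.

    A user counts as missing an email when the field is absent, null,
    empty, or whitespace only.
    """
    data = json.loads(body)
    if data.get("stat") != "OK":
        # Duo reports API errors with stat == "FAIL" and a message.
        raise ValueError("Duo API error: %s" % data.get("message", "unknown"))

    missing = []
    for user in data.get("response", []):
        email = user.get("email") or ""
        if not email.strip():
            missing.append((user.get("username"), user.get("status")))
    return missing


if __name__ == "__main__":
    for username, status in users_missing_email(SAMPLE_RESPONSE):
        print("no email: %s (status: %s)" % (username, status))
```

Large Duo accounts return users in pages, so run the check over every page you export.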

1. Create a Duo app

To get started, go to the Inventory page and click + App at the top right. Then, click the Duo tile.

2. Generate Admin API credentials

Opal requires Admin API credentials in order to manage your Duo Groups on your behalf. To learn more about setting up Admin API credentials, see the Duo documentation.

The following permissions must be granted for Opal to successfully manage access to your Duo instance. Admin API permissions can be found in the Duo Admin Portal under Applications > Admin API > Permissions.

  • Grant read information
  • Grant read log
  • Grant read resource
  • Grant write resource

3. Fill out the Opal form

Back in the Opal app creation form, fill in the details about your Duo account and select Create. If this step is successful, you have completed setting up the Duo connection.