Two-Factor Authentication with Duo Security

This Bloomreach Experience Manager feature requires a standard or premium license. Please contact Bloomreach for more information.

Bloomreach Experience Manager offers integration with Duo Security to add a second layer of security for accessing the CMS, verifying the identity of the user using a second factor (like a phone or other mobile device). This document describes the steps required to install this integration module.

Watch video

You can see a demo of logging in with Two-Factor Authentication in the video about Log in Options on this video page.

Sign up with Duo Security

Before anything else, you need to sign up for a Duo Security account. At the time of this writing Duo Security is free for up to ten users, so you can try it out and test it before committing yourself. In the Duo Security admin panel create a new Web SDK integration and enroll your users. Note that usernames in Duo Security must match the usernames in Bloomreach Experience Manager.

Add the Duo Security integration module dependency

Add the following dependency to the cms/pom.xml file:

<dependency>
  <groupId>com.onehippo.cms7</groupId>
  <artifactId>hippo-addon-2fa-duosecurity</artifactId>
</dependency>

Configure the Duo Security integration Servlet Filter

Add the following filter definition to the cms/src/main/webapp/WEB-INF/web.xml file:

<filter>
  <filter-name>DuoSecurity</filter-name>
  <filter-class>com.onehippo.cms7.twofa.duosecurity.DuoSecurityTwoFAFilter</filter-class>
</filter>

And in the same file the following filter mapping:

<filter-mapping>
  <filter-name>DuoSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Define this filter mapping above the CMS filter mapping. It needs to be executed first.

Configure the Duo Security Resource Servlet

To serve the Duo Security JavaScript file from the server you need to add the following servlet definition:

<servlet>
  <servlet-name>DuoWebResourcesServlet</servlet-name>
  <servlet-class>org.onehippo.cms7.utilities.servlet.ResourceServlet</servlet-class>
  <init-param>
    <param-name>jarPathPrefix</param-name>
    <param-value>/duoweb</param-value>
  </init-param>
  <init-param>
    <param-name>allowedResourcePaths</param-name>
    <param-value>
      ^/.*\..*
    </param-value>
  </init-param>
  <init-param>
    <param-name>cacheTimeout</param-name>
    <param-value>0</param-value>
  </init-param>
</servlet>

And the following servlet mapping:

<servlet-mapping>
  <servlet-name>DuoWebResourcesServlet</servlet-name>
  <url-pattern>/duoweb/*</url-pattern>
</servlet-mapping>

Configure the Duo Security integration Servlet Filter

The Duo Security integration servlet filter is configured with a separate properties file, for example with the name 2fa.properties. The properties file should contain the following properties:

duo.enabled=true
duo.contextPath=/cms
duo.akey=...
duo.ikey=...
duo.skey=...
duo.host=api-....duosecurity.com
# optional, since 14.7.1
# omit the entry or use 'from-request' to take the URL from the request headers,
# or set the external CMS URL explicitly, e.g. https://cms.example.com
duo.cmsUrl=from-request

The context path is typically /cms when running locally and / when running behind a proxy, with no context path in the CMS URL.

The integration key (duo.ikey), the secret key (duo.skey) and the API host (duo.host) are listed on the integration details page in the Duo Security admin panel. The application key (duo.akey) is a secret of at least 40 characters that you must generate yourself and that you keep secret from Duo Security. You can, for example, generate a random 40-character hex string in Python with:

import hashlib, os
# SHA-1 of 32 random bytes yields 40 hex characters
print(hashlib.sha1(os.urandom(32)).hexdigest())

Setting duo.enabled to false disables Duo Security two-factor authentication. The default is true.

The servlet filter locates the properties file through the system property 2fa.config, which must contain the absolute path to the properties file.

To pass the system property to Tomcat via Cargo, use -Dcargo.jvm.args="-D2fa.config=/path/to/2fa.properties".
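As an added example (not part of the integration module or of this documentation), a small Python check for a 2fa.properties file as described above: it parses the file and flags the mistakes that make the filter fail or weaken it, such as a short duo.akey, a missing duo.skey, a malformed duo.host or a plain-http duo.cmsUrl. The validation rules and the sample file are assumptions made here, not checks the filter itself performs.

```python
import re

# Constructed sample 2fa.properties (not a real deployment's values).
SAMPLE_PROPERTIES = """
duo.enabled=true
duo.contextPath=/cms
duo.akey=tooshort
duo.ikey=DIXXXXXXXXXXXXXXXXXX
duo.skey=
duo.host=api-12345678.duosecurity.com
# optional, since 14.7.1
duo.cmsUrl=http://cms.example.com
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_duo_config(props: dict) -> list:
    """Return findings (empty list = nothing to fix) for a parsed 2fa.properties."""
    findings = []
    enabled = props.get("duo.enabled", "true").lower()  # page: default is true
    if enabled not in ("true", "false"):
        findings.append("duo.enabled must be true or false")
    elif enabled == "false":
        findings.append("duo.enabled=false: second factor is switched off")
    for key in ("duo.ikey", "duo.skey"):
        if not props.get(key):
            findings.append(f"{key} is missing (copy it from the Duo admin panel)")
    if len(props.get("duo.akey", "")) < 40:  # page: at least 40 characters
        findings.append("duo.akey must be at least 40 characters, generated locally")
    if not re.fullmatch(r"api-[a-z0-9]+\.duosecurity\.com", props.get("duo.host", "")):
        findings.append("duo.host should look like api-XXXXXXXX.duosecurity.com")
    if not props.get("duo.contextPath", "").startswith("/"):
        findings.append("duo.contextPath must start with '/' (e.g. /cms or /)")
    cms_url = props.get("duo.cmsUrl", "from-request")  # omitted means from-request
    if cms_url != "from-request" and not cms_url.startswith("https://"):
        findings.append("duo.cmsUrl must be 'from-request' or an https:// URL")
    return findings
```

Run it against the file named by -D2fa.config before deploying; the sample above yields three findings (short akey, empty skey, non-https cmsUrl).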