This JSON file allows Active Directory groups to be mapped to CloudHealth roles, instead of the CloudHealth standard of reading the role from an Active Directory user attribute.
This guide applies to the Duo Access Gateway; the AuthProc rules and regex can be modified to suit your needs.
The goal was to remove the CloudHealth role (e.g. cloudhealth-administrator) from an Active Directory user attribute (e.g. extensionAttribute1) and move it to standardised group-based membership. As a result, the management and reporting of user access roles is standardised alongside other reporting processes and is far simpler to update.
The Duo Access Gateway is built on SimpleSAMLphp, so the SimpleSAMLphp Authentication Processing Filter AttributeAlter (core:AttributeAlter) is used to manipulate the SAMLResponse sent to CloudHealth.
The SimpleSAMLphp library reads the groups assigned to the user in Active Directory and runs a regex against them, removing every group that does not fit the CloudHealth naming convention of "cloudhealth-ROLENAME" (e.g. "cloudhealth-administrator"), so only the matching role value is released to CloudHealth.
- Create a new Application in the Duo Web Admin console as usual, with the correct settings
- Download the IKEY.json file from this repo
- Download the Duo CloudHealth Application config from the Duo Admin Console
- Open both files and substitute the Jinja placeholders in IKEY.json with the corresponding values from the config downloaded from the Duo Admin Console
- Create AD groups matching the role IDs found in the CloudHealth admin console, e.g.
  - cloudhealth-administrator
  - cloudhealth-standard
  - cloudhealth-power
- Add users to your AD groups and allow Duo to sync with Active Directory
- Import your updated IKEY.json file into your Duo Access Gateway console
- Test logging in to CloudHealth via Duo
Ensure each user is a member of exactly one cloudhealth-* Active Directory group: the filter only removes non-matching groups, so a user in several cloudhealth-* groups would have several role values released in the SAMLResponse, and a user in none would have no role released at all.
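As an added illustration, not code from this repo, from Duo or from SimpleSAMLphp, the Python below mirrors what the AttributeAlter regex does to a user's group list (keep only values matching cloudhealth-ROLENAME) and then applies the single-group check described above before a role would be released. The user names, group DNs, OU and domain are constructed sample data; the regex accepts either a bare group name or a full memberOf DN, which is an assumption about how the groups arrive, and in the real deployment this logic lives in the core:AttributeAlter rule in IKEY.json rather than in Python.

```python
import re

# CloudHealth naming convention is "cloudhealth-ROLENAME". The pattern accepts
# either a bare group name ("cloudhealth-power") or a memberOf DN
# ("CN=cloudhealth-power,OU=Groups,DC=example,DC=com") and captures the role.
# Accepting both forms is an assumption for illustration.
CLOUDHEALTH_ROLE = re.compile(r'^(?:CN=)?(cloudhealth-[^,]+?)\s*(?:,|$)', re.IGNORECASE)

# Constructed sample data: what an AD-synced memberOf attribute might hold for
# three users. The DNs, OUs and domain are illustrative only.
SAMPLE_USERS = {
    "alice": [
        "CN=Domain Users,CN=Users,DC=example,DC=com",
        "CN=cloudhealth-administrator,OU=Groups,DC=example,DC=com",
        "CN=vpn-users,OU=Groups,DC=example,DC=com",
    ],
    "bob": [  # two cloudhealth-* groups: must be rejected
        "CN=cloudhealth-standard,OU=Groups,DC=example,DC=com",
        "CN=cloudhealth-power,OU=Groups,DC=example,DC=com",
    ],
    "carol": [  # no cloudhealth-* group: must be rejected
        "CN=Domain Users,CN=Users,DC=example,DC=com",
    ],
}


def filter_cloudhealth_groups(groups):
    """Mirror the AttributeAlter step: drop every group value that does not
    match cloudhealth-ROLENAME and return the role names that survive,
    normalised to lower case."""
    roles = []
    for value in groups:
        match = CLOUDHEALTH_ROLE.match(value.strip())
        if match:
            roles.append(match.group(1).lower())
    return roles


def select_role(groups):
    """Enforce the single-group requirement before a role is released.

    Returns the one CloudHealth role name, or raises ValueError if the user
    is in zero or several cloudhealth-* groups, since either case would
    produce a SAMLResponse that does not carry exactly one role value.
    """
    roles = filter_cloudhealth_groups(groups)
    if len(roles) != 1:
        raise ValueError(f"expected exactly one cloudhealth-* group, found {roles}")
    return roles[0]


if __name__ == "__main__":
    for user, groups in SAMPLE_USERS.items():
        try:
            print(f"{user}: {select_role(groups)}")
        except ValueError as err:
            print(f"{user}: REJECTED ({err})")
```

Running the block shows alice mapped to cloudhealth-administrator while bob (two matching groups) and carol (none) are rejected, which is the condition the membership note above is guarding against; in the gateway itself the regex in IKEY.json does the filtering and there is no equivalent hard stop, so the group membership hygiene has to be enforced in AD.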