Migrate from the Duo Traditional Prompt to the Duo Universal Prompt
The Universal Prompt is an enhanced authentication experience for Duo Security users. It provides a more secure and advanced authentication experience than the Traditional Prompt, which has been the default experience in previous Splunk Enterprise versions.
Due to the announced deprecation of the Traditional Prompt, you must migrate from the Traditional to the Universal Prompt by taking the following steps.
1. Upgrade to one of the Splunk Enterprise versions that support the Duo Universal Prompt
Versions that support the Duo Universal Prompt include 9.1.6, 9.2.3, 9.3.1, or higher except versions 9.2.0, 9.2.1, 9.2.2, and 9.3.0.
After you upgrade, in the Duo Admin Panel, the Traditional prompt is enabled. You can check it in the following way:
- In the left panel, select Applications.
- Under All Applications, select Splunk.
- On the Splunk page, to see the status, scroll down to the Universal Prompt section.
2. Test with multiple users whether they are able to log in using Duo multifactor authentication (MFA)
- If users log in using Duo MFA, it means that the Duo Traditional Prompt works correctly with the upgraded Splunk Enterprise version. See universalPrompt setting - scenarios.
- If users are unable to log in using Duo MFA, roll back to the Traditional Prompt and start again.
Before you continue, make sure that users can log in using Duo MFA. Enabling the Universal Prompt can't be reversed.
Roll back to the Traditional Prompt
- On the Splunk Enterprise instance where you want to migrate to Duo Universal Prompt, open the $SPLUNK_HOME/etc/system/local/authentication.conf file.
- Under the 2FA stanza, add the universalPrompt setting if it is not there, and set its value to False. See Scenarios depending on the value of the universalPrompt setting.
- If possible, restart the Splunk Enterprise instance.
- If restarting the Splunk Enterprise instance is impossible, take these steps:
  - Create an appSecretKey by generating a SHA1 hash of a random value. Use one of the following ways to generate the SHA1 hash:
    - Use the SHA1 Hash Generator page. See https://passwordsgenerator.net/sha1-hash-generator/.
    - Run the following command:

      ```
      echo `openssl rand -hex 20` | openssl dgst -sha1
      ```
    - Run the following Python script:

      ```python
      import hashlib
      import os

      # Hash 32 random bytes and print the hex digest to use as the appSecretKey.
      print(hashlib.sha1(os.urandom(32)).hexdigest())
      ```
  - To set the universalPrompt setting to the value of False, send the following request. Include the appSecretKey that you created. To obtain a secret_key value, run the splunk login CLI command. To learn about administrative commands, see Administrative CLI commands in the Admin Manual.

    ```
    curl --request POST \
      --url https://<sh_uri>:<mgmt_port>/services/admin/Duo-MFA/duo-mfa \
      --header 'Authorization: Splunk <secret_key>' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data universalPrompt=false --data appSecretKey=<app_secret_key>
    ```
The Duo Traditional Prompt using the original working code has been enabled.
- If users are still unable to log in with Duo MFA, take these steps until your development team resolves the Duo MFA issues:
- Remove the 2FA stanza from the configuration file. To learn about the 2FA stanza, see Configure Duo multifactor authentication for Splunk Enterprise in the configuration file.
- Disable Duo MFA by deleting the following authentication settings from the configuration file:
```
externalTwoFactorAuthVendor = <Duo>
externalTwoFactorAuthSettings = <2FA stanza name, usually 'duo-mfa'>
```
3. Enable the Duo Universal Prompt
- In the Duo Admin Panel, on the Splunk page, scroll down to the Universal Prompt section and select the See Update Progress link.
- Select the Activate Universal Prompt for 1 app button.
- Test with multiple users that they are able to log in using the Universal Prompt.
- If users log in using Duo MFA, you have successfully completed the migration.
- If users are unable to log in using Duo MFA, under Activate Universal Prompt, select Show Traditional Prompt. Next, investigate with your development team what causes issues when logging in using the Universal Prompt.
universalPrompt setting - scenarios
This table presents configuration scenarios depending on the value of the universalPrompt setting.
universalPrompt value - Splunk Enterprise | universalPrompt value - Duo Admin Panel | Triggered flow | Comments |
---|---|---|---|
True - default value after upgrading to version that supports the Universal Prompt | False - default value after upgrading to version that supports the Universal Prompt | Upgraded version with the Traditional Prompt | See 1. Upgrade to one of the Splunk Enterprise versions that support the Universal Prompt. |
False | False | Previous version with the Traditional Prompt | See 2. Test with multiple users if they are able to log in using Duo MFA. |
True | False | Upgraded version with the Traditional Prompt | See 3. Enable the Duo Universal Prompt. |
True | True | Upgraded version with the Universal Prompt | Migration completed successfully |
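
The version list from step 1 and the scenario table above, combined into a pre-migration check. This is an added example, not Splunk code: the function names are hypothetical, the sample file is constructed, and the Duo Admin Panel state is read off manually and passed in.

```python
import configparser

# Scenario table from this page: (Splunk universalPrompt, Duo Admin Panel value) -> flow
FLOWS = {
    (True, False): "Upgraded version with the Traditional Prompt",
    (False, False): "Previous version with the Traditional Prompt",
    (True, True): "Upgraded version with the Universal Prompt",
}
EXCLUDED = {(9, 2, 0), (9, 2, 1), (9, 2, 2), (9, 3, 0)}

def supports_universal_prompt(version):
    """True for 9.1.6, 9.2.3, 9.3.1 or higher, minus the excluded releases."""
    parts = [int(p) for p in version.split(".")]
    v = tuple((parts + [0, 0])[:3])  # pad "9.2" to (9, 2, 0)
    return v >= (9, 1, 6) and v not in EXCLUDED

def splunk_universal_prompt(conf_text):
    """Effective universalPrompt value, or None if no 2FA stanza is referenced."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    for section in cp.sections():
        stanza = cp[section].get("externalTwoFactorAuthSettings")
        if stanza and cp.has_section(stanza):
            # Assumption: an absent setting means True, the table's post-upgrade default.
            raw = cp[stanza].get("universalPrompt", "True")
            return raw.strip().lower() in ("true", "1")
    return None

def triggered_flow(version, conf_text, duo_universal):
    if not supports_universal_prompt(version):
        return "Upgrade first: this version does not support the Universal Prompt"
    splunk_value = splunk_universal_prompt(conf_text)
    if splunk_value is None:
        return "Duo MFA is not configured"
    return FLOWS.get((splunk_value, duo_universal), "Not covered by the scenario table")

# Constructed sample authentication.conf; stanza layout and values are placeholders.
SAMPLE = """
[authentication]
externalTwoFactorAuthVendor = duo
externalTwoFactorAuthSettings = duo-mfa

[duo-mfa]
universalPrompt = False
"""

if __name__ == "__main__":
    print(triggered_flow("9.2.3", SAMPLE, False))
```

A False value in Splunk Enterprise combined with an activated Universal Prompt in the Duo Admin Panel is reported as not covered, because the table has no row for it.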
Troubleshoot a validation issue
Duo MFA token validation failed error
- This error may occur during login after you update the on-premises installation of Splunk Enterprise to version 9.1.6, 9.1.7, 9.2.3, or 9.3.1.
- It affects setups that require using username aliases or username normalization to log in. The username that Splunk Enterprise uses to validate the successful Duo Universal Prompt authentication does not match the username that you entered when logging in.
- To resolve the error, temporarily roll back to the Duo Traditional Prompt. See Roll back to the Traditional Prompt.
This documentation applies to the following versions of Splunk® Enterprise: 9.1.6, 9.1.7, 9.2.3, 9.2.4, 9.3.1