Duo without Keycloak?

Just curious if it is now possible to set up 2FA without using Keycloak? How are other sites doing this? Right now we are using basic LDAP auth. We may move to another federated authentication option like ADFS.

Thank you

Yes we run Keycloack with DUO MFA.

I’m guessing we use this plugin GitHub - mulesoft-labs/keycloak-duo-spi: Keycloak integration for Duo Security MFA @tdockendorf ?

I would highly recommend moving to ADFS or Keycloak as basic LDAP is very insecure. Indeed you could setup Dex with LDAP now get quite a boost in security - while using the same user database.

I forked that plugin and added group support: GitHub - OSC/keycloak-duo-spi: Keycloak integration for Duo Security MFA as well ability to build the SPI .jar using Docker container via make commands. At OSC we only enforce Duo for members of the “duo” group so that’s the reason for the fork.

Reading through issues on upstream Keycloak Duo SPI I found this: GitHub - instipod/DuoUniversalKeycloakAuthenticator: Keycloak Authenticator for Duo's new Universal Prompt.

OMG Sorry @rgas20 I’m just now reading this with the smart part of my brain.

Looks like ADFS does have support for it. Dex doesn’t support any MFA.