Clariti Docs
Credentials5 minutes· easy

Duo Security

Identity & Access

Connects to Duo Security to pull MFA enrollment status, user inventory, and the apps protected behind Duo so Clariti can show your multi-factor authentication coverage and flag users without an enrolled factor.

What Clariti Collects

What You'll Need

  • Administrator access to the Duo Admin Panel
  • A Duo plan that includes Admin API access (Duo Beyond, Duo Access, or Duo MFA with API)
  • ~5 minutes to complete setup
  • Your Clariti account with adapter management permissions

Get Your Credentials

Log in to the Duo Admin Panel at admin.duosecurity.com. Navigate to Applications > Protect an Application and search for Admin API. Click Protect to create a new Admin API application.

The application page displays three values you'll need:

  • Integration key (ikey) — Duo's name for the public identifier of this API application. Goes into Clariti's Integration Key field.
  • Secret key (skey) — the private key used to HMAC-sign each request. Goes into Clariti's Secret Key field. Store securely; Duo does NOT show it again after you leave the page.
  • API hostname — looks like api-XXXXXXXX.duosecurity.com, unique per Duo customer. Goes into Clariti's API Hostname field.

In the Admin API application's Permissions section, enable Grant read resource so Clariti can read users, their enrolled MFA factors, and the integrations protected by Duo. Do not enable Grant write resource, Grant read log, Grant resource read, or any "write" permission — Clariti will never use them and granting them widens your blast radius if the integration key ever leaks.

Enter Credentials in Clariti

Click Connect now on the Duo card in the Clariti integrations catalog and paste the three values:

Value from vendor consolePaste into Clariti field
Integration key (ikey)Integration Key
Secret key (skey)Secret Key
API hostnameAPI Hostname

Verify Connection

Click Test Connection in Clariti. A successful connection returns a green checkmark. The first data sync typically completes within a few minutes.

Auth-log anomaly findings (optional — requires Grant Read Log)

In addition to MFA-coverage gaps, Clariti scans the last 24 hours of Duo authentication logs and emits one auth_anomaly finding per user with 5 or more failed MFA attempts in that window (10+ fails escalates to high severity). This is the canonical SMB indicator of credential stuffing, phishing-relayed prompt bombing, or a misconfigured client (e.g. an RDP gateway looping on a saved password).

FAILURE and FRAUD results both count toward the tally; SUCCESS and ERROR don't. Integration-level auth probes (RADIUS proxy, LDAP sync) that arrive without a username are ignored — they aren't actionable at the user level.

This requires the Grant Read Log permission on your Duo Admin API application (separate from Grant Read Resource which the rest of the adapter needs). If you don't enable it, Clariti degrades silently — the MFA-coverage finding still ships, the auth-anomaly findings just don't appear. Enable it in the Duo Admin Panel under your API application's settings, then re-poll.

Troubleshooting

  • 401 Unauthorized — Verify the Integration Key and Secret Key are copied exactly. The HMAC signature will fail if either value has trailing whitespace.
  • 403 Forbidden — Ensure the Admin API application has Grant Read Resource permissions enabled in the Duo Admin Panel.
  • 403 Forbidden on auth logs only — The integration key has Grant Read Resource but lacks Grant Read Log. The MFA-coverage signal still works; add Grant Read Log to unlock auth-anomaly findings.
  • Timeout — Check that the API hostname is entered correctly. Clariti retries automatically on transient failures.