Duo Security is a provider of 2-factor authentication or multi-factor authentication services. 2-factor authentication adds an extra layer of security to user accounts, preventing unauthorized access to the system even if a username and password are compromised. After users enter their username and password, they are asked to authenticate with Duo which typically involves receiving a push notification to a mobile device, a text message or a phone call as a method of verification.
Aeries can be configured to not only authenticate users with Duo when they log in, but also when they navigate to important pages like Gradebook, Grades, and Transcripts.
Before you start, you’ll need to make sure you have a Duo account available. You can obtain a free trial account or limited account to test it out. For more information visit duo.com.
Configuring Duo
After creating an account and logging into Duo, click on Applications, then click Protect an Application and click Protect for Aeries SIS.
After clicking Protect , a new application will be created and you will be taken to the settings page. An Integration Key (Client ID), Secret Key (Client Secret) and API hostname have been created for you.
Configuring Duo in Aeries
Log into Aeries as an administrator account and navigate to Security > Duo in the navigation. Enter the Client ID, Client Secret, and API hostname from the Duo application. Use the Test Duo button to verify Duo is working properly before continuing. You should see a sample Duo authentication screen.
IMPORTANT: Be sure to Test Duo before Enabling. While there is validation on the length of the Client ID and Client Secret, an error in the API Hostname URI can be saved. Then,if Duo has been enabled, the 2-factor authentication will fail and you will be locked out of the application.
Once you have tested the configuration, additional settings should be configured.
Re-Authentication Timeout Period - Users will be prompted for Duo authentication this many minutes after they last authenticated in a specific secured area. For example, if the user has authenticated for Grades under Student > Grades and then moves to Report Card History, if they stay more than the Timout Period, then navigate back to Grades, they will have to reauthenticate. A value of 0 will keep the authentication valid for their entire session.
Secure Areas Independently? - When this option is enabled, one Duo authentication prompt will occur per enabled security area/feature (that is configured below). Otherwise authenticating within one area (after login) will pass that Duo access to all secured areas, causing the user to only receive the authentication prompt once per session or until the re-authentication timeout period is reached.
Once Duo is enabled, access to the Duo page itself will ALWAYS require authentication to prevent unauthorized changes to the settings.
Also, Data Validations will always require authentication.
The following areas can be configured to prompt Duo authentication, either External or Internal by checking the appropriate box. Note: External sites are defined in your AppSettings.Config file with an <External>True</External>. Contact Aeries Support for assistance configuring this file if necessary.
- Login (Admins)
- Login (Teachers and Office Staff)
- Student Grades
- Gradebook
- Transcripts (only users with permission to change transcripts will be required to authenticate)
- Medical History
- Medications
- Medical. Includes:
- Log
- Daily Medical Log
- Medication Schedule
- Attendance. Includes:
- Classroom Attendance
- Assertive Discipline
- Discipline
- Teacher Emulation > Gradebook
- Portal Management > Portal Options, Create Substitute Accounts
- Security (All pages)
- Mass Change Attendance Codes
Once Duo Security has been configured, check Enable. Users will now be prompted to authenticate with Duo when entering the areas specified. For example, if Login (Teachers and Office Staff) has been turned on, the user will be prompted to log into Aeries, then authenticate with Duo.
The first time a user logs in they will be asked to choose their authentication method. The options available to users on the Duo authentication prompt are determined by configuration within your account with Duo.
Follow the prompts to complete your account setup. Contact your IT department if you need further assistance.