cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
238
Views
0
Helpful
2
Replies

Duo /admin/v2/integrations API Call Not Working

pwilliams-ck
Level 1
Level 1

@Duo @DuoSecurity

We are trying to figure out why calling /admin/v1/integrations via the official Golang API client works, but /admin/v2/integrations does not. Unfortunately, Duo support staff are struggling to help. Does anyone have experience, or an example (in any programming language) of this working? More details below, thanks in advance.

We have the Golang API client connected to our internal API we are building, we are able to get users and integrations from v1 endpoints but we are struggling with 40103 errors when using /admin/v2/integrations endpoints.


This is a working code snippet, how do I change this to work with v2 endpoints? This is set up nearly identical to the user and group methods in the Golang API client repo Duo recommends to use.


func (c *Client) GetIntegrations(options ...func(*url.Values)) (*GetIntegrationsResult, error) {
params := url.Values{}
for _, o := range options {
o(&params)
}

cb := func(params url.Values) (responsePage, error) {
return c.retrieveIntegrations(params)
}
response, err := c.retrieveItems(params, cb)
if err != nil {
return nil, err
}

return response.(*GetIntegrationsResult), nil
}

func (c *Client) retrieveIntegrations(params url.Values) (*GetIntegrationsResult, error) {
_, body, err := c.SignedCall(http.MethodGet, "/admin/v1/integrations", params, UseTimeout)
if err != nil {
return nil, err
}

result := &GetIntegrationsResult{}
err = json.Unmarshal(body, result)
if err != nil {
return nil, err
}
return result, nil
}
 
We do not understand what is wrong. This works with v1, but not v2. Other user and group methods seem to work either way.
 
I also noticed this in the duosecurity/duo_client_python/duo_client/admin.py, on line 2595. Is this perhaps why it is not working? We need to use SSO params in the call so v2 is required.

        sso - <dict: parameters for generic single sign-on> (optional)
                New argument for unreleased feature. Will return an error if used.
                Client will be updated again in the future when feature is released.
1 Accepted Solution

Accepted Solutions

SOLUTION: Use v5 signing when making requests. The JSONSignedCall function uses v5. Here is the pull request.

https://github.com/duosecurity/duo_api_golang/pull/48

To use v5 signatures, you need to convert their params from type url.values to JSONParams.

    params := duoapi.JSONParams{}
	params["offset"] = "5"
	_, body, err := api.JSONSignedCall(http.MethodGet, "/admin/v2/integrations", params)
	if err != nil {
		println("Error")
		return
	}

	v2Result := &GetIntegrationsResult{}
	err = json.Unmarshal(body, v2Result)
	if err != nil {
		println("Error")
		return
	}

	fmt.Printf("%+v", *v2Result)

---

Reply to dwrice000:

You are not hijacking, I was having the exact same problem. The documentation is very lackluster and outdated, I am building some automation with their Golang Client, and I figured it out mostly.

Maybe you are not seeing the SSO integrations because you need to use v2 Admin API endpoints, not v1. In order to use v2 Admin API endpoints you need to use the v5 signing function. I know it's confusing but their authentication signing is on a different version schema. I really hate their documentation on this, it needs to be fixed.

I am using the Golang client so I don't have time to go back through the Python code but I believe I saw that there is logic to check if you are using v1 or v2 endpoints when you call the API. So I believe if you use v5 signing with v2 endpoints, you should be good.

You also need the correct permissions with the Admin API you are calling, perhaps that is why you can not see SSO params. You can change that quickly in the GUI. Also, what error codes and messages are you getting?

 

View solution in original post

2 Replies 2

dwrice000
Level 1
Level 1

Not trying to hijack your thread but I have issues with integrations v2 as well using Python client and I'm experiencing the same poor support from Duo.  The don't read the notes you put in the case.  In my case, the call works but does not return correct results.  I'm simply trying to list all integrations and it does not list any integrations using Duo SSO.  Here's my small code sample:

import duo_client

ikey = "xxxxxx"
skey = "yyyyyy"
hostname = "api-zzzzzzz.duosecurity.com"

testadmin = duo_client.Admin(ikey=ikey, skey=skey, host=hostname)

integrations = testadmin.get_integrations()
for integration in integrations:
    print(integration) 

SOLUTION: Use v5 signing when making requests. The JSONSignedCall function uses v5. Here is the pull request.

https://github.com/duosecurity/duo_api_golang/pull/48

To use v5 signatures, you need to convert their params from type url.values to JSONParams.

    params := duoapi.JSONParams{}
	params["offset"] = "5"
	_, body, err := api.JSONSignedCall(http.MethodGet, "/admin/v2/integrations", params)
	if err != nil {
		println("Error")
		return
	}

	v2Result := &GetIntegrationsResult{}
	err = json.Unmarshal(body, v2Result)
	if err != nil {
		println("Error")
		return
	}

	fmt.Printf("%+v", *v2Result)

---

Reply to dwrice000:

You are not hijacking, I was having the exact same problem. The documentation is very lackluster and outdated, I am building some automation with their Golang Client, and I figured it out mostly.

Maybe you are not seeing the SSO integrations because you need to use v2 Admin API endpoints, not v1. In order to use v2 Admin API endpoints you need to use the v5 signing function. I know it's confusing but their authentication signing is on a different version schema. I really hate their documentation on this, it needs to be fixed.

I am using the Golang client so I don't have time to go back through the Python code but I believe I saw that there is logic to check if you are using v1 or v2 endpoints when you call the API. So I believe if you use v5 signing with v2 endpoints, you should be good.

You also need the correct permissions with the Admin API you are calling, perhaps that is why you can not see SSO params. You can change that quickly in the GUI. Also, what error codes and messages are you getting?

 

Quick Links