Skip to main content
All CollectionsSupport for Integrations
Setting up Traceless with Duo
Setting up Traceless with Duo

Step-by-step instructions to use Traceless to send Duo MFA push notifications

Peter avatar
Written by Peter
Updated over 4 months ago

Traceless allows you to effortlessly send identity verification requests to your customers and teammates via Duo and other channels like Microsoft Authenticator. Our tool also allows your team transmit data and files leaving nothing behind for hackers to find.

Following these steps, you will be able to use Traceless to seamlessly send Duo MFA (Multi-Factor Authentication) push notifications directly from your Chat Client (Teams, Slack) or PSA (Professional Services Automation) - ServiceNow, CW PSA, Autotask, etc.

To get Duo set up with Traceless follow these steps:

  1. Generate an Accounts API key from your Duo MSP Parent Account (You must be an owner of this account for the Accounts API to appear in search under "Applications To Protect").

  2. Enter in credentials in Traceless and select which child accounts you would like to create Auth API integrations for

  3. Verify that your child accounts have usernames or aliases that will align with email addresses in your Chat Client or PSA

  4. Test Traceless by sending an mfa challenge via Duo

  5. Adding Credentials for Parent Accounts or other exceptions

NOTE: Please limit access to the IP list we provide when you are logged into Traceless and setting up Duo.

Step 1. Generate your Accounts API key

You will need to be in the parent Duo tenant that manages all your child accounts. If you do not manage your customers this way, skip to Step 5 at the bottom of this article or contact us and we can manually onboard you.

  • Search for "Accounts API" after clicking "Protect an Appication" in "Applications" section

  • Copy the Integration Key, Secret Key and Api Hostname details locally

  • Click "Save Changes"

Step 2. Enter the credentials in Traceless

Navigate to https://traceless.io/duo/connect/ and enter your credentials

  • Click "Connect." This will retrieve every Child Duo account you have access to.

  • Select which accounts to create an Auth API key for in Traceless.

  • Click "Submit." This will generate integrations for all selected Child Duo accounts. If there are errors the system will relay what the issue is. The primary issue that Traceless looks for is if you have users that have no email addresses assigned at all.

  • Once the process is complete you should be ready to test Duo in your PSA or Chat.

  • If you have questions about any errors you see, please contact us

3. Verify all accounts have accessible usernames

Traceless has a utility built in that will allow you to ensure that all your users have usernames or aliases that align with their work email. This way we can use the Auth API to associate their identities across applications. If you have seen errors for child accounts that read: "No email in aliases or username" this can be resolved by this step.

  • Click "Create Aliases." The UI will show all Child Accounts that you have added to Traceless. You can now select which account you'd like to add aliases for.

  • Click "Submit." The system will show you what accounts had aliases add and which accounts failed if any.

With this process complete, we can deliver push notifications to your customers with much higher confidence.

4. Test it out! Go to your PSA where you have already integrated Traceless and send a test Duo push to a customer or teammate that has it implemented.

That's it! If you have questions, please reach out to us using hello@traceless.io or clicking on the chat icon right over there --->

Step 5. Adding Credentials for Parent Accounts

If you'd like to use Traceless to send pushes to your coworkers (we recommend it!) You will need to set up api keys in the Parent Account as well.

You can also use this form to add Traceless to Duo accounts if:

  • you are not in the MSP program

  • There is an orphan account not under any parent tenant.

  • There is a child account still under another parent account.

In the Duo account to be used for sending pushes do the following:

  • Navigate to "Protect an Application"

  • Search for "Admin Api"

  • Click "Protect"

  • Name it something that will be useful for your team.

  • NOTE: Save the list of our ip addresses and limit access to just these.

  • NOTE: Grant only the permission "Grant read resource"

  • Enter in the credentials in Traceless

  • Navigate to "Protect an Application"

  • Search for "Auth Api"

  • Click "Protect"

  • Enter in the credentials in Traceless

  • Click the "Add Account" button in Traceless

This should allow you to send Duo Push notifications to the domains associated with the account. If there are multiple domains that need to be added, please contact us

Thanks for reading!

Did this answer your question?