From 9cae521150ddec794871b4004fa4b5a8f711b85b Mon Sep 17 00:00:00 2001
From: Roland Gruber <post@rolandgruber.de>
Date: Tue, 13 Aug 2019 20:08:08 +0200
Subject: [PATCH] Duo

---
 .../manual-sources/chapter-selfService.xml    | 59 +++++++++++++++++--
 1 file changed, 53 insertions(+), 6 deletions(-)

diff --git a/lam/docs/manual-sources/chapter-selfService.xml b/lam/docs/manual-sources/chapter-selfService.xml
index cab1f47a..43b43b69 100644
--- a/lam/docs/manual-sources/chapter-selfService.xml
+++ b/lam/docs/manual-sources/chapter-selfService.xml
@@ -325,6 +325,10 @@
           <listitem>
             <para><ulink url="https://www.yubico.com/">YubiKey</ulink></para>
           </listitem>
+
+          <listitem>
+            <para><ulink url="https://duo.com/">Duo</ulink></para>
+          </listitem>
         </itemizedlist>
 
         <para>privacyIDEA:</para>
@@ -339,6 +343,19 @@
             <para>User name attribute: please enter the LDAP attribute name
             that contains the user ID (e.g. "uid")</para>
           </listitem>
+
+          <listitem>
+            <para>Optional: By default LAM will enforce to use a token and
+            reject users that did not setup one. You can set this check to
+            optional. But if a user has setup a token then this will always be
+            required.</para>
+          </listitem>
+
+          <listitem>
+            <para>Disable certificate check: This should be used on
+            development instances only. It skips the certificate check when
+            connecting to verification server.</para>
+          </listitem>
         </itemizedlist>
 
         <para>YubiKey:</para>
@@ -362,15 +379,45 @@
             <para>Secret key: this is only required for YubiKey cloud. You can
             register here: https://upgrade.yubico.com/getapikey/</para>
           </listitem>
+
+          <listitem>
+            <para>Optional: By default LAM will enforce to use a token and
+            reject users that did not setup one. You can set this check to
+            optional. But if a user has setup a token then this will always be
+            required.</para>
+          </listitem>
+
+          <listitem>
+            <para>Disable certificate check: This should be used on
+            development instances only. It skips the certificate check when
+            connecting to verification server.</para>
+          </listitem>
         </itemizedlist>
 
-        <para>Optional: By default LAM will enforce to use a token and reject
-        users that did not setup one. You can set this check to optional. But
-        if a user has setup a token then this will always be required.</para>
+        <para>Duo:</para>
 
-        <para>Disable certificate check: This should be used on development
-        instances only. It skips the certificate check when connecting to
-        verification server.</para>
+        <para>This requires to register a new "Web SDK" application in your
+        Duo admin panel.</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>User name attribute: please enter the LDAP attribute name
+            that contains the user ID (e.g. "uid").</para>
+          </listitem>
+
+          <listitem>
+            <para>Base URL: please enter the API-URL of your Duo instance
+            (e.g. api-12345.duosecurity.com).</para>
+          </listitem>
+
+          <listitem>
+            <para>Client id: please enter your integration key.</para>
+          </listitem>
+
+          <listitem>
+            <para>Secret key: please enter your secret key.</para>
+          </listitem>
+        </itemizedlist>
 
         <screenshot>
           <mediaobject>