Introduction and General Instructions
MyAccess Lookup (https://myaccess.ucsf.edu/lookup) is a tool for cross-referencing UCSF affiliation information with computing account details. With this you can find the Active Directory accounts associated with a given employee, affiliate or student and details related to their associations with the University.
In the input field below you can enter the first name, last name, display name, email, SFID (SF######), or UCSF ID number (02#######) to search for the details described above. After entering the search term, click the "Search" button.
Below, the search term is "Smith" and it returned 764 entries with "smith" in the first name, last name, display name, email, SFID, or UCSF ID. When the initial list is returned, the first result in the list on the left, highlighted yellow, has its record's details displayed in the tabs on the right side of the page. Use the scroll bar near the middle of the page (on the right side of the list of results) to scroll through the returned entries. When you click on an entry, a popup will appear while the website retrieves that person's record. When the new records are retrieved they will be displayed in the tabs on the right, replacing the previous set of records/tabs that were there before.
This section has not yet been completed.
Active Directory Tabs
This section has not yet been completed.
The Duo Tab shows the details of each Duo account provisioned through Active Directory syncing that is related to the person selected in the list of results on the left.
The example below shows a person with three Duo accounts, each related to a distinct AD account. The first is a regular Campus AD domain Duo account. The second one is for an elevated (i.e. admin) account, also in the Campus domain. The third is a regular Medical Center AD domain Duo account. You can find a handy FAQ for Duo Administration here.
The attributes for each record are as follows:
- Username: the Duo username, which should match an AD username (sAMAccountName). The username value is a convenient link to the Duo accounts detail page on DuoSecurity.com
- AD Domain: the AD domain for which this Duo account was provisioned
- AD Groups: AD Groups which establish the AD ↔ Duo synchronization relationship. The Duo sync process knows to provision an account from AD when an AD user is placed into one of a chosen set of AD groups. The group or groups listed within this row tell you that this AD account caused a related Duo account to be provisioned because it was placed into the listed AD group and the Duo sync system picked it up.
- Email: the email address that Duo uses to communicate with the owner of this account. It is almost always the case that this is the same email address of the mail-enabled AD account of the person who owns this Duo account.
- Status: this status only reflects the state of this Duo account, not the AD account. So, while the related AD account may be active, the Duo account can be inactive, for example because it was locked out or manually disabled by an administrator.
- Phones: The list of phones with numbers that can perform 2FA for this Duo account
- Tokens: The list of tokens or keys (e.g. YubiKeys) that can perform 2FA for this Duo account
Duo Provision Button
This button initiates the process of adding an existing AD account into Duo. It is important to understand that this button does not directly create the account in Duo. Rather, the button slates the AD account to be provisioned by a scheduled (asynchronous) process that occurs every 10 minutes. So, after you click this button for a given AD account in Lookup, the account should be provisioned in Duo within 10 minutes. When the actual provisioning occurs the customer should expect to receive a welcome/setup email from UCSF's Duo instance, and they can then begin the enrollment steps for adding devices, etc. A reasonable formula for helping customers is to click the button and then let them know to wait at least 15 minutes for the welcome email to arrive.
Not Yet Provisioned
This screen shot shows the typical situation where an AD account is not yet provisioned in Duo.
After pressing the button, a popup will appear explaining that Lookup is scheduling the given AD account for Duo provisioning. When the scheduling is complete, if all goes well, the popup will change to show:
Once you click the "Close" button, the Duo Provision Status should have changed from "Not yet provisioned" (with the provision button) to just "Pending..."
Any other behavior should be reported to the Identity & Access Management team.
This status indicates that a provision request has recently been submitted and should complete within the next 10 minutes. Please refer to the section above on "Not Yet Provisioned" for more details.
"Provisioned" means that this AD account already has an analogous, provisioned account in Duo. If you see this status but cannot find an account in Duo of the same name as the related AD username, please contact the Identity & Access Management team.
Duo does not sync with this domain
This status will appear for accounts that reside in AD domains which do not synchronize with Duo. Even if a Duo account exists with the same username as this AD account, this status will appear.
Currently the only Active Directory domains which sync with Duo are:
- Medical Center (UCSFMC)
- School of Medicine (SOM)
Duo does not sync with BCHO Core (Core), BCHO Research (RSCH), UDAR or SDE.
Under The Hood
When you click the button in Lookup, two things happen:
- The AD account is (supposedly*) moved to the proper AD group.
- A record is made in the Duo provision log (a database table) for that AD account to be synced to Duo.
Then, on IAM’s data processing server, a task happens every 10 minutes which:
- Finds all pending records in the Duo provision log
- Sends sync requests to Duo for each pending AD account retrieved from the Duo provision log
- The Duo provision log records the successful reply from Duo. If the sync request was unsuccessful for any reason, this is recorded in the log and marked for reprocessing. A maximum of two more attempts will be made to reprocess such records in subsequent executions of the data processing server task. If after a total of three tries the AD account still cannot be synced with Duo, the request log entry will be marked as an error, with comments.
* Moving the AD account to the proper AD group is tagged as "supposedly" because it has been shown that changes in AD can take an inordinate amount of time to propagate to the applicable parts of the AD forest, sometimes on the order of hours. This can cause Duo to not see the account in the group when attempting to sync. Originally, the Duo provision button was meant to take care of adding the account to the group and then immediately prompting Duo to sync the individual account. Because of this potential delay the process was split into the two asynchronous processes described above.
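The following Python simulation is an added example, not UCSF IAM's code and not part of the Lookup application. It models the flow described in the sections above: the Duo Provision Status strings, the two things that happen when the button is clicked (group membership change plus a provision log row), and the every-10-minutes task with its three-try limit, including the AD group propagation lag noted with the asterisk. The sync group name Duo-Sync-Users, the FakeDuo stand-in, the log column names, and the choice to show "Not yet provisioned" again once a log row has been marked as an error are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Domains the page lists as syncing with Duo; Core, RSCH, UDAR and SDE do not.
SYNCED_DOMAINS = {"UCSFMC", "SOM"}
MAX_ATTEMPTS = 3               # one initial try plus at most two reprocessing attempts
SYNC_GROUP = "Duo-Sync-Users"  # assumed name of the AD group the Duo sync watches


@dataclass
class ProvisionLogEntry:
    """One row of the Duo provision log table (column names assumed)."""
    username: str
    domain: str
    status: str = "pending"        # pending | provisioned | error
    attempts: int = 0
    comments: List[str] = field(default_factory=list)


class FakeDuo:
    """Stand-in for Duo's directory sync. It sees AD group membership only
    through a replica that lags the writable copy by `lag_runs` task runs,
    modelling the propagation delay the page describes."""

    def __init__(self, ad_groups: Dict[str, Set[str]], lag_runs: int) -> None:
        self._ad_groups = ad_groups
        self._lag_runs = lag_runs
        self._runs_seen = 0
        self._replica: Set[str] = set()
        self.accounts: Set[str] = set()   # Duo usernames that currently exist

    def tick(self) -> None:
        """Called once per scheduled run; the replica catches up after the lag."""
        self._runs_seen += 1
        if self._runs_seen > self._lag_runs:
            self._replica = set(self._ad_groups.get(SYNC_GROUP, set()))

    def sync_user(self, username: str) -> bool:
        """Duo provisions the user only if its replica shows group membership."""
        if username in self._replica:
            self.accounts.add(username)
            return True
        return False


def lookup_status(username: str, domain: str, duo: FakeDuo,
                  log: List[ProvisionLogEntry]) -> str:
    """Derive the Duo Provision Status string Lookup would display."""
    if domain not in SYNCED_DOMAINS:
        # Shown even if a Duo account with the same username exists.
        return "Duo does not sync with this domain"
    if username in duo.accounts:
        return "Provisioned"
    if any(e.username == username and e.domain == domain and e.status == "pending"
           for e in log):
        return "Pending..."
    return "Not yet provisioned"   # also used after an error row (assumption)


def click_provision_button(username: str, domain: str,
                           ad_groups: Dict[str, Set[str]],
                           log: List[ProvisionLogEntry]) -> None:
    """The two things the page says happen on click."""
    if domain not in SYNCED_DOMAINS:
        raise ValueError(f"{domain} does not sync with Duo")
    ad_groups.setdefault(SYNC_GROUP, set()).add(username)   # 1. move into the group
    log.append(ProvisionLogEntry(username=username, domain=domain))  # 2. log row


def run_scheduled_task(log: List[ProvisionLogEntry], duo: FakeDuo) -> None:
    """The every-10-minutes task: process pending rows, retry up to MAX_ATTEMPTS."""
    duo.tick()
    for entry in log:
        if entry.status != "pending":
            continue
        entry.attempts += 1
        if duo.sync_user(entry.username):
            entry.status = "provisioned"
            entry.comments.append(f"attempt {entry.attempts}: Duo confirmed sync")
        elif entry.attempts >= MAX_ATTEMPTS:
            entry.status = "error"
            entry.comments.append(f"attempt {entry.attempts}: sync failed; no attempts left")
        else:
            entry.comments.append(f"attempt {entry.attempts}: sync failed; marked for reprocessing")


def simulate(username: str, domain: str, lag_runs: int,
             runs: int) -> Tuple[List[str], List[ProvisionLogEntry]]:
    """Click the button once, run the task `runs` times, and return the status
    shown before the click, after the click, and after each run, plus the log."""
    ad_groups: Dict[str, Set[str]] = {}
    log: List[ProvisionLogEntry] = []
    duo = FakeDuo(ad_groups, lag_runs)
    history = [lookup_status(username, domain, duo, log)]
    click_provision_button(username, domain, ad_groups, log)
    history.append(lookup_status(username, domain, duo, log))
    for _ in range(runs):
        run_scheduled_task(log, duo)
        history.append(lookup_status(username, domain, duo, log))
    return history, log


if __name__ == "__main__":
    # Constructed sample: "jsmith" in UCSFMC with a one-run replication lag.
    history, log = simulate("jsmith", "UCSFMC", lag_runs=1, runs=2)
    print(history)
    print(log[0].comments)
```

With a lag of zero or one run the row ends up "provisioned" and Lookup moves from "Pending..." to "Provisioned"; with a lag of three or more runs all three tries fail, the row is marked "error" with one comment per attempt, and the status no longer reads "Pending...", which is the situation the page says should be reported to the Identity & Access Management team.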