So I just stumbled across the “Duo Network Gateway” which seems like yet another option to secure a web app with Duo Security 2FA.
This option seems to be one of the more complicated options, plus it requires a higher tier of Duo pricing, but it has the advantage that it allows you to secure access to any internal web app of any kind without having to do anything to the web app itself. I think it also has the advantage of not requiring a direct mapping between users in Duo and users in the web app.
In some cases, you might actually use the “Duo Network Gateway” only for remote users, but it also seems like you could use it in addition to other Duo integrations, even for the same app, if you really wanted to be cautious, while potentially only requiring the 2FA through the Gateway something like once a day, whereas other Duo 2FA options might be configured for every login.
This option seems to make the most sense if you are planning to deploy this solution already for other existing applications, at which point BigFix WebUI Console, WebReports, Inventory, and any others could all be behind this auth mechanism.
This option shouldn’t be needed if the BigFix / Duo SAML integration is configured, but it might be a bit more flexible in some cases.
I still hope that BigFix <-> Duo SAML integration can be documented since it seems like the better option in most cases.
There is also this 3rd option that is specific to the WebUI only: Duo Security Integrated with WebUI
If this moves forward and ends up being released, it would only secure the WebUI itself, but in a more native way that could have a different set of advantages. It should also be easier to configure.
I currently use Duo 2FA for BigFix Console logins indirectly by only allowing console access from Terminal Servers, which require Duo 2FA for RDP.