DVLS currently supports Duo as an MFA provider but not as an SSO provider. Integrating with Duo SSO provides more features (e.g. passwordless), more authenticators (e.g. passkeys), and a better user experience. We're moving to passwordless authentication, and the current integration will not support it. Duo SSO supports SAML 2.0 and OIDC, so generic support for those would also suffice.
Hello,
Thank you for your request. Which authentication type do you currently use? Are you using Microsoft Authentication (Entra ID)?
Would you expect to use Duo authentication only for authentication? I am not very familiar with Duo for authentication, but if it supports groups, would you expect to be able to apply security to those groups? If we want to implement security for these groups, we must be able to import groups from Duo, and this aspect is often custom for each provider. We will investigate to see what is possible.
Best regards,
François Dubois
We are using Duo SSO synced with our on-prem AD. We're not using Entra. We mostly authenticate with push notifications to the Duo Mobile app, with a few users using WebAuthn. Our security team just launched a "passwordless" authentication initiative, which Duo can do with Duo SSO and their Universal Prompt feature.
My request would be at minimum to allow user authentication via Duo SSO Universal Prompt with either a custom Duo integration or a customizable generic SAML/OIDC option.
Group membership info would be a nice-to-have. For other applications, I'm able to pass group memberships via a SAML attribute like "memberOf". I then create matching groups in the application which match up with the groups in the SAML attribute. There is no importing of groups into the applications, just a mapping. For instance, this is how the FortiGate VPN Duo integration works.
I believe importing of groups is possible with a SCIM integration, but the above would be good enough for my needs.
Hello,
Thank you for your feedback. I'm taking note of it and will follow this topic to see if there's any additional interest or input from other users.
Best regards,
François Dubois
Here's another visual example of how many other products handle groups with SAML integrations. This is a screenshot of the new group creation screen in Palo Alto Cortex XDR. Note the "Saml Group Mapping" field. They don't do any group syncing via SAML. An admin creates a group in Cortex and then maps that to an existing group in the SAML provider. 
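The mapping-without-import approach described in the posts above, as an added example that is not part of the thread and is not DVLS, Duo, FortiGate or Cortex XDR code: it reads the "memberOf" attribute from a SAML 2.0 assertion and resolves local groups through an admin-defined map, granting nothing for unmapped values. The group DNs, local group names and function names are hypothetical, and the assertion is assumed to have already passed signature, issuer, audience and validity checks in the SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP). Assumption:
# the SAML library has already verified signature, issuer, audience and
# validity window before this code sees it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=PAM-Admins,OU=Groups,DC=example,DC=test</saml:AttributeValue>
      <saml:AttributeValue>CN=Helpdesk,OU=Groups,DC=example,DC=test</saml:AttributeValue>
      <saml:AttributeValue>CN=All-Staff,OU=Groups,DC=example,DC=test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical admin-defined mapping: IdP group (lower-cased DN) -> local group.
# Nothing is imported from the IdP; groups absent from this map grant nothing.
GROUP_MAP = {
    "cn=pam-admins,ou=groups,dc=example,dc=test": "Vault Administrators",
    "cn=helpdesk,ou=groups,dc=example,dc=test": "Vault Operators",
}


def asserted_groups(assertion_xml, attribute="memberOf"):
    """Return the non-empty values of the named attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute:
            for value in attr.iterfind("saml:AttributeValue", NS):
                values.append((value.text or "").strip())
    return [v for v in values if v]


def resolve_local_groups(assertion_xml, group_map=GROUP_MAP):
    """Map asserted IdP groups to local groups, deny by default.

    Membership is recomputed from each login's assertion, so removing a user
    from the IdP group takes effect at their next sign-in.
    """
    # Simplification: DNs are compared after lower-casing only.
    keys = (g.lower() for g in asserted_groups(assertion_xml))
    return sorted({group_map[k] for k in keys if k in group_map})


if __name__ == "__main__":
    print(resolve_local_groups(SAMPLE_ASSERTION))
```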