Announcing the Duo Single Sign-On public beta

Update: As of June 2, 2020, the public beta for Duo Single Sign-On is available to all non-Federal customers on Duo MFA, Duo Access, or Duo Beyond edition.

We’re excited to announce that Duo Single Sign-On is now open for public beta to U.S.-based, non-Federal customers. The beta is being rolled out following our standard phased deployment process, which means that it will become available in your Duo Admin Panel between March 16 and March 27, 2020.

You are encouraged to join and share your feedback with us! Please read on for more details.

What is Duo Single Sign-On?

Duo Single Sign-On is a cloud-hosted SAML Identity Provider (IdP) that adds two-factor authentication, complete with inline self-enrollment and the Duo Prompt, to popular cloud services like Salesforce and Amazon Web Services using SAML 2.0 federation.

Why use it?

By allowing users to access multiple applications with a single username and password, Duo Single Sign-On helps mitigate the risk of bad password habits while making it easier to work flexibly. You can even create access policies that can differ by application, depending on the sensitivity of its data and the privileges of the user, which reduces user friction while protecting your most important assets.

Who can participate?

Duo Single Sign-On is available to U.S.-based, non-Federal deployments. It will be included at no additional cost in our MFA, Access, and Beyond editions.

How do I try it and learn more?

Look for the “Single Sign-On” page under “Applications” in your Duo Admin Panel. You can learn more about Duo Single Sign-On by visiting our documentation.

Please reach out to us at sso-beta@duosecurity.com to share your feedback or if you have any questions.

1 Like

Hi,

I am a bit confused.
What is the difference between SSO with DAG and this new way?
What are the use cases?
This replaces DAG?

1 Like

Hey there! Great catch in noticing Duo SSO’s similarities with the DAG. The primary difference here is in the on-prem installation. The DAG requires an on-prem installation, while Duo SSO does not. That said, if you are using an on-prem primary auth source, you can still leverage the Auth Proxy to communicate with Duo SSO.

To your question about replacement of the DAG, I’d say this is a “choose one” scenario – you don’t need both, and you can choose whichever of the two best meets the needs of your organization!

2 Likes

Our IdP, Okta, is already a Duo protected application. Is there a use case for setting up Duo SSO alongside Okta SSO?

Hello! Adding to what Kim said, we have a help article that goes into greater detail on the differences between the DAG and Duo SSO (link). Check it out if you’d like to learn more 🙂

1 Like

At the moment, the biggest difference is the beta has very limited application support. For example, from my understanding, O365 is only supported via DAG.

Hey there - while the Duo Access Gateway (DAG) has many more “named” integrations which can be added via the Duo Admin Panel, Duo SSO does include a “Generic Service Provider” integration much like the DAG, which can be used to federate Duo SSO with most other applications that support SAML federation.

With Office 365, Duo SSO currently supports only Modern Auth (i.e. browser-based authentication, such as is used in the Outlook app) via the generic service provider integration and does not currently support Basic Auth (i.e. SMTP/POP3/IMAP). The Duo Access Gateway does support Basic Auth in addition to Modern Auth; however, 2FA is not possible with Basic Auth. It is also worth noting that Microsoft is currently in the process of deprecating Basic Auth.

I hope this clears up the differences between Duo Access Gateway and Duo SSO with respect to Office 365. I’m happy to clarify if you have any further questions.

1 Like

Hi John,

Appreciate the update, this is great news.

On premise DAG has been an issue with customers that have a cloud first approach. For example Office 365/WebEx SSO with Okta does not require an on premise server, just an agent.

As a DUO MSP we are looking forward to general availability for our customers in Australia,

Steve

I’m glad to hear it sounds like this will be a better solution for some of your customers! I should quickly note that at least currently, Active Directory is still the only supported auth source for use with Office 365 - and that using Duo SSO with an Active Directory auth source does require an Authentication Proxy on-prem in order to verify your users’ passwords.

Cheers,
John

1 Like

Interested in the Duo Central portion. Any ideas on a release date for that or even beta date for it? Agree with @steveorfanos - Customers adopting a cloud-first approach generally would not want to install a DAG on-prem. The launcher is what makes SSO a decent user experience.

Will/Does Duo SSO work with RD Gateway? I can’t seem to find that information.

Hey there @Luis_Fuentes,

There is no release date to be announced yet for Duo Central but I’d keep an eye on this site for updates.

Hey @Schmoo,

Duo SSO is a SAML 2.0 Identity Provider. To my knowledge, RD Gateway does not support SAML as an authentication type, so it would not work with Duo SSO.