Configuring Duo Access Gateway without Back-End Authentication Server


#1

One of our customers uses Duo extensively for 2 factor authentication. They are currently exploring the option of configuring Duo’s Access Gateway to leverage the ability of Duo to provide two factor authentication while acting as a SAML IdP.

The customer also wants to configure Duo as a single factor authentication (i.e., Call/SMS/Push only) without having an Authentication Server back-end (LDAP/AD, etc.) configured in the Duo Access Gateway. To give a better picture, consider the following flow:

The setup suggested by Duo in the following page is as follows:

https://duo.com/docs/dag

A SAML SP (our product) --> Duo Access Gateway (sitting at customer’s end) --> Authentication Server + Call/SMS/Push with duo.com website

The setup they (our customer) would like to have is as follows:

A SAML SP (our product) --> Duo Access Gateway (sitting at customer’s end) --> Call/SMS/Push with duo.com website

In brief, they would like to just fetch the username from the SAML Request, and then use that to have a single factor authentication using Call/Push/SMS, which successfully completes the SAML flow if all goes well, and returns back to the SP with a SAML Response.

Is it possible to configure Duo’s Access Gateway to work without a back-end authentication server, and just pass the user to the Call/Push/SMS page?

Thanks and Regards,
Suchindra Chandrahas


#2

Hi Suchindra. At this time, the Duo Access Gateway requires an authentication source for first factor and to retrieve attributes for the SAML response.