Couple questions regarding swap to AD from Open LDAP Directory, SAML, Passwordless, & Windows Logon

Hello DUO Community,

I am currently implementing Cisco DUO for one of our customers and we are running into some questions that I am unable to answer confidently at this point as I am still lacking overall experience with DUO. I’m just going to list them below, would really appreciate some input on this by more experienced people, thank you so much in advance!

  1. The customer is currently syncing his users/groups from an Open LDAP Directory. These synced users have already enrolled in DUO and are using it for 2FA. However, in the future a migration from Open LDAP to AD is being considered. The question now is, will all the current Open LDAP Users have to enroll again once they have been migrated to an Active Directory? Or is there a way to circumvent this?

  2. The customer has also manually enrolled certain users through a CSV file already. Will these users have to go through the enrolment process again after these exact users have been synced from a directory (assuming it’s the same users that are being synced on top of the already existing ones which have been previously manually enrolled)?

  3. Is it possible to add a second SAML IdP within DUO SSO which can then be used solely for Admin access?

  4. Is it possible to use the new DUO Universal Prompt for Windows Logon/RDP?

  5. Does passwordless authentication also work with Open LDAP or only with AD as stated in the documentation?

Again, some info on this would be very much appreciated, thanks a lot for your help in advance!

  1. No, if the imported username matches the existing username (best success would be if all user attributes synced from AD exist in OpenLDAP with identical values, e.g. matching username, matching email, matching phone numbers, etc.). The recommended process would be to:

    1. Delete the existing AD sync. This changes currently synced users to unmanaged users with their authentication devices intact.

    2. Create the new OpenLDAP sync, selecting a username attribute with values that match the current usernames in Duo.

    3. Run the new OpenLDAP sync. It will take over management of the existing users with matching usernames.

      It will not reuse the same AD managed groups as before though, so any permitted group assignments made previously would need to be updated with the new groups created by OpenLDAP sync.

    Note the prerequisites for syncing OpenLDAP directories, particularly the required LDAP attributes and object classes.

  2. No, as mentioned in #1, the sync takes over management of users with the same Duo username.

  3. No, today Duo SSO supports only one SAML authentication source.

  4. No, the Duo Universal Prompt is exclusive to web-based applications that perform authentication in a browser, and Duo for Windows Logon is a client/server API application. See details about which Duo applications are in-scope and out-of-scope for Universal Prompt here.

  5. No, Passwordless requires AD authentication because Passwordless requires Duo SSO and Duo SSO does not yet support OpenLDAP authentication sources.

Some of the functionality you ask about (3 and 5) may already be feature requests. Have your customer reach out to their Duo account exec or customer success manager if they have one to be added to the feature requests. If they don’t have a dedicated Duo point of contact they can also indicate interest in feature requests through Duo Support.
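Because the new sync only adopts an existing Duo user when the selected username attribute matches the existing Duo username exactly, it is worth comparing the two directories before the sync source is switched. The script below is an added example, not Duo's own code and not part of this thread: it compares a constructed OpenLDAP export with a constructed AD export and reports which current usernames a new sync on a given attribute would take over unchanged, which differ only in case, which appear to have been renamed (matched via `mail`), and which have no counterpart at all. It assumes the Duo usernames are the old `uid` values; the attribute names used (`uid`, `sAMAccountName`, `userPrincipalName`, `mail`) are ordinary LDAP/AD attributes and the sample entries are invented.

```python
"""Pre-migration check: which existing Duo users would a new directory sync adopt?

Added example, not Duo code. Duo sync takes over an existing user only when the
synced username attribute equals the current Duo username, so we compare the old
directory's username attribute against candidate attributes in the new directory.
All directory data below is constructed sample data.
"""

# Constructed OpenLDAP export: the current sync uses `uid` as the Duo username.
OPENLDAP_EXPORT = [
    {"uid": "asmith", "mail": "asmith@example.com"},
    {"uid": "bjones", "mail": "bjones@example.com"},
    {"uid": "clee", "mail": "clee@example.com"},
    {"uid": "dkhan", "mail": "dkhan@example.com"},
]

# Constructed AD export: one exact match, one case-only difference, one rename
# (same mail, different account name) and one account that is not in Duo yet.
AD_EXPORT = [
    {"sAMAccountName": "asmith", "mail": "asmith@example.com",
     "userPrincipalName": "asmith@corp.example.com"},
    {"sAMAccountName": "BJones", "mail": "bjones@example.com",
     "userPrincipalName": "bjones@corp.example.com"},
    {"sAMAccountName": "c.lee", "mail": "clee@example.com",
     "userPrincipalName": "c.lee@corp.example.com"},
    {"sAMAccountName": "efox", "mail": "efox@example.com",
     "userPrincipalName": "efox@corp.example.com"},
]


def reconcile(old_users, old_attr, new_users, new_attr):
    """Classify every current username by how a sync on `new_attr` would see it."""
    old_by_name = {u[old_attr]: u for u in old_users}
    new_by_name = {u[new_attr]: u for u in new_users if u.get(new_attr)}
    new_lower = {name.lower(): name for name in new_by_name}
    new_by_mail = {u["mail"].lower(): u for u in new_users if u.get("mail")}

    result = {"exact": [], "case_only": [], "renamed": [], "missing": [], "new_only": []}
    for name, user in old_by_name.items():
        if name in new_by_name:                      # sync will take this user over
            result["exact"].append(name)
        elif name.lower() in new_lower:              # same letters, different case: verify tenant behaviour
            result["case_only"].append((name, new_lower[name.lower()]))
        elif user.get("mail", "").lower() in new_by_mail:  # same mailbox, new account name
            result["renamed"].append((name, new_by_mail[user["mail"].lower()][new_attr]))
        else:                                        # no counterpart: would become a stale/unmanaged user
            result["missing"].append(name)

    claimed = set(result["exact"])
    claimed |= {new for _, new in result["case_only"]}
    claimed |= {new for _, new in result["renamed"]}
    result["new_only"] = sorted(set(new_by_name) - claimed)  # would be created as brand-new Duo users
    return result


def best_username_attribute(old_users, old_attr, new_users, candidates):
    """Pick the new-directory attribute whose values exactly match the most current usernames."""
    scores = {attr: len(reconcile(old_users, old_attr, new_users, attr)["exact"])
              for attr in candidates}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    attr, scores = best_username_attribute(
        OPENLDAP_EXPORT, "uid", AD_EXPORT, ["sAMAccountName", "userPrincipalName", "mail"])
    print(f"exact-match counts per candidate attribute: {scores}")
    print(f"select '{attr}' as the username attribute in the new sync\n")
    report = reconcile(OPENLDAP_EXPORT, "uid", AD_EXPORT, attr)
    for bucket, entries in report.items():
        print(f"{bucket:>9}: {entries}")
```

Only the `exact` bucket is safe to rely on; `case_only` and `renamed` entries need either the directory attribute corrected before the first run of the new sync or a deliberate decision to let those users re-enroll, and `missing` entries are the accounts whose devices would otherwise be orphaned. The same comparison works in the other direction (AD to OpenLDAP) by swapping the exports and attribute names.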

Hello Kristina,

thank you so much for your detailed answer, much appreciated!

Just one question regarding your response to question 1. The customer is actually trying to migrate from Open LDAP to AD. So it would be the other way around from what you described. I guess it would still be the same process though, right?

Regarding question 5, would a SAML IdP like Shibboleth work in that case or is AD 100% needed here?

Thanks a lot for your help again!

Best regards,
Dario

Yes, sorry for that mixup on the directory types but it is the same idea for a migration either way.

ETA that a benefit of moving from OpenLDAP to AD is that AD sync can use the AD account status to enable/disable users in Duo.