DAG multi-tenancy


#1

Is it possible to use a single DAG to add applications from different customers?


#2

Hi @Renaud,

I’m Jamie, an Application Engineer here at Duo.

While it is possible to upload JSON files from different customers, we do not recommend or advise this. The Duo Access Gateway was designed to be used by a single customer.

Issues that can arise from using multiple DAG JSON files:

  • You can only configure 1 set of Duo keys for the Launcher
  • Duo Access Gateway only supports one active Authentication Source
  • Some service providers have settings in them that would only allow 1 of that type of SP per Duo Access Gateway

Jamie


#3

Along a similar line, is running multiple instances of the DAG Docker container on the same host supported? Or is the only supported configuration to have a container host dedicated to each customer?


#4

Hey there @JoeTauke,

Because the Duo Access Gateway deployed with Docker uses the public ports 80, 443, and 8443, you’d need to deploy a separate host per Duo Access Gateway you’d like to run.

Jamie


#5

In theory though, the docker compose file could be altered to change what ports are exposed publicly. Then a load balancer could be placed in front that directs client URLs to the specific ports we have exposed.


#6

@JoeTauke

That’s something that could be done to get around the limitation. Just be aware that configuration is not supported by Duo.

If you do go down that route, some things to note:

  • You’ll need to change the -p access-gateway in all of the docker commands you run to be unique per DAG or you’ll override the persistent data of each DAG.
  • We release new docker-compose files for each version, which means you’ll need to modify all YML files going forward as new releases come out.

Jamie
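
A pre-deployment check for the unsupported multi-DAG layout discussed in #5 and #6, as an added example that is not part of the thread and is not Duo tooling: it flags a reused `-p` project name and colliding or missing host port mappings before any container is started. The customer names, host port numbers and the `preflight` function are assumptions made up for illustration.

```python
from collections import defaultdict

# Container-side ports the thread says the Docker-based DAG publishes.
DAG_PORTS = (80, 443, 8443)


def preflight(instances):
    """Return a list of problems in a planned multi-DAG layout.

    Each instance is a dict with 'customer', 'project' (the value passed
    to -p) and 'ports' (container port -> host port to publish).
    """
    problems = []
    by_project = defaultdict(list)
    by_host_port = defaultdict(list)
    for inst in instances:
        name = inst["customer"]
        by_project[inst["project"]].append(name)
        missing = [p for p in DAG_PORTS if p not in inst["ports"]]
        if missing:
            problems.append(f"{name}: no host port mapped for {missing}")
        for container_port, host_port in inst["ports"].items():
            by_host_port[host_port].append(f"{name}:{container_port}")
    # A shared project name means the instances share persistent data.
    for project, users in sorted(by_project.items()):
        if len(users) > 1:
            problems.append(f"project name '{project}' reused by {users}")
    # Two mappings cannot publish the same host port.
    for host_port, users in sorted(by_host_port.items()):
        if len(users) > 1:
            problems.append(f"host port {host_port} published by {users}")
    return problems


# Constructed sample plans (not from the thread).
BAD_PLAN = [
    {"customer": "customer-a", "project": "access-gateway",
     "ports": {80: 8080, 443: 8443, 8443: 9443}},
    {"customer": "customer-b", "project": "access-gateway",
     "ports": {80: 8081, 443: 8444, 8443: 9443}},
]
GOOD_PLAN = [
    {"customer": "customer-a", "project": "dag-customer-a",
     "ports": {80: 8080, 443: 8443, 8443: 9443}},
    {"customer": "customer-b", "project": "dag-customer-b",
     "ports": {80: 8081, 443: 8444, 8443: 9444}},
]

if __name__ == "__main__":
    for problem in preflight(BAD_PLAN):
        print("PROBLEM:", problem)
```
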