Demo of Duo + Google Workspace?

Greetings,

I just started using Duo Free to demo the whole system for my admin team. As I was reading the features, I saw that it could be integrated into Google Workspace to act as an MFA there as well.

I currently have Duo set up for Microsoft RDP, mainly for our local computer logins via AD. This is working exactly as I expected, and I wanted to now have Duo act as MFA for our Google logins. Ideally, when we log into Google it should prompt us for a Duo push (or other methods) very similar to how it prompts us for AD. Our current MFA with Google is just their built-in method. It works fine, but I want to use Duo for both if possible. Did I misunderstand how Duo and Google work together? I can’t seem to find an install guide to do this. If it is possible, I would be fine with just an install guide :smile:

Regards!

Zack

Hi @Zachary_Poling,

Duo does have a way to get Duo MFA in front of Google, but it requires utilizing Duo Single Sign-On, our SAML Identity Provider, and federating your Google Workspace account against it. You can find that documentation here.

Google does not allow other MFAs to be used in their normal login so you’d set Google to federate its login over to Duo Single Sign-On which would show your users a different login page that could take their AD credentials and then perform Duo MFA before sending you back to Google.

That’s unfortunate. Duo’s website really seems to hint that you can do that sort of thing. Perhaps that’s standard with MFA and is my fault for misunderstanding. We’ll probably just stay using Google’s MFA for this purpose.

Thanks, Jamie!

Do you have a link to where on the Duo site you see that? I’d like to look at getting it corrected or make it clearer what is happening so others don’t have the same situation occur.

@Zachary_Poling You can use Duo Mobile as an OTP generating app in place of Google Authenticator without a Duo cloud service account.

With this, instead of generating a passcode for Google login in the Authenticator app, you generate the passcode in Duo Mobile. This is still the Google built-in MFA method, and will not send Duo Push requests for login. As @jamie mentioned, Duo Push requires using Duo as an SSO provider (or another SSO provider with Duo support).

Here’s more information about using Duo Mobile as a passcode generator for third-party apps in our end user guide: Third-Party Accounts - Guide to Two-Factor Authentication · Duo Security

Reading back now after knowing how it works, I think the literature is fine. Specifically, the piece ‘Cloud-based SSO for all SAML 2.0 applications’ under editions/pricing is what made me think I could just use Duo as my SSO, since I saw Google Workspace listed under supported cloud applications. However, going back to the supported cloud apps page, I see that clicking on Google Workspace takes me to the article. Again, it is only a misunderstanding on my part.

Thank you again for the explanations!

I may look into using this if we end up getting Duo for all user AD logins, but Google’s MFA by default works as a push notification now if you’re also logged into Google on that mobile device. It’s specifically that push notification I was hoping to get out of Duo, unfortunately. :sweat_smile: