Duo Access Gateway and ADFS


#1

I am new to Duo Access Gateway and to ADFS and am a little confused as to what the differences are between the two.

We need to have Duo protect Connectwise Manage, which I’m told we can do (even though no one currently supports it) via SSO/SAML 2.0 using DUO’s generic SAML service provider.

I set up a DAG server thinking that was the best way to go, but now I’m not so sure. I’m having trouble determining if DAG and ADFS work in tandem or if they are different ways of doing the same thing.

I was under the impression I could just install ADFS on our Domain Controller and link it up to the DAG server, but that doesn’t seem to jive with anything I am now reading.

Would DAG fit somewhere on this network map? https://duo.com/docs/adfs#deployment-overview.

Thanks for your help!

Matt


#2

Duo Access Gateway and AD FS are both SAML 2.0 capable identity providers (or IdPs). They perform the same function: accept a login redirect request from some application, authenticate it against an identity store, and return access approval back to the application.

Look at these network diagrams for DAG and AD FS; you’ll notice the DAG and the AD FS server occupy the same spot.

DAG

ADFS

You do not have to deploy DAG if you’d rather use AD FS with Connectwise Manage. You can set up Connectwise Manage as a relying party in AD FS, and you can then also install the Duo MFA plugin for AD FS to protect those logins.

It is possible to use both DAG and AD FS together. When you deploy DAG you configure it to use AD FS as a SAML IdP primary authentication source, so DAG talks to AD FS which then talks to AD, instead of DAG talking to AD directly. There are a few reasons for this, for example when someone already has a robust existing SAML identity infrastructure and doesn’t want to add Duo to it directly.

It sounds like you don’t have AD FS set up now? Why not give the Duo Access Gateway a try on its own? It has some advantages over AD FS + the Duo plugin, primarily that with DAG you can create Duo access policies for each individual SSO application you configure to use Duo Access Gateway, but with AD FS you can only apply one Duo policy that would apply to every SSO relying party.

So your configuration steps would be:

  1. Deploy Duo Access Gateway
  2. Point it to Active Directory as the primary authentication source
  3. Set up SSO for ConnectWise Manage. When you do this you’ll be bouncing between the Duo Admin Panel (where you create the generic SAML application using whatever parameters/attributes ConnectWise recommends), your Duo Access Gateway server’s admin interface (where you add the application you created in the Duo Admin Panel), and the ConnectWise management console (where you tell it to use Duo for SSO).

This might be a good reference for you: https://docs.connectwise.com/ConnectWise_Documentation/090/020/070/140/SAML_and_SSO_Frequently_Asked_Questions

I could just install ADFS on our Domain Controller

If you do decide to use AD FS instead of the Duo Access Gateway we DEFINITELY do not recommend this unless you also plan to deploy a web application proxy in front of AD FS to protect it from direct external client access.


#3

Thank you, Kristina. This is very helpful!

I was trying to follow the instructions on that CW link you included, but it seemed like I needed ADFS set up to get the metadata needed for setting up SSO. That’s where I got stuck. I am glad to know I don’t have to set up ADFS. Looks like I can get that metadata and certificate from the DAG portal.

I would much rather just use the DUO Access Gateway. Especially since I already have it set up!

Thank you for your quick reply!


#4

If possible could you update this thread with information about how you configured Duo for this? I’m getting a “bad request” response at the moment, I presume because I’m sending the wrong attributes back to ConnectWise.
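For the service-provider side of the setup described in #2 and #3 (pulling the IdP metadata and signing certificate from the DAG portal) and the attribute mismatch suspected in #4, here is an added example that is not code from Duo, ConnectWise or any poster: it parses a SAML 2.0 IdP metadata document into the values an SP configuration needs, and reports which expected attributes an assertion lacks. The hostname, certificate bytes and attribute names are constructed placeholders, since the thread does not state which attributes ConnectWise Manage requires.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed IdP metadata shaped like what an IdP's metadata endpoint returns.
# The hostname and certificate content are placeholders, not real DAG values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://dag.example.com/idp/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://dag.example.com/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment; the attribute names are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_idp_metadata(xml_text):
    """Return the entityID, SSO endpoints keyed by binding, and the SHA-256
    fingerprint of each signing certificate: the values an SP must pin."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means both uses
            b64 = kd.find(".//ds:X509Certificate", NS).text
            der = base64.b64decode("".join(b64.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_sha256": fingerprints}

def missing_attributes(assertion_xml, required):
    """Names in `required` absent from the assertion's AttributeStatement;
    a non-empty result is the usual cause of an SP rejecting the response."""
    root = ET.fromstring(assertion_xml)
    present = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    return sorted(set(required) - present)
```

Compare the returned entity ID, endpoint and fingerprint against what you entered in the SP, and run the attribute check against a decoded response before changing the attribute mapping in the Duo Admin Panel.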