Duo Access Gateway and AD FS are both SAML 2.0 capable identity providers (or IdPs). They perform the same function: accept a login redirect request from some application, authenticate it against an identity store, and return access approval back to the application.
Look at these network diagrams for DAG and AD FS; you’ll notice the DAG and the AD FS server occupy the same spot.
[Network diagram: DAG]
[Network diagram: AD FS]
You do not have to deploy DAG if you’d rather use AD FS with ConnectWise Manage. You can set up ConnectWise Manage as a relying party in AD FS, and you can then also install the Duo MFA plugin for AD FS to protect those logins.
It is possible to use both DAG and AD FS together. When you deploy DAG you configure it to use AD FS as a SAML IdP primary authentication source, so DAG talks to AD FS which then talks to AD, instead of DAG talking to AD directly. There are a few reasons for this, for example when someone already has a robust existing SAML identity infrastructure and doesn’t want to add Duo to it directly.
It sounds like you don’t have AD FS set up now? Why not give the Duo Access Gateway a try on its own? It has some advantages over AD FS + the Duo plugin, primarily that with DAG you can create Duo access policies for each individual SSO application you configure to use Duo Access Gateway, but with AD FS you can only apply one Duo policy that would apply to every SSO relying party.
So your configuration steps would be:
- Deploy Duo Access Gateway
- Point it to Active Directory as the primary authentication source
- Set up SSO for ConnectWise Manage. When you do this you’ll be bouncing between the Duo Admin Panel (where you create the generic SAML application using whatever parameters/attributes ConnectWise recommends), your Duo Access Gateway server’s admin interface (where you add the application you created in the Duo Admin Panel), and the ConnectWise management console (where you tell it to use Duo for SSO).
This might be a good reference for you: https://docs.connectwise.com/ConnectWise_Documentation/090/020/070/140/SAML_and_SSO_Frequently_Asked_Questions
> I could just install ADFS on our Domain Controller
If you do decide to use AD FS instead of the Duo Access Gateway we DEFINITELY do not recommend this unless you also plan to deploy a web application proxy in front of AD FS to protect it from direct external client access.