Duo Release Notes for March 27, 2020

Hello everyone! Here are the release notes for the most recent updates we’ve made to Duo.

You can subscribe to notifications for new release notes by following the process described here. If you have any questions about these changes, please comment below.

What’s in this release?

New features, enhancements, and other improvements

New and updated applications

Bug fixes

See all bug fixes

New features, enhancements, and other improvements

Join the public beta for Duo-hosted Single Sign-On

  • Duo-hosted SSO makes it easy for administrators to set up and protect users and SAML applications. Users will be able to access multiple applications with one username and password while allowing organizations to set policies for each application. Duo SSO is included in MFA, Access, and Beyond editions.
  • This beta is available for U.S.-based, non-Federal customers.
  • You can opt in to the beta and begin configuring Duo’s SSO by logging into the Duo Admin Panel and going to Applications > Single Sign-On.
  • Read the blog post about Duo SSO or check out the documentation.

Changes to Auth API number field to partially mask phone numbers

  • The number field for a device returned from the /preauth endpoint will now be masked to show only the last four digits of the device’s phone number.
  • For example, if the phone number is 123-456-7890, the endpoint will return the number as XXX-XXX-7890.
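For integrations that used to compare the `number` field against a directory phone number, here is one way to adapt to the masked value. This is an added example, not Duo's code: the sample response is constructed, and the field names other than `number` (`device`, `type`, `capabilities`) are assumed from the Auth API device object.

```python
import re

# Constructed /preauth response body (sample data, not captured output).
# Device IDs and numbers are made up for illustration.
SAMPLE_PREAUTH = {
    "stat": "OK",
    "response": {
        "result": "auth",
        "devices": [
            {"device": "DPEXAMPLE0000000001", "type": "phone",
             "number": "XXX-XXX-7890", "capabilities": ["push", "sms"]},
            {"device": "DPEXAMPLE0000000002", "type": "phone",
             "number": "XXX-XXX-0100", "capabilities": ["sms"]},
            {"device": "DHEXAMPLE0000000003", "type": "token", "name": "0"},
        ],
    },
}

def last_four(number):
    """Return the last four digits of a full or masked number, else None."""
    digits = re.sub(r"\D", "", number or "")
    return digits[-4:] if len(digits) >= 4 else None

def is_masked(number):
    """True when the value carries mask characters instead of a full number."""
    return bool(number) and "X" in number.upper()

def candidate_devices(preauth, directory_number):
    """Device IDs whose masked number is consistent with directory_number.

    Four digits cannot prove identity, so the result is a list of
    candidates; callers should act on it only when exactly one remains.
    """
    if preauth.get("stat") != "OK":
        raise ValueError("preauth call failed")
    want = last_four(directory_number)
    matches = []
    for dev in preauth["response"].get("devices", []):
        num = dev.get("number")
        if dev.get("type") == "phone" and want and last_four(num) == want:
            matches.append(dev["device"])
    return matches
```

Code that stored or dialed the `number` value directly should check `is_masked()` first and key on the device ID instead.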

Improvements and enhanced troubleshooting support for Directory Sync when using Active Directory (AD) or OpenLDAP

  • If an administrator has configured two or more domain controllers or domain servers, the Directory Sync service will try each one in order when attempting to perform a successful sync. Previously, domain controllers or domain servers were tried at random.
  • A new section of help text has been added to the configuration pages for Active Directory or OpenLDAP syncs called “Troubleshooting.” It includes tips on identifying and fixing common issues.
  • From the new Troubleshooting section, administrators can now also run a diagnostic sync. To assist with diagnosing any issues, the Administrator Actions report will now also display a 32-character Sync Reference Code that can be provided to the Duo Support Team when seeking help. The Administrator Actions report is viewable in the Reports section of the Admin Panel.
  • Active Directory Lightweight Directory Service (AD LDS) proxied users are now supported for AD syncs.
  • Performance for AD and OpenLDAP syncs has been improved across the board.
  • Synced groups will be named differently to prevent name collisions and unexpected changes in users’ group membership and group-related security posture. Groups that are associated with a Directory Sync will now include the name of that Directory Sync when displayed in the Admin Panel.

Read-only behavior added for administrators viewing the administrator details page of an administrator with different account access

  • Administrators on multiple accounts will now see a read-only view in the Admin Panel when accessing the administrator details page of an administrator with different account access, such as one on a different sub-account. Previously, an “invalid admin” message appeared in this case.
  • A banner message at the top of the administrator page they are viewing will say, “This admin exists on multiple accounts. As a result, fields are read-only.”

New export and search options for the Authentication Log

  • A field containing the hostname of the access device has been added to Authentication Log CSV and JSON exports from the Admin Panel. Previously this field was only included in exports conducted via the Admin API.
  • Administrators can now search the Authentication Log via the Admin API for the token number of the second authentication factor that was used. For example, if an end-user authenticated via a U2F device, a Duo administrator can search based on its unique token number.

New and updated applications

Duo Mobile for iOS 3.33.1 released

  • Added a prompt for Duo Mobile users who are protecting third-party accounts such as Facebook, Instagram, etc., to enable the app’s third-party restore function and set a recovery password.
  • Other minor bug fixes and improvements.

Duo Network Gateway 1.5.6 released

  • Modified SameSite cookie settings to account for some specialized Duo Network Gateway deployments.
  • Increased NGINX buffer size to support bigger headers sent from protected applications.

Duo Authentication Proxy 3.2.4 released

Bug fixes

  • Admin Panel fixes:

    • When searching for groups, applications, users, or devices in the search bar at the top of the Admin Panel, clicking “View more” will now apply that search query to the list an admin is redirected to. Previously, the query was passed through to the URL string of the list page but was not actually run to filter the results.
    • If an Admin Panel session has timed out or the logged-in account changes, an error message of “Unable to parse response as JSON” will no longer be displayed for certain account actions to avoid confusing administrators.
  • Directory Sync fixes:

    • If an Azure Active Directory Sync is configured to send enrollment emails, syncs of a single user will send an enrollment email only to that user. This change should improve the performance of username syncs.

Disappointing to see no update for the 8-hour RD Gateway issue. It’s something that has become extremely important as more people are working from home due to COVID-19.