Duo SSO logs? Possible using Splunk Enterprise Dashboards?

Gigawatt · ‎04-11-2023

We have started the move to Duo SSO from our ADFS server, but we still use ADFS as our IdP. We are forwarding our events to Splunks forwarder, it’s also a Protected app on Duo.
My question is we really don’t have any visuability now that we have moved to Duo SSO, is anyone have any community projects or solutions for a Dashboard on Splunk for Duo?

Note: I do realize that there is a SSO report on the Admin panel ( Reports > Single Sign On Logs), but it doesn’t show failures. This was something that I miss having the DAGs for, but those are end of life. Can this be a feature in the future?

Current query is “index=duo extracted_eventtype=$eventtype$ $username$”

jamieis · ‎04-12-2023

Hi @Gigawatt,

The Single Sign-On Logs in the Admin Panel do actually report failures as of January of this year! If you’re using a SAML IdP as your identity source though you might not see many failures reported because usually it means you’re getting blocked at the ADFS side and a SAMLResponse is never making its way back to Duo Single Sign-On.

Duo SSO is currently working on adding a new AdminAPI endpoint for SSO authlogs but no ETA when it will be released at the moment.

Gigawatt · ‎04-12-2023

Yuuuuup, we are.

Oh that’s great news, thanks @jamie !
Since we are forward events to Splunk as well, do you think I could possibly get the data I need since we do “SAML as our IDP(ADFS)”?

jamieis · ‎04-12-2023

Once the API is out you’ll be able to pull in the SSO Authlogs like you seen in the Admin Panel but you won’t get any better details about auths failing over on the ADFS side since most of the time Duo SSO never hears back about that authentication.