Duo SSO with multiple Salesforce instances

Hello Duo team,

We are looking into Duo-hosted SSO for our Salesforce instances. The “basic” integration works perfectly but we are facing an issue with usernames: as we have multiple Salesforce instances (production, sandboxes, etc.), we have multiple usernames. For example:

I tried to use aliases in Duo but it does not work. Do you have an idea on how I could go forward?

We have a sync with our AD (on-prem) done with Duo AuthC proxies.

Thank you.

Regards,
Antony Gallez

Hi @antony.gallez!

Do you have the two different email addresses as attributes in your authentication source? Username aliasing only affects the usernames that are recognized when doing Duo authentications; aliases are not the values sent to Salesforce.

Ideally you’d have an attribute in your authentication source that matches “agallez@cameoglobal.com” and another that matches “agallez.mfa@cameoglobal.com”. You’d then map the appropriate attribute as your Mail attribute for each Salesforce application in the Duo Admin Panel.

Hi @jamie,

Thank you for your reply.

We have different email addresses between the instances but also different usernames.

I do not get what you meant with the mapping of attributes. I tried to add the username as an alias on the user but it did not work.

Regards,
Antony

Could you show me what error you’re hitting? Just want to make sure I understand where you’re running into problems.

@jamie,

Sure, please find some screenshots below.

[Screenshot: AuthC logs from Duo admin]

[Screenshot: Error when I am authenticated through SSO]

[Screenshot: Config of the Duo user]

As you may see here, I added an alias matching the SF username but still, it does not work.

[Screenshot: Config in SF]
On this one, if I change the Username to my email address, SSO works fine.

So your username and aliases in the Duo Admin Panel only affect which usernames we recognize when doing things like Duo 2FA. The value that is being sent to Salesforce is the attribute from your Authentication Source.

If you go to your Salesforce application in the Duo Admin Panel under the “Service Providers” section you should see a checkbox next to Custom attributes. Here you can specify a different authentication source attribute to send to Salesforce when authenticating. By default we use mail for Active Directory and Email for SAML IdPs.

If you have an attribute in your authentication source that matches your different logins you can specify it there per Salesforce application.

Hi @jamie,

Ok. Sorry for my mistake on the alias, now I got it clear.

I’ll look at this and let you know the outcome.

Regards,
Antony

Hi @jamie,

I made a test with the field Description (a quick test before altering our AD schema) in our AD but I get an error when I click on the tile in the SSO portal:
[Screenshot: error in the SSO portal]

I looked in our AD sync configuration but I can’t find any setting to import the description field. I also read the docs but got the same result.

Is it restricted to custom attributes? Or am I using a wrong attribute name?

Regards,
Antony

Hi @antony.gallez,

I think for the custom Mail attribute on the Salesforce page in the Duo Admin Panel you’ll want to put just description, not <Description>. description is the name of the attribute in Active Directory. Once you’ve updated the value, click Save at the bottom of the screen and try another authentication to Salesforce.

The <Words> are just our bridge attributes that you can select from the dropdown so that we automatically would map certain attributes if you switched between using Active Directory and a SAML IdP.
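To make the distinction in the two replies above concrete, here is a small added model of how the per-application Mail attribute setting resolves to a value sent to Salesforce. It is example code written for this page, not Duo's implementation and not code posted in the thread. The user records, the Salesforce application names, the value stored in `description`, and the `BRIDGE_ATTRIBUTES` table (which contains only the `<Mail>` bridge described above) are all constructed assumptions; the comparison treats usernames case-insensitively, which is also an assumption.

```python
"""Model of Duo SSO per-application Mail attribute resolution (constructed example)."""

# Constructed authentication-source records (what the AD sync would provide).
# 'mail' and 'description' are real AD attribute names; the values are made up.
AD_USERS = {
    "agallez": {
        "sAMAccountName": "agallez",
        "mail": "agallez@cameoglobal.com",
        "description": "agallez.mfa@cameoglobal.com",
        # Duo username aliases: they affect Duo 2FA lookups only and are
        # deliberately never consulted when building the value for Salesforce.
        "duo_aliases": ["agallez.mfa@cameoglobal.com"],
    },
}

# Bridge attributes are the <Word> dropdown entries. Only <Mail> is modelled,
# resolving to 'mail' for Active Directory and 'Email' for SAML IdPs.
BRIDGE_ATTRIBUTES = {
    "<Mail>": {"active_directory": "mail", "saml": "Email"},
}

# Per-application settings: None means "Custom attributes" left unchecked.
SALESFORCE_APPS = {
    "Salesforce - Production": {"mail_attribute": None},
    "Salesforce - Sandbox (wrong)": {"mail_attribute": "<Description>"},
    "Salesforce - Sandbox": {"mail_attribute": "description"},
}

# Username configured on the Salesforce side of each instance (constructed).
SF_USERNAMES = {
    "Salesforce - Production": "agallez@cameoglobal.com",
    "Salesforce - Sandbox (wrong)": "agallez.mfa@cameoglobal.com",
    "Salesforce - Sandbox": "agallez.mfa@cameoglobal.com",
}


class AttributeMappingError(ValueError):
    """Raised when the configured attribute cannot produce a value."""


def resolve_attribute_name(configured: str, source_type: str) -> str:
    """Map the text typed into the Mail attribute box to a source attribute name.

    '<Word>' is a bridge attribute and must exist in the dropdown table;
    anything else is taken literally as an attribute of the auth source.
    """
    if configured.startswith("<") and configured.endswith(">"):
        bridge = BRIDGE_ATTRIBUTES.get(configured)
        if bridge is None or source_type not in bridge:
            raise AttributeMappingError(f"unknown bridge attribute {configured}")
        return bridge[source_type]
    return configured


def nameid_for_app(user: dict, app_config: dict,
                   source_type: str = "active_directory") -> str:
    """Return the value Duo would send to Salesforce for this user and app."""
    configured = app_config.get("mail_attribute") or "<Mail>"
    attr = resolve_attribute_name(configured, source_type)
    value = user.get(attr)
    if not value:
        raise AttributeMappingError(f"attribute {attr!r} is empty or not synced")
    return value


def audit_user(username: str) -> dict:
    """Check every Salesforce app: does the sent value match the SF username?"""
    user = AD_USERS[username]
    report = {}
    for app, config in SALESFORCE_APPS.items():
        try:
            sent = nameid_for_app(user, config)
        except AttributeMappingError as exc:
            report[app] = f"error: {exc}"
            continue
        expected = SF_USERNAMES[app]
        if sent.lower() == expected.lower():
            report[app] = "ok"
        else:
            report[app] = f"mismatch: sent {sent!r}, Salesforce expects {expected!r}"
    return report


if __name__ == "__main__":
    for app, status in audit_user("agallez").items():
        print(f"{app}: {status}")
```

Running the audit shows the three outcomes from the thread side by side: the production app sends `mail` by default and matches, the app configured with the literal `<Description>` fails before anything is sent, and the app configured with the plain `description` attribute sends the sandbox username.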

Hi @jamie,

Ok. Got you loud & clear on the bridge attributes.

All is working fine. Thanks a lot for your help!

Regards,
Antony
