Solved: Enabling SSO using an existing DUO Authentication Proxy

stevenspray1 · ‎01-06-2022

Hi!

As per subject really. We are already using a DUO Authentication Proxy instance on our of our domain controllers for Cisco VPN logins. We now want to enable SSO on Microsfot 365 and this also requires the use of a DUO Authentication Proxy instance. Do we need to install another DAP on the same server, or can we use the existing one?

Appreciate any help!

jamieis · ‎01-10-2022

Hi @fnanfne,

If you follow the steps under Connect Authentication Proxy to Duo Single Sign-On located at Duo Single Sign-On | Duo Security you can configure an existing Duo Authentication Proxy to Duo Single Sign-On.

It mostly consists of creating a new authproxy under the Active Directory Authentication Source you created in the Duo Admin Panel, copying some information into the authproxy.cfg file and then running a command that is provided.

View solution in original post

jamieis · ‎01-06-2022

Hey @fnanfne,

You can use the existing authentication proxy, you’ll just need to make sure it is up to date.

For Duo SSO we do recommend you run multiple authentication proxies in production so that if one does go down your users can still authenticate.

rdstoknes · ‎01-06-2022

Are you sure about this??

Duo Auth Proxy is an internal-only service for services like VPN authentication with Duo MFA, whereas Microsoft 365 requires a public-facing Duo Access Gateway (DAG) to be able to do MFA for logins.

At least we had to use one (already had a DAG in place since it is also used for user provisioning of Duo for VPN access etc) when we set up MFA Conditional Access Policies within M365. All Microsoft and Duo documentation also refers to this.

Brgds,
Rune

jamieis · ‎01-07-2022

Hi @RuneS,

Sorry, I had assumed based on the fact that you were trying to use the Duo Authentication Proxy I thought you were trying to protect Microsoft 365 using Duo Single Sign-On which is Duo’s newer cloud-hosted SAML IdP.

It sounds like you’re using the Duo Access Gateway, Duo’s on-premises SAML IdP which does not utilize the authentication proxy at all. You can see documentation for setting up Microsoft 365 for the Duo Access Gateway here.

I would recommend looking at using Duo SSO (cloud-hosted) because the newer service uses some different communication protocols to better integrate with Microsoft 365 and Windows services.

stevenspray1 · ‎01-07-2022

Hey all thanks a bunch for the replies!

I am a bit confused over the offerings now. I read a DAG is for self-hosted SSO. We do not want to host this ourselves and so would want to opt for “2FA with SSO hosted by Duo” for protecting our Office 365.

The documentation I read suggests we need to configure a DAP. We already have a DAP configured and in place for Cisco ASA SSL VPN, and so I was hoping we could use this existing DAP also for the Office 365.

Jamie noted thanks, I will submit a CC to add DAP to a second/third server.

stevenspray1 · ‎01-10-2022

So, how do I use an existing DAP? Under protect an application, I will choose “Microsoft 365 - 2FA with SSO hosted by DUO”.

I’m then asked for configuring a DAP. How can I select our existing one? I can’t seem to find that option.

jamieis · ‎01-10-2022

Hi @fnanfne,

If you follow the steps under Connect Authentication Proxy to Duo Single Sign-On located at Duo Single Sign-On | Duo Security you can configure an existing Duo Authentication Proxy to Duo Single Sign-On.

It mostly consists of creating a new authproxy under the Active Directory Authentication Source you created in the Duo Admin Panel, copying some information into the authproxy.cfg file and then running a command that is provided.

stevenspray1 · ‎01-12-2022

Hi @jamie,

That is the exact information and confirmation I was looking for!

Thank you so much for pointing me in the right direction, much appreciated.