Google Workspace and Duo


Got a requirement to provide MFA to Google Workspace (Google Mail, Google Classroom, etc.).
Looking at "Duo Single Sign-On for Google Workspace (Google G Suite) | Duo Security", it says that the first steps are to configure Duo Single Sign-on and configure a working Authentication Source. Unfortunately this is a bit confusing to me.

When I go to configure an Authentication Source, it gives me the option of Active Directory or SAML.

It says that this configuration is for first-factor credentials. Does that mean I need to configure AD for first factor, then SAML for 2nd factor to secure my Google Workspace? Or do I just need to configure SAML IdP to use Duo with Google Workspace, as I’ve already got the Google Cloud Directory Sync installed on my domain controllers to allow users to use their domain accounts with Google Classroom?

Additionally I’ve already got an Active Directory source configured for my DirSync, to sync users up to Duo Portal.
Will it automatically use this if necessary, or do I have to explicitly create a new Authentication source just for SSO?

If I have to create a new Active Directory Authentication Proxy, do I then need to have 2 installed in my domain, one for standard dir sync and one for SSO?

After that is done, I then need to configure SAML as the “second-factor”?

Very confused…


Ken Z

Hi Ken,

Duo Single Sign-On is a SAML 2.0 Identity Provider that adds MFA into every authentication you do with it. This would replace the Google password completely and instead use their Active Directory password.

You would set up an Authentication Source; I’d recommend Active Directory based on what you’ve said. Once you have the authentication source set up you can protect Google Workspace with Duo Single Sign-On.

Once Google Workspace is set up to use Duo Single Sign-On, when users attempt to log into Google they’ll be:

  1. Redirected to the Duo SSO login page to type in their e-mail address and password for 1st factor (they’ll only be required to do this every few hours based on your settings).
  2. After 1FA they’ll be sent to do Duo MFA, which allows you to add many policy controls.
  3. After MFA they will be logged into Google Workspace.

You can see an example of what a login flow would look like: SSO End User Login

To answer some of your other questions:

  • You do need to set up the Active Directory setup in the Duo Admin Panel separately from Directory Sync.
  • You do need to set up the connection for the Authentication Proxy to Duo SSO separately.