Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1121
Views
0
Helpful
1
Replies

Google Workspace and Duo

KenZ
Level 1
Level 1

‎11-25-2022 08:18 AM

Hi

Got a requirement to provide MFA to Google Workspace (google mail, Google Classroom, etc)
Looking at Duo Single Sign-On for Google Workspace (Google G Suite) | Duo Security it says that the first steps are to configure Duo Single Sign-on and configure a working Authentication Source. Unfortunately this is a bit confusing top me.

When I go to configure an Authentication Source, it gives me the option of Active Directory or SAML.

It says that this configuration is for first-factor credentials. does that mean I need to configure AD for first factor, then SAML for 2nd Factor to secure my Google Workspace? Or do I just need to configure SAML idP to use Duo with Google Workspace, as I’ve already got the Google Cloud Directory Sync installed on my domain controllers to allow users to use their domain accounts with Google classroom?

Additionally I’ve already got an Active Directory source configured for my DirSync, to sync users up to Duo Portal.
Will it automatically use this if necessary, or do I have to explicitly create a new Authentication source just for SSO?

If I have to create a new Active Directory Authentication Proxy, do I then need to have 2 installed in my domain, one for standard dir sync and one for SSO?

After that is done, I then need to configure SAML as the “second-factor”?

very confused…

Regards

Ken Z

Labels:
0 Helpful
1 Reply 1

jamieis
Cisco Employee
Cisco Employee

‎11-27-2022 04:46 PM

Hi Ken,

Duo Single Sign-On is a SAML 2.0 Identity Provider that adds MFA into every authentication you do with it. This would replace the Google password completely and instead use their Active Directory password.

You would set up an Authentication Source, I’d recommend Active Directory based on what you’ve said. Once you have the authentication source set up you can protect Google Workspace with Duo Single Sign-On.

Once Google Workspace is setup to use Duo Single Sign-On when users attempt to log into Google they’ll be:

  1. Redirected to the Duo SSO login page to type in their e-mail address and password for 1st factor (they’ll only be required to do this every few hours based on your settings).
  2. After 1FA they’ll be sent to do Duo MFA which allows you to add many policy controls
  3. After MFA they will be logged into Google Workspace.

You can see an example of what a login flow would look like: SSO End User Login

To answer some of your other questions:

  • You do need to set up the Active Directory set up in the Duo Admin Panel separately from Directory Sync.
  • You do need to set up the connection for the Authentication Proxy to Duo SSO separately.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents