Integrate Duo From Main Campus to Single Department


I’m trying to figure out if this is possible.

I work for a university that uses Duo for all authentication. My department does not currently use the main campus Duo for any authentication within our subdomain.

If we want to integrate the main campus Duo into our subdomain, eg., internal apps, ssh, etc., would the duo proxy authentication be the product needed?


The Duo Authentication Proxy acts as a connector between on-premises RADIUS and LDAP applications/devices and the Duo cloud service. It isn’t a proxy between your organizational locations or between Duo customer accounts.

A simple example using a Linux SSH server…

  • You’d need access to a Duo Unix integration. You might get this from a Duo customer account only used by your department, or your main campus Duo admins might create the Duo Unix integration in their existing customer account and provide you the configuration info.
  • Your Linux server can access Duo’s cloud service over the internet HTTPS/443.
  • You install Duo’s PAM application on your department’s SSH server.
  • Users log in to that SSH server using whatever primary authentication credential they used before, and then get prompted for Duo 2FA.

There are a few different strategies large entities like universities use to distribute Duo account access across organizational units. I encourage you to have a dialogue with your school’s main campus Duo admins and your information security group (and your school’s Duo account executive or customer success manager if needed) to determine the approach that works best.