Migrate from DAG to Cloud SSO


Been a long-term DAG and SSO user. Would like to move to the cloud SSO solution so we don’t have to maintain DAG internally (HA, DMZ, etc. issues).

Is there a KB article about migrating from DAG to cloud SSO? What would I lose out on by moving now vs. waiting? We use DAG for protecting a bunch of cloud-based apps as well as AnyConnect VPN - MFA as well.

Thanks for any advice/pointers.

There isn’t really a migration guide that I’ve found, as you need to swap over each service individually. You federated all your apps to the DAG, so now you need to go modify them to federate to Duo SSO, same as if you were swapping to AAD or Okta or another SAML provider. You can spin up a Duo SSO instance for free and add a single application to test. That’s how we started, then eventually moved all Security/IT applications over. We’re waiting for our winter break to move all the general user apps (O365, G Suite, Slack, etc.) over for normal staff. It’s been rock solid for us over the last 6 months.

Hi @Rbats,

There is no article at the moment for migrating from the DAG to Duo SSO, but within the next few weeks we will be adding documentation that talks about this more and a way to easily copy settings of a DAG application in the Duo Admin Panel to a new Duo SSO application in the Duo Admin Panel.

One of the biggest benefits of Duo SSO is it no longer requires you to host a web server yourself. Duo does this part for you. If you’re using a SAML IdP as your authentication source you won’t need any additional on-premises hardware. If you use Active Directory, instead of a DAG you’ll connect an Authentication Proxy to talk to Duo SSO. This Authentication Proxy only needs outbound access and doesn’t require any inbound ports to be opened.

Like @Jason_Waits mentioned, switching over your SAML apps requires updating identity provider information on the application’s side as well, which is why you’ll need to move one application at a time.

Thanks for the responses. Moving one app at a time makes sense.

@jamie We do use AD for IdP and already have a Duo auth proxy installed - for AnyConnect VPN if I recall. Would we be able to use the same proxy?

Look forward to the documentation!


Hi @Rbats,

You can use the same authproxy, but we recommend creating dedicated ones for Duo SSO.

Our documentation to help migrate from Duo Access Gateway to Duo SSO is now out but the feature is still rolling out to all accounts over the next week or two: Migrate from Duo Access Gateway to Duo Single Sign-On | Duo Security