Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2153
Views
1
Helpful
4
Replies

Migrate from DAG to Cloud SSO

rajbhatia
Level 1
Level 1

‎11-10-2020 03:24 PM

Hello,

Been a long term DAG and SSO user. Would like to move to the cloud SSO solution so we don’t have to maintain DAG internally (HA, DMZ, etc. issues).

Is there a KB article about migrating from DAG to cloud SSO? What would I lose out on by moving now vs. waiting? We use DAG for protecting a bunch of cloud based apps as well as Anyconnect VPN - MFA as well.

Thanks for any advice/pointers.

4 Replies 4

jwaits
Level 1
Level 1

‎11-11-2020 10:54 AM

There isn’t really a migration guide that I’ve found, as you need to swap over each service individually. You federated all your apps to the DAG, so now you need to go modify them to federate to Duo SSO, same as If you were swapping to AAD or Okta or another SAML provider. You can spin up a Duo SSO instance for free and add a single application to test. That’s how we started, then eventually moved all Security/IT applications over. We’re waiting for our winter break to move all the general user apps (O365, G Suite, Slac, etc) over for normal staff. It’s been rock solid for us over the last 6 months.

0 Helpful

jamieis
Cisco Employee
Cisco Employee

‎11-12-2020 04:50 AM

Hi @Rbats,

There is no article at the moment for migrating from the DAG to Duo SSO but within the next few weeks we will be adding documentation that talks about this more and a way to easily copy settings of a DAG application in the Duo Admin Panel to a new Duo SSO application in the Duo Admin Panel.

One of the biggest benefits of Duo SSO is it no longer requires you to host a web server yourself. Duo does this part for you. If you’re using a SAML IdP as your authentication source you won’t need any additional on-premises hardware. If you use Active Directory, instead of a DAG you’ll connect an Authentication Proxy to talk to Duo SSO. This Authentication Proxy only needs outbound access and doesn’t require any inbound ports to be opened.

Like @Jason_Waits mentioned, switching over your SAML apps requires updating identity provider information on the application’s side as well which is why you’ll need to move one application at a time.

0 Helpful

rajbhatia
Level 1
Level 1

‎11-18-2020 11:26 AM

Thanks for the responses. Moving one app at a time makes sense.

@jamie We do use AD for IdP and already have a Duo auth proxy installed - for Anyconnect VPN if I recall. Would we be able to use the same proxy?

Look forward to the documentation!

Thanks.

0 Helpful

jamieis
Cisco Employee
Cisco Employee
In response to rajbhatia

‎11-23-2020 06:40 AM

Hi @Rbats,

You can use the same authproxy but we recommend creating dedicated ones for Duo SSO.

Our documentation to help migrate from Duo Access Gateway to Duo SSO is now out but the feature is still rolling out to all accounts over the next week or two: Migrate from Duo Access Gateway to Duo Single Sign-On | Duo Security

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents