Migrating to Duo Access Gateway for Salesforce MFA

Is there a way to use Duo for Salesforce MFA but only activate it on certain users from Microsoft Server Active Directory? We would like to move department by department. I know how to do this in Salesforce’s MFA but would prefer Duo to handle MFA.

Hi @bryanjx34,

I’m Jamie, a software engineer on our SSO team.

Salesforce doesn’t have a way, as far as I know, of completely gating access for only a certain set of users, but you can set up multiple ways to log in and instruct users to log in via a certain way.

If you haven’t already deployed the Duo Access Gateway, I’d recommend that you use Duo Single Sign-On. This is our new cloud-hosted SAML identity provider which offers all the same benefits of the Duo Access Gateway but all the web portions are cloud-hosted, you don’t need to run a web server in your DMZ, and you can control everything in the Duo Admin Panel instead of across multiple admin consoles.

When using Duo Access Gateway or Duo SSO you can create a button on the Salesforce login page to have people log in via the SAML IdP. You can eventually decide to enforce that everyone log in this way.

If you only want to allow specific users to access the application through Duo and not allow new users to enroll, you can set Permitted Groups on the application in the Duo Admin Panel to prevent anyone but those users from accessing the application through Duo.
