Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1760
Views
0
Helpful
1
Replies

Multiple user IDs on one authentication system

Go to solution
Plundstedt
Level 1
Level 1

‎07-11-2017 12:56 PM

One of the first systems we integrated with Duo is our Palo Alto GlobalProtect VPN. When we began enrolling individuals in the system, one of the first things we discovered was that users could get around the Duo prompt by using their email address as a username, instead of their sAMAccountName. We’re an O365 and SkypeforBiz customer and are required to have the email address setup as a SIPAddress.

Is there any way to either
a) setup multiple usernames in Duo that can authenticate through an application?
-or-
b) disallow users from using a secondary user ID other than their sAMAccountName? We’re not seeing anything like this in our GlobalProtect instance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mkorovesisduo
Level 4
Level 4

‎07-11-2017 01:44 PM

Hi Plundstet,

I spoke with our support team and here are responses to your questions:

a) Yes, by enabling Username Normalization. Please ensure that Username normalization for your Palo Alto application is set to “Simple.”

b) Yes. If your New User Policy is set to Allow Access, set it to Deny Access. If I am understanding you correctly, you have more than one “style” of username that your users are trying to use to log in. If you are alright with enforcing sAMAccountName as the only accepted username, setting this policy to Deny Access would block users from completing authentication with their email.

We are actively exploring more complex username aliasing features that would accommodate formats beyond email address and sAMAccountName in the future, but I don’t have a timeline to share for that feature at this time.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
mkorovesisduo
Level 4
Level 4

‎07-11-2017 01:44 PM

Hi Plundstet,

I spoke with our support team and here are responses to your questions:

a) Yes, by enabling Username Normalization. Please ensure that Username normalization for your Palo Alto application is set to “Simple.”

b) Yes. If your New User Policy is set to Allow Access, set it to Deny Access. If I am understanding you correctly, you have more than one “style” of username that your users are trying to use to log in. If you are alright with enforcing sAMAccountName as the only accepted username, setting this policy to Deny Access would block users from completing authentication with their email.

We are actively exploring more complex username aliasing features that would accommodate formats beyond email address and sAMAccountName in the future, but I don’t have a timeline to share for that feature at this time.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents