Multiple user IDs on one authentication system


#1

One of the first systems we integrated with Duo is our Palo Alto GlobalProtect VPN. When we began enrolling individuals in the system, one of the first things we discovered was that users could get around the Duo prompt by using their email address as a username, instead of their sAMAccountName. We’re an O365 and SkypeforBiz customer and are required to have the email address setup as a SIPAddress.

Is there any way to either
a) setup multiple usernames in Duo that can authenticate through an application?
-or-
b) disallow users from using a secondary user ID other than their sAMAccountName? We’re not seeing anything like this in our GlobalProtect instance.


#2

Hi Plundstet,

I spoke with our support team and here are responses to your questions:

a) Yes, by enabling Username Normalization. Please ensure that Username normalization for your Palo Alto application is set to “Simple.”

b) Yes. If your New User Policy is set to Allow Access, set it to Deny Access. If I am understanding you correctly, you have more than one “style” of username that your users are trying to use to log in. If you are alright with enforcing sAMAccountName as the only accepted username, setting this policy to Deny Access would block users from completing authentication with their email.

We are actively exploring more complex username aliasing features that would accommodate formats beyond email address and sAMAccountName in the future, but I don’t have a timeline to share for that feature at this time.