OpenID Connect (OIDC) Support

On our road to deploying SSO within our company we have come across a couple of applications that use OpenID Connect for their SSO deployment instead of SAML, and when looking to set up SSO with them they have referred us to this list of companies that are certified with OIDC: OpenID Certification | OpenID

I was very surprised to see Duo missing on this list and would love to see some OIDC support.
I’ve done some digging in the Duo documentation and it sounds like the new “Universal Prompt” is going to be based on OIDC, but I can’t find anything relating to development on being able to protect OIDC applications like AutoTask/DarkWebID and others.

Is this sort of integration in development?

Hi @ITEM93, thanks for asking this great question here in the community! There are currently feature requests under consideration for the future for both generic OIDC SSO applications and AutoTask specifically. I encourage you to request to be added to those by your account representative or a Duo Support agent, as we discussed on another thread.
Just briefly, I spent some time looking through the Dark Web ID website and knowledge base to see if I could find any instructions that could help you in the meantime, but without the ability to use generic SAML or RADIUS, I’m not really sure how this could be accomplished.

1 Like

Hey @ITEM93,

I’m the Product Manager for SSO at Duo and am happy to discuss where we are at with regards to OIDC.

Since the generally available release of Duo SSO last year, the team has been heads down working on our official Microsoft 365 integration that expands Duo SSO’s scope from exclusively SAML to also supporting WS-FED, WS-Trust, and WS-MEX (for M365 only).

Now that Microsoft 365 is out the door, we are starting work on support for OIDC service providers with Duo SSO.

With that, I am compiling a list of applications that our customers are looking to connect via OIDC so that our team can better validate the new service, but also hopefully create better named integrations in the future.

You mention AutoTask and DarkWebID. Are there any other applications in particular that you would be trying to integrate?

3 Likes

Hi @cmedfischduo

Thanks so much for the update; we are actually planning to roll out the M365 integration this weekend and are looking forward to that! Really appreciate all your hard work getting that named integration set up.

AutoTask is certainly the Number 1 highest priority for us right now.
The IDAgent suite would follow (DarkWebID & Bullphish); this would make Duo a much more compelling product, matching the integrations offered by Okta, Authy, Passly.

I hope that, with the development of the Universal Prompt, it would make getting other OIDC integrations set up much easier.

There are a couple of other integrations that I’d love to see, but I don’t think
Webroot Secure Anywhere - both for MFA/SSO and for Device Health AV Agent Verification (Duo Device Health Application | Duo Security)
pfSense - both for device login as well as for direct OVPN integration. (I did find a workaround for the VPN part with a RADIUS integration, but would love a direct integration package with the built-in user manager (https://community.duo.com/t/duo-integration-on-pfsense-openvpn-configuration))

Hopefully other community users searching for OIDC compatibility can find this thread and add their requests to the list.

Thank you once again for this update!

Hi @cmedfischduo

It looks like Datto have also adopted the OIDC standard for their SSO integration; this would be another key vendor that we would like to integrate with.

https://help.datto.com/s/article/KB370000000060