Salesforce with DUO MFA

We have been using DUO for a while. Now we are interested in using DUO MFA for Salesforce.
In Salesforce, what needs to be set up to integrate with DUO MFA?

Hi @kumquat ,

Please see the following KB article: What are my options for protecting Salesforce with Duo?

Federation is required, but we have multiple ways to support this.

Hope this helps! Thanks!!

@DuoPablo My question is not how DUO can protect Salesforce. My question is: in Salesforce, how do I set up Duo MFA? What Salesforce setting needs to be enabled for Duo MFA?
All your documentation is about how to set up SSO. SSO is not MFA. They are separate.
It looks like DUO does not have documented instructions to help set up Salesforce for MFA.

@kumquat You are correct in that Single Sign-On (SSO) is not the same as Multi-Factor Authentication (MFA). However, protecting SSO via MFA can inherently enable MFA on applications that are federated by the SSO solution (SAML IdP, for example).

When we say “protect an app with Duo” it is typically synonymous with “enable Duo (MFA) for said app”. Please let me know if I am mistaken regarding what you mean by “integrate Salesforce with Duo MFA”. Leveraging a federation solution to perform the SAML assertion is a requirement for Salesforce + Duo integration. We have products that can perform this using Active Directory, for example, as the auth source (Duo Access Gateway & Duo SSO).

Salesforce Multi-Factor Authentication FAQ

Thanks!

I am looking for how to set up Salesforce only, for Duo MFA. Do you have instructions, or do I need to ask Salesforce?
I am not looking for how to set up SSO.
Are you saying your Salesforce setup instructions for SSO are for MFA also?
DUO documentation is confusing.

Yes, our instructions for integrating Duo with Salesforce require SSO in order to provide MFA functionality.

It is possible to use Salesforce’s own MFA via the Duo Mobile app: Third-Party Accounts - Guide to Two-Factor Authentication · Duo Security. This is not quite what we call a Duo “integration” as it does not allow for Duo Push, Authentication Log activity, Policies, or otherwise make use of your existing Duo instance.

Salesforce with Third Party Authenticator apps: https://www.salesforce.com/content/dam/web/en_us/www/documents/guides/mfa-quick-admin-guide.pdf

Some SaaS-based applications can be integrated with Duo via WebSDK, but unfortunately Salesforce is not one of them (as of this writing).

I hope this clears up any confusion. Thank you!

Got it, but I have 2 questions, one relating to DUO SSO with Okta.
Our Salesforce does not have an official SSO, though we are using Okta as an SSO. What I mean is we can sign on using Okta, bypassing the Salesforce login/password, but inside our Salesforce org, we have not enabled SSO integration with Okta.

That being said, if we “integrate” Duo SSO with our Salesforce, which enables an official Duo MFA push with our Salesforce org, does your Duo SSO work with our Okta?
I know that Okta brings all applications together under one Okta umbrella.

My second question relates to mobile. Currently we have an MDM in place using another 3rd party app for our mobile users. Also, we are using DUO MFA for our Citrix environment/architecture. In other words, when our users log into our Citrix from a desktop, the user has to use the DUO mobile app to approve the user login access.

If we “integrate” Duo SSO with our Salesforce, can the DUO SSO work for our mobile as an MDM?
What I mean is, can your DUO SSO manage all our users' mobile devices as a mobile device management tool and at the same time bypass the Salesforce Mobile app login process using username/password?

For question #1 the answer is yes. You will need to first set up Duo SSO with Okta as your authentication source and then configure Salesforce to integrate with Duo SSO.

For question #2 the answer is no. Duo SSO is not an MDM solution, such as Meraki Systems Manager or AirWatch. While Duo has some MDM-like device controls & policies, these are not exclusive/inherent to Duo SSO. If you integrate Salesforce via Duo SSO, then your users will be able to authenticate using Duo Push and have the 2FA devices seen by/reporting into the Duo Admin Panel. These device health & insight features depend on your edition of Duo, too.