There is a Duo Access Gateway user who would like to enable SSO to my company’s web app. Normally we would just do the OIDC details exchange and be done. Sometimes (like now) I need to dig into the documentation because there is some kind of oddity.
Created a free trial account to poke through the UI. It looks like they can go to Applications->Protect an application->Search Auth API. From there it looks like a standard OIDC flow.
Reading through the Auth API documentation, there seem to be some spec changes. Is this a superset, so that standard OIDC will still work?
Could someone check my understanding of the different terminology Duo uses compared to OIDC?

Integration Key = ClientID
Secret Key = Client Secret
API hostname = Authority
??? = MetadataAddress
What would the MetadataAddress be? Guessing it is Authority plus something standardized?
Also, I did note that the Auth API documentation said to make sure “response_type” is set to “code”.
Thank you for any help you can provide!
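Added example, not part of the question above: for a provider that follows the OpenID Connect Discovery 1.0 spec, the metadata address is the authority (issuer) URL with `/.well-known/openid-configuration` appended, and a client should validate the returned document before trusting its endpoints. The hostname and endpoint paths below are constructed placeholders, not Duo's.

```python
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"


def metadata_address(authority: str) -> str:
    """Derive the discovery URL from an authority (issuer) URL.

    OIDC Discovery 1.0 section 4 appends the well-known path to the issuer's
    path component, with any trailing slash on the issuer removed first.
    """
    parts = urlsplit(authority)
    if parts.scheme != "https":
        raise ValueError("authority must use https")
    path = parts.path.rstrip("/") + WELL_KNOWN
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def validate_discovery(authority: str, document: str) -> dict:
    """Parse a discovery document and apply the client-side checks.

    The issuer must be identical to the configured authority (this is what
    stops a client from being steered to someone else's endpoints), the
    provider must advertise response_type=code, and the endpoints the
    authorization-code flow needs must be present.
    """
    doc = json.loads(document)
    if doc.get("issuer") != authority:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {authority!r}")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("provider does not advertise response_type=code")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            raise ValueError(f"discovery document missing {key}")
    return doc


# Constructed sample: placeholder hostname and paths, not a real tenant.
SAMPLE_AUTHORITY = "https://api-XXXXXXXX.example.test"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_AUTHORITY,
    "authorization_endpoint": SAMPLE_AUTHORITY + "/oauth/v1/authorize",
    "token_endpoint": SAMPLE_AUTHORITY + "/oauth/v1/token",
    "jwks_uri": SAMPLE_AUTHORITY + "/oauth/v1/keys",
    "response_types_supported": ["code"],
})

if __name__ == "__main__":
    print(metadata_address(SAMPLE_AUTHORITY))
    print(validate_discovery(SAMPLE_AUTHORITY, SAMPLE_DISCOVERY)["token_endpoint"])
```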