SSO for users vs. SSO for Administrators

How are people managing SSO for users vs. SSO for Administrators? Are you using both? Do your users have a separate account they use exclusively for Administrator functions? I guess I am looking for best practice recommendations. We currently have SSO enabled for our users and our administrators use an e-mail account for Administrator access. Our Service Desk would like to use SSO for Administrator accounts with the hope that they could use the same account for both their user authentication to our services and the Administrator functions. Based on my reading, it does not look like this is possible - is that correct?

This is very possible. In Duo, end user accounts are distinct from administrator accounts, so a user who is also an admin can exist with the same email address under those different contexts. You can federate identities for Duo end users to an external SAML IdP, and then also use that same IdP as the identity source for Duo Administrator SAML login.

I know of a few organizations that use Duo Access Gateway to host user and admin SSO using the same email address.

You will need to use the resource Duo Administrator SAML login linked above and create to enable SSO login for administrators, then deploy the Duo Admin Panel [2FA with SSO self-hosted] application to your Duo Access Gateway.


Since the Duo Admin panel is treated like other SAML integrations, application access can be controlled by source directory groups and MFA policy can be implemented; however, enrollment cannot be embedded into the Duo administrator login workflow, i.e. the Duo administrator needs to have an enrollment link sent via email.

Also, I think it is worth mentioning that if Duo administrators use the Duo Mobile soft token as an authentication factor (recommended), then a separate entry will appear for the Duo administrator token in vault admins.