Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2128
Views
0
Helpful
2
Replies

SSO for users vs. SSO for Administrators

Andrew71
Level 1
Level 1

‎08-28-2020 08:49 AM

How are people managing SSO for users vs. SSO for Administrators? Are you using both? Do your users have a separate account they use exclusively for Administrator functions? I guess I am looking for best practice recommendations. We currently have SSO enabled for our users and our administrators use an e-mail account for Administrator access. Our Service Desk would like to use SSO for Administrator accounts with the hope that they could use the same account for both their user authentication to our services and the Administrator functions. Based on my reading, it does not look like this is possible - is that correct?

Thanks in advance for your input.

0 Helpful
2 Replies 2

DuoKristina
Cisco Employee
Cisco Employee

‎09-02-2020 06:08 AM

This is very possible. In Duo end user accounts are distinct from administrator accounts, so a user who is also an admin can exist with the same email address under those different contexts. You can federate identities for Duo end users to an external SAML IdP, and then also use that same IdP as the identity source for Duo Administrator SAML login.

Duo, not DUO.
0 Helpful

mheim
Level 1
Level 1

‎09-10-2020 12:56 PM

I want to echo what DuoKristina is advising.

I know of a few organizations that use Duo Access Gateway to host user and admin SSO using the same email address.

You will need to use the resource Duo Administrator SAML login linked above and create to enable SSO login for administrators then deploy the Duo Admin Panel [2FA with SSO self-hosted] application to your Duo Access Gateway

2X_2_266321b2eb41b2499b65a840460993f47df4d03a.png
.

Since the Duo Admin panel is treated like other SAML integrations, application access can by controlled by source directory groups and MFA policy can be implemented however enrollment cannot be embedded into the Duo administrator login workflow i.e. the Duo administrator needs to have an enrollment link sent via emai.

Also, I think it is worth mentioning that if Duo administrators use the Duo Mobile soft token as authentication factor (recommended) then a separate entry will appear for for Duo administrator token in vault admins.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents