We use Duo Access Gateway for SAML integration, and it doesn’t appear that it supports an additional factor for authentication. This should really be fixed.
I think you’re referring to logging into the DAG Admin Console. By default, the DAG Admin Console can only be accessed from the DAG server’s assigned IP addresses. You can add access IPs not assigned to the DAG server’s network interface during installation or by editing the web.config file on your DAG server console. As a rule, you should never allow any public IPs not managed by your organization to access the DAG admin console.
Any attempt to access the DAG server console from IPs you haven’t specifically allowed will fail.
You can also consider adding 2FA protection to the DAG server box itself using Duo for Windows Logon.
With that said, if you feel like this level of protection is insufficient, please file a feature request for this functionality with your Duo representative.
We are aware of the IP Restrictions in place for DAG, and have implemented them. That being said, IP restrictions are not a second factor for authentication. We also have already implemented two-factor authentication on the server via Duo for Windows. Don’t get me wrong, we very much like Duo and you implement things in a very smart way, but as a two-factor security entity it seems strange that you wouldn’t offer a second factor for one of your services, especially a service offering critical authentication handling. As you suggested though, we will put in a feature request.