The best option is not to import usernames into Duo that you know are duplicated in both domains.
Is it possible for the VPNs to use UPN usernames for logins? Your UPNs are (hopefully) unique throughout both forests and would not cause collisions.
Are the users who exist in both domains you want to sync the exact same people? The problem with syncing in sAMAccountNames from two domains is that Duo can’t have two different users coexist with the same username or username alias.
If the user
jdoe exists in both
domainA sync will create/update the
jdoe Duo user with information from
domainA, and then the
domainB sync will do the exact same thing, updating
jdoe with the information from
John Doe but
Jennifer Doe (i.e. different people), that is an unworkable scenario. However, if both
John Doe, that seems possible (assuming all AD attributes synced into duo from each domain have identical values phones, email, display name, etc.), right?
No! Attempting multiple domain syncs with overlapping users is still not recommended - even when the actual humans behind those users are same people - because of the sync group memberships!
When you select a group to import into Duo, Duo creates the group in Duo and adds all direct and indirect AD groups members as direct members of the group in Duo. The Duo group is identified as being managed by the sync that created it. The user group memberships get verified/updated at every sync (because when a user is removed from all sync groups that’s Duo’s trigger to set that user to “pending deletion”.
Say you configured the
domainA sync to import members of a group called
Duo Users, and also configured the
DomainB sync to import a group called
Duo Users (the fact that I’m using identically named AD groups in each domain isn’t super relevant; unique AD group names would have the same result).
domainA sync runs, and imports all members of the
domainA\Duo Users group. Then the
domainB sync runs and imports all members of the
domainB\Duo Users group. Users who exist in both domains have their membership change unexpectedly.
domainA\Duo Users AD members:
domainB\Duo Users AD members:
domainA sync runs:
- creates the group “Duo Users (from AD sync domain A)” in Duo
- creates the
qsmith users in Duo using attribute values from
qsmith members of “Duo Users ( from AD sync domain A)”
domainB sync runs:
- creates the group “Duo Users ( from AD sync domain B)” in Duo
- creates the
bjones user in Duo using attribute values from
bjones a member of “Duo Users ( from AD sync domain B)”
jdoe user using attribute values from
jdoe from being a member of “Duo Users (from AD sync domain B)” to “Duo Users (from AD sync domain B)”
The unexpected change in group memberships for
jdoe could affect how that user is affected by any custom application group policies, permitted groups restrictions, or administrative unit assignments.
In summary, configure directory sync for multiple directories only when usernames and username aliases are guaranteed unique between both domains, which may require choosing an alternate username attribute than
sAMAccountName and configuring the application/service/device to use that chosen username format OR making changes in the source directory to ensure unique values if the source attribute cannot be changed.
Other methods of getting users into Duo, like CSV import, don’t have the same issue of constantly changing group memberships, but would still have a problem if the users with the same usernames are not in fact always the same people.