Re: Authenticating to multiple active directory domains

ITMonkey · ‎12-30-2020

We have a requirement to authenticate users in separate Active Directory forests to the same SAML application. The DAG does not support multiple forests so I built an identical DAG under a different FQDN for the 2nd domain. When configuring the 2nd DAG, the entityID is using the new FQDN so the SAML authentication is invalid.
How can I configure the 2nd DAG to send SAML assertions using the primary DAG’s entityID, but still allow users to connect to it using the new FQDN? In the config file I am able to set the baseurlpath to the primary server, but then this breaks the ability for a user to log into it. Is there a setting in the config file for just the entityID? Will that even make things work if I can change it?

thomas.busse · ‎01-05-2021

Hello ITMonkey, I kind of had the same chellange when I had to synchronize users from different AD forrests using the Duo Authentication Proxy. The solution was to point the Authentication Proxy to the AD global cataloge server instead of an individual forrest AD server, be aware, that the global cataloge is using a different port (3268 instead of 389/636).

I would give it a try to configure the global cataloge as the identity source within your Access Gateway and see if you can authenticate users from different forrests.

bjonathan1 · ‎02-04-2021

We are having a similar issue. Multiple forests, users from multiple domains in a full trust that need to authenticate via SSO. We’ve all migrated to O365, but are maintaining on premise domain controllers and leveraging Azure AD Connect.

I’ve changed the Auth Proxies to have [ad_client] and [ad_client2] a few different ways (each host configured for each DC on port 3268 with each domain’s respective DN’s, single DC on port 3268 for both hosts with each domain’s respective DN’s, a mix of both on standard LDAP). All allow me to start the service, but I can only authenticate with user accounts beneath the domain that I have setup in Step 2 of the Active Directory configuration in the admin portal.

I have a feeling this would work if I could configure the other domain’s DN’s on that Step 2 page, but adding the multiple DC’s and DN’s there fails the test.

Is the solution for this in the same vein as the OP?

petemaida · ‎02-05-2021

We had a similar issue with SAML on our AnyConnect. Multiple child domains and trusted forest domains. Ended up using MS Federated services for SAML and using Duo to protect that. MS ADFS will cover all trusted domains automatically. On our RDS protection, using global catalog was all we needed.

DuoKristina · ‎02-05-2021

Neither Duo Access Gateway or Duo Single Sign-On support multiple authentication sources nor AD authentication using a single source across AD cross-forest trusts today. Use of the GC port is an answer for authentication against any child domains in a single forest.

We’re evaluating adding multiple authentication source support to Duo Single Sign-on. To add your interest in this functionality to the relevant feature request please contact your Duo account executive or customer success manager (if you have one), or Duo support.

Duo, not DUO.