Implement DUO for an application that can't natively implement MFA

fhikrisuryadi
Level 1

Hi guys, I need to know: if there is an application that cannot natively implement MFA, is it possible to implement MFA number matching for the server/apps using DUO Cisco with absolutely no changes on the application side? For example, the type of application is a virtual application connected to Active Directory for checking credentials. Please also provide information about whether MFA number matching is built into DUO or can also be integrated with Azure AD/Entra ID for MFA number matching.

8 Replies

DuoKristina
Cisco Employee

Not a guy but happy to respond anyway to suggest that if your application supports SAML 2.0 or OIDC you may be able to use Duo Single Sign-On to put Duo Universal Prompt with verified Duo Push (our implementation of number matching) in front of your application with no code changes.

Also, if your application is already using Entra ID (formerly Azure AD) for authentication you might also be able to use Duo's custom control for Entra ID conditional access. This also supports Duo Universal Prompt with verified Duo Push.

Duo, not DUO.

fhikrisuryadi
Level 1

Hi Kristina, thank you for your answer. So if I want to implement MFA number matching for my application without code changes, the application must support SAML 2.0 or OIDC, right?

That is correct, it must support SAML for it to work with Duo or any IdP in general.

Please mark this helpful if you are happy with the response.

For apps on-prem where you're not doing SAML, you can get Duo two-factor if the app is LDAP or RADIUS using an Authentication Proxy... you can't get the number matching from a proxy, though...

I'm sorry Ken, I can't fully understand your argument. Can you explain more clearly? Thank you.

1. What you refer to as "number matching" is represented in our service as "verified Duo Push".
2. Verified Duo Push is ONLY available in the Duo Universal Prompt experience.
3. Duo Universal Prompt is ONLY available during interactive browser authentication (therefore excluding Duo RADIUS or LDAP configurations, which is what Ken was pointing out).
4. There are four ways to get a browser-based Universal Prompt in front of your application:
     a. Implement authentication via our OIDC authentication endpoints in the code of your application with our Web SDK.
     b. Implement authentication via direct use of our OIDC authentication endpoints in the code of your application.
     c. If the application supports SAML 2.0 or OIDC federation already, put Duo SSO (which supports Duo Universal Prompt) in front of it. Duo SSO is available in all paid Duo plans.
     d. If the application doesn't support SAML and is on-premises, publish it via Duo Network Gateway (which supports Duo Universal Prompt). Duo Network Gateway is only available in the Duo Premier plan (as in, the most expensive Duo plan).

You want "absolutely no changes from the application side", which to me means "no custom code updates to our application". That excludes methods a and b, so the next best option is c.

Duo, not DUO.
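Options a and b in the reply above leave the application's own code responsible for calling Duo's OIDC endpoints and for deciding what to do with the answer. The following Python is an added example for this thread, not code from Duo, the Duo Web SDK, or any poster here: it fabricates a sample 2FA result token signed with a shared secret and then checks it the way a relying party should before trusting the login (pinned algorithm, signature, issuer, audience, expiry, binding to the user who started the login, and an explicit "allow"). The HS512 signing, the claim names (auth_result.result, preferred_username, iss, aud, exp), the issuer URL shape and the client ID/secret values are all assumptions constructed for the sample; check the Duo Web SDK documentation for the exact token format your tenant returns.

```python
"""Verify a Universal Prompt style 2FA result token (added example, not Duo's SDK).

Token layout (HS512 over the client secret, auth_result.result,
preferred_username, iss, aud, exp) is an ASSUMPTION for this sample.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values; none of these are real credentials or hosts.
CLIENT_ID = "DIXXXXXXXXXXXXXXXXXX"
CLIENT_SECRET = "constructed-sample-secret-do-not-reuse"
ISSUER = "https://api-example.duosecurity.com/oauth/v1/token"  # assumed shape
NOW = 1_700_000_000  # fixed clock so the sample is deterministic


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_result_token(claims: dict, secret: str) -> str:
    """Build an HS512 JWT. In production the IdP signs this; here it only
    fabricates sample input so the verifier can run offline."""
    header = _b64url_encode(json.dumps({"alg": "HS512", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_result_token(token, client_id, secret, expected_user, issuer, now=None):
    """Return (ok, reason). Every check must pass before the app trusts the login."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        return False, "bad header"
    # Pin the algorithm: never let the token choose (alg=none / downgrade).
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        return False, "unexpected alg"
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    if claims.get("aud") != client_id:
        return False, "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    # Bind the result to the user who started this login, not just "someone".
    if claims.get("preferred_username") != expected_user:
        return False, "username mismatch"
    if claims.get("auth_result", {}).get("result") != "allow":
        return False, "second factor not allowed"
    return True, "allow"


def sample_token(result="allow", user="alice", secret=CLIENT_SECRET):
    """Constructed sample claims for the offline demo."""
    claims = {
        "iss": ISSUER, "aud": CLIENT_ID, "sub": user, "preferred_username": user,
        "iat": NOW, "exp": NOW + 300,
        "auth_result": {"result": result, "status": "allow" if result == "allow" else "deny"},
    }
    return sign_result_token(claims, secret)


def demo() -> dict:
    """Run the verifier over constructed good and bad tokens."""
    good = sample_token()
    tampered = good[:-3] + ("AAA" if not good.endswith("AAA") else "BBB")
    none_hdr = _b64url_encode(json.dumps({"alg": "none"}).encode())
    alg_none = f"{none_hdr}.{good.split('.')[1]}."
    args = (CLIENT_ID, CLIENT_SECRET, "alice", ISSUER, NOW)
    return {
        "valid": verify_result_token(good, *args),
        "denied": verify_result_token(sample_token("deny"), *args),
        "wrong_user": verify_result_token(good, CLIENT_ID, CLIENT_SECRET, "bob", ISSUER, NOW),
        "tampered_sig": verify_result_token(tampered, *args),
        "wrong_secret": verify_result_token(sample_token(secret="other"), *args),
        "alg_none": verify_result_token(alg_none, *args),
        "expired": verify_result_token(good, CLIENT_ID, CLIENT_SECRET, "alice", ISSUER, NOW + 600),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} ok={ok} reason={reason}")
```

The point of the user-binding check is that a result token is only useful if it answers the question "did this user, in this login attempt, complete the verified push?"; an application that accepts any valid "allow" token, or that lets the token header pick the algorithm, has not actually enforced the second factor.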

Kristina covered it...


gabriel garciaf
Level 1

Hi guys,

Cisco Duo has 2 options to do MFA, SAML and AD. You can use SSO and some universal prompt if the technology does not appear in the "protect an application" bar. One time I configured a technology that did not support MFA and it could integrate with the number matching, but the only requirement is that it needed to be integrated with AD to obtain the profile of the user that is going to connect.
