Skip navigation

Duo Security is now a part of Cisco

About Cisco

Announcing Administrative Units and Administrative Single Sign-On (SSO) for the Enterprise


  • Enterprise customers desire greater administrative controls
  • Admin Units delegates management of Duo across different departments
  • Admin Single Sign-On (SSO) helps mitigate risk by reducing use of local credentials
  • Both features available for Duo MFA, Duo Access and Duo Beyond

We've seen tremendous adoption of Duo Beyond, our zero-trust security platform, by customers of all sizes - especially in enterprise and education. Both environments bring two shared attributes: large user populations and a desire to delegate management of tools. As such, these customers came to us with a desire for more granular administrator controls: specifically for delegated administration and federated login.

Delegating Administration

In large organizations, responsibilities for IT are delegated broadly to distinct teams. For example, the networking team will take ownership over virtual private networks (VPNs) and firewalls, the endpoints team will manage endpoint asset management software and Windows/Mac clients, and the infrastructure team will manage Windows and Unix servers.

Similarly, support teams may be distributed across multiple locations or business units, often supporting specific groups of users. For example, the San Francisco office help desk may be responsible for users in the primary engineering office in San Francisco and the Bay Area; however, the New York office help desk is responsible for sales and marketing employees up and down the East Coast.

The reason customers separate administration across different groups is to reduce risk, especially with critical applications and information about full-time employees.

Back in 2015, we added Administrative Roles, which controls the “powers” of an administrator, such as managing users or editing policies. However, our customers came to us with a desire for greater granularity. Dividing up administrative responsibilities by applications or user groups.

So we worked together with a team of customers on a solution to introduce the idea of “scope” to our administrators. Six months ago, our team began working on a feature titled Administrative Units to fill this gap.

Introducing Administrative Units

Administrative Units allows customers to assign specific user groups or applications to individual or multiple administrators.

If Administrative Roles are the X-axis of "what can an administrator do" (e.g. add/delete users, create applications), then Administrative Units are the Y-axis of "which applications or user groups can an administrator see."

Administrative Units

We want to thank the group of twelve customers that worked together with us to provide input and feedback as we developed this feature. In fact, we have to thank customers directly for the name of this feature. The term “administrative units” came about as most of our customers thought about federating administrative controls by “business units,” a common turn of phrase in enterprise.

Administrative Units is generally available today and documentation can be found here.

Federating Logins

We also have an increasing number of customers utilizing SSO, whether it’s through federation services like Azure AD or ADFS or our own solution, Duo’s secure SSO. Customers deploy single sign-on for not only convenience, but also security. It’s convenient for users as they don’t have to memorize passwords for every single service.

Why security? Single sign-on allows customers to federate access to applications without managing separate passwords for each application, which often leads to shared passwords for each service.

Our administrators came to us asking, “How come I can federate logins with users but not administrators?”

And that leads us to Administrative SSO.

Introducing Administrative SSO

SSO Button We’re pleased to announce the general availability of single sign-on (SSO) for the Administrators. Customers can now utilize SAML Identity Providers (IdP) including Azure AD, ADFS, Duo SSO, and Shibboleth to federate access to the Duo Admin Panel.

In order to support this feature, we are also making an update to - a persistent single sign-on button similar to what you’ve seen on other cloud applications.

Administrative SSO is also generally available today, and documentation can be found here.

We would also like to thank our beta customers for Admin SSO. This turned into our largest beta in Duo history, and we couldn’t have delivered this solution without your support. And just a few weeks into release, we already have 400 customers utilizing this feature, so it’s great to see the demand for this feature.

Steve Won

Steve Won

Senior Product Manager


Steve Won is a Senior Product Manager at Duo Security, where he leads the company's authentication and Microsoft efforts, working closely with the Engineering and Labs R&D teams. Prior to joining Product, Steve worked closely with Duo’s largest customers on the Customer Success team and brings customer context to every decision. A graduate of Northwestern University, Steve now resides in Seattle with his physician wife, Katie.

Mujtaba Hussain

Mujtaba Hussain

Engineering Manager, MFA Platform

Mujtaba is an Engineering Manager at Duo Security where he leads the MFA Platform team creating features that our customers love and rely on. Prior to joining Duo, Mujtaba developed a workforce management product and helped turn his previous startup company into a global one, he is a maker at heart, delivering solutions for complex customer problems in way that delights them is what drives him. He loves building highly successful teams by challenging, coaching and aligning the strengths of his team members with the goals of the organization.

Amy Afonso

Amy Afonso

Product Designer


Amy is a Product Designer at Duo Security. Prior to Duo, she studied Human Computer Interaction at University of Michigan.

Vitaliy Peker

Vitaliy Peker

Engineering Manager, MFA Administration and Authentication

Vitaliy manages Duo’s authentication and administration teams, while working closely with Product, Product Design, Engineering Operations, and Labs R&D teams. Prior to slinging code and being in leadership, Vitaliy was a Geographic Information Systems (GIS) specialist where he developed an atlas and datasets for local municipalities to use when responding to oil spills in the Great Lakes region. On a good day you will find Vitaliy drinking a morning coffee, watching his teams innovate the Duo product line, and relaxing with his wife, Kendra, and daughter, Evelyn.