
From Base Camp to Summit: Climbing from AD FS to Duo SSO

Scaling a cybersecurity mountain is an arduous but essential task for organizations. It requires careful planning, thorough preparation, and the right gear. For years, Active Directory Federation Services (AD FS) has been the trusted climbing gear for many organizations. It has been a dependable tool, providing single sign-on access to systems and applications across organizational boundaries.

However, just as mountain climbing techniques and equipment have evolved over the years to overcome tougher terrains and higher peaks, so too must our cybersecurity tools adapt to the ever-changing threat landscape. As cyber threats become increasingly sophisticated and complex, it's crucial to ensure your organization has the most advanced, secure, and efficient tools at its disposal.

This is where Cisco Duo's Single Sign-On (SSO) comes into the picture. Consider it the next-generation climbing gear designed specifically to overcome the challenges of today's cybersecurity mountain. Duo SSO offers enhanced security features, streamlined user experience, and the flexibility to adapt to unforeseen challenges.

Switching from AD FS to Duo SSO is like trading an old climbing harness for a state-of-the-art alpine kit. It not only ensures that your organization is better equipped for the climb but also makes the journey significantly smoother and safer. In the vast landscape of cybersecurity, Duo SSO is the gear upgrade that can help your organization reach new heights of security. As with any sport, you don’t need to upgrade all of your gear at once, and we’ve made it easy to move at whatever pace best fits your organization.

Embrace Duo SSO and ensure your organization's journey up the cybersecurity mountain is secure, efficient, and successful.

What are customers saying from the top?

Just as every mountaineer experiences a unique journey to the summit, each organization embarks on its own unique path when transitioning from AD FS to Duo SSO. As they traverse this cybersecurity landscape, customers often share their insights, much like climbers sharing their experiences to guide those who follow. So, what are we seeing from our customers as they navigate this shift? Let's delve into the base camp chatter.

The Ultimate User Experience: Duo SSO offers a seamless, single sign-on experience across all applications. This enhances user satisfaction and boosts productivity by reducing the time spent logging into multiple applications. Duo SSO is the linchpin to our streamlined authentication experience in which users authenticate once at the start of their day and forget that Duo is there as we securely and automatically sign them into the rest of their Duo applications.

Threat Mitigation: Duo SSO ingeniously prevents user lockouts and unnecessary strain on your internal infrastructure by proactively analyzing and suppressing repeated bad login attempts. This feature significantly reduces user frustration and enhances account security. Offering a smooth, smart solution, Duo SSO ensures a secure and hassle-free environment for user accounts.

Straightforward Zero Trust Policy Enablement: Duo SSO lets you enable zero trust policies per application, per group, or globally. Examples include strong multi-factor authentication (MFA) with Verified Push, risk-based authentication with Duo's Risk-Based Authentication, device trust with Trusted Endpoints, and contextualized access and remediation policies.

Simplified Management: Duo SSO offers a cloud-based service that eliminates the need for so many on-premises servers. This reduces the complexity and maintenance efforts, providing a more streamlined and simplified management experience.

Increased Flexibility: Duo SSO supports SAML, OIDC, and OAuth applications, which covers many, if not all, of the SaaS or increasing number of internal applications you may use. With our growing list of officially named integrations, you have greater flexibility in shaping your IT architecture according to the unique set of applications that you care about most and that drives your business forward. All accessible in whatever way is easier for you - the Duo Admin Panel or our newly released Admin API!

Enhanced Scalability and Availability: Being a cloud-based service, Duo SSO offers high availability and can easily scale up to meet the growing needs of large organizations, ensuring uninterrupted service.

Cost Efficacy: Migrating to Duo SSO can lead to significant cost savings by reducing the need for hardware, lowering maintenance efforts, and minimizing downtime - giving your team time to drive the business forward instead of updating AD FS servers.

Robust Security: Duo SSO provides robust security features, including two-factor authentication and device health inspection, offering better protection against cybersecurity threats.

Migrating from AD FS to Duo SSO offers businesses several benefits, including simplified management, increased flexibility, enhanced scalability, cost savings, robust security, and an improved user experience. It's a strategic move that can help businesses navigate the cybersecurity landscape more effectively.

Layering — important for any climb

Layering is key to adapting to changing conditions. Similarly, organizations can layer cybersecurity solutions for smooth transitions. Consider AD FS as your base layer, reliable and familiar. But as cybersecurity challenges grow, you need more advanced gear.

Enter Duo's Single Sign-On (SSO), the high-tech outer shell layered over AD FS. It enhances functionality and protection with features like SAML 2.0 support and two-factor authentication. As you adjust to Duo SSO's enhanced capabilities, you may find you no longer need the AD FS layer. Shedding it leaves a lighter, more efficient, and highly secure system, but having both for a period ensures a more comfortable, streamlined experience for your organization.

In short, layering solutions from AD FS to Duo SSO ensures a secure, smooth transition, preparing you for every stage of your cybersecurity journey.

With Duo SSO, you can configure the service to use your AD FS server as a SAML Authentication source. When configured in such a way, your users will still be greeted with the same login page that they are familiar with but with the added benefits of Duo.

Here is an example of this flow:

  1. The user initiates login to a SAML or OIDC application protected with Duo SSO.

  2. The application redirects the user’s browser to Duo Single Sign-On with a SAML request message.

  3. Duo Single Sign-On redirects the user’s browser to AD FS with a SAML request message.

  4. The user logs in with the primary credentials at the AD FS login page.

  5. AD FS redirects the user’s browser to Duo Single Sign-On with a response message.

  6. Duo Single Sign-On requires the user to complete two-factor authentication. The user completes Duo two-factor authentication.

  7. Duo Single Sign-On redirects the user’s browser to the SAML or OIDC application.
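
The SAML leg of the flow above, modelled as an added example (not Duo's or Microsoft's code): it builds the messages from steps 2, 3, 5 and 7 as constructed sample data and checks that each response answers the right request. The entity IDs, message IDs, and the use of the Redirect binding for requests and the POST binding for responses are assumptions, since the page specifies none of them; signatures are omitted.

```python
import base64, zlib
import xml.etree.ElementTree as ET

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
# Hypothetical entity IDs; the page names the parties but gives no identifiers.
APP, DUO, ADFS = "https://app.example", "https://sso.duo.example", "https://adfs.example"

def build(kind, msg_id, issuer, in_response_to=None):
    """Construct a minimal, unsigned SAML protocol message (sample data only)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:{kind} xmlns:samlp="{P}" xmlns:saml="{A}" ID="{msg_id}" '
            f'Version="2.0"{irt}><saml:Issuer>{issuer}</saml:Issuer></samlp:{kind}>')

def encode(xml, deflate):
    """Redirect binding = raw DEFLATE then base64; POST binding = base64 only."""
    data = xml.encode()
    if deflate:
        c = zlib.compressobj(wbits=-15)
        data = c.compress(data) + c.flush()
    return base64.b64encode(data).decode()

def decode(b64, deflate):
    raw = base64.b64decode(b64)
    if deflate:
        raw = zlib.decompress(raw, -15)
    root = ET.fromstring(raw)  # constructed input; use defusedxml on real traffic
    return {"kind": root.tag.split("}")[1], "id": root.get("ID"),
            "in_response_to": root.get("InResponseTo"),
            "issuer": root.findtext(f"{{{A}}}Issuer")}

def check_chain(app_req, duo_req, adfs_resp, duo_resp):
    """Return problems found in the messages from steps 2, 3, 5 and 7."""
    problems = []
    got = [m["issuer"] for m in (app_req, duo_req, adfs_resp, duo_resp)]
    if got != [APP, DUO, ADFS, DUO]:
        problems.append(f"unexpected issuer order: {got}")
    if adfs_resp["in_response_to"] != duo_req["id"]:
        problems.append("AD FS response does not answer Duo SSO's request")
    if duo_resp["in_response_to"] != app_req["id"]:
        problems.append("Duo SSO response does not answer the app's request")
    return problems

def sample_trace(adfs_answers="_duo-1"):
    """Constructed trace: requests via Redirect binding, responses via POST."""
    wire = [(encode(build("AuthnRequest", "_app-1", APP), True), True),
            (encode(build("AuthnRequest", "_duo-1", DUO), True), True),
            (encode(build("Response", "_adfs-1", ADFS, adfs_answers), False), False),
            (encode(build("Response", "_duo-2", DUO, "_app-1"), False), False)]
    return [decode(b64, deflate) for b64, deflate in wire]
```

`check_chain(*sample_trace())` returns an empty list for the well-formed trace; passing `sample_trace("_app-1")` simulates an AD FS response correlated to the wrong request and is reported.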

Now, you have the flexibility to transition at your own pace. Your users won't notice any disruptions as applications are seamlessly shifted between systems, thanks to the established application sessions. Once your migration to Duo SSO is complete, you can smoothly transition to using Active Directory directly. It's like shedding a layer once you've acclimatized to the climb, leaving you with an efficient and highly secure system to carry you forward on your cybersecurity path.

Want to climb with us? Subscribe to our release notes.

To learn more about Duo SSO and Duo Central as a whole, view our official documentation.