Duo Single Sign-On Now Supports Multiple Active Directory Forests

We are happy to announce that Duo Single Sign-On (SSO) now supports multiple Active Directory (AD) forests, allowing users in multiple domains that have no Active Directory trust between them to connect to a shared set of applications.

There are plenty of reasons why an organization would have more than one domain in their environment: Mergers and acquisitions. Corporate rebranding. A growing number of applications taking advantage of multi-tenancy. Any of these scenarios — and many more — present accessibility and security challenges to IT, sometimes even adding up to domain consolidation projects that never get completed. Consequently, over the lifetime of these migrations, users often experience friction when logging into a shared set of essential business applications, like Microsoft 365 or Dropbox.  

When we started developing support for multiple ADs, we worked through multiple iterations to ensure a frictionless end-user experience.  

We know that organizations want their end users to be able to log into applications quickly and easily, with access that doesn’t require intricate knowledge of the complexities of the IT infrastructure powering their day-to-day work. That’s why we built our support for multiple ADs without requiring users to pick (or know) what authentication source they are coming from. Duo SSO searches for the username across all configured AD authentication sources and, once it finds the user, continues through the rest of the passwordless or multi-factor authentication flows.

“We’ve been using Duo SSO since it launched, but due to the complexity of our environment, we had to pick and choose who used SSO and who had a different experience. It’s great to finally be able to have all of our users on the modern login flow and for us to be able to apply policy to all users.” —Senior Architect, Manufacturing Organization

Adding further Active Directory Authentication Sources to Duo SSO is easy. IT admins simply need to have a Duo Authentication Proxy (or cluster of Authentication Proxies) with a minimum version of 5.5.1 for each unique AD forest.

Once that’s complete, it’s as simple as standing up your preview authentication source. After adding the source, verifying the permitted domain, and running the enrollment command, your new authentication source is ready to go. 

Duo provides a modern, automated SSO solution that helps organizations scale both their accessibility and security quickly and easily. Long gone are the days of standing up and maintaining multiple on-premises servers for each domain.  

Duo SSO is only getting better with time. Want to follow along? Subscribe to our release notes.