
Duo Single Sign-On Support for OpenID Connect (OIDC) Apps Now Generally Available

As hybrid work continues in 2023 and into the foreseeable future, employees are demanding flexibility when accessing applications from any location and device. At the same time, organizations must safeguard their network and systems against data breaches, particularly since stolen credentials are involved in more than 80% of breaches from web application attacks. Adopting modern authentication standards like OpenID Connect (OIDC) helps organizations reduce the risk of data breaches.

Today, we are excited to announce the General Availability release of Duo’s Single Sign-On (SSO) support for OpenID Connect. OIDC enables devices to verify identities based on authentication done by an authentication server. It lets application and website developers authenticate users without storing and managing other people’s passwords, which is both difficult and risky. Duo SSO can now be used for applications that use either OIDC or SAML 2.0 standards.

Supporting OIDC allows us to protect more of the applications that our customers are adopting as we all move towards a mobile-first world and integrate stronger and modern authentication methods such as biometrics.

What is OpenID Connect (OIDC)?

OpenID Connect is an identity layer that works on top of the OAuth 2.0 protocol adding Authentication to what has historically been used for Authorization purposes. This FAQ includes a nice at-a-glance representation as follows:

(Identity, Authentication) + OAuth 2.0 = OpenID Connect

OAuth 2.0 offers a variety of grant types, each supporting its own set of use cases, both on their own and, often, in combination with one another. The most common OAuth grant types include the following:

  • Available Now (supported by Duo SSO)

    • Authorization Code

    • Authorization Code with Proof Key for Code Exchange (PKCE)

  • Public Preview (Early Access)

    • Client Credentials

  • Coming Soon

    • Refresh Tokens

  • Other Grant Types

    • Device Code

    • Hybrid

The Journey to Duo SSO support for OIDC

We have been on a journey to help various organizations in different industries – including healthcare, IT, telecommunications, manufacturing and education – protect several OIDC-based applications. This was made possible by our partnership with our Active Development Program customers.

Here is one of our customers sharing their experience:

"As the second largest mobile network operator in Saudi Arabia, protecting both our own and our customers' data is very important to us. But we also have to balance security with employee productivity. Cisco Duo is a trusted security partner whom we rely on for enabling employees to both seamlessly and safely access internal cloud and on-premises applications like mCan and Oracle ERP. We are excited that Duo has finally brought to market support for OpenID Connect (OIDC)-based applications, which we were one of the first to try in public preview. So far, we have deployed SSO to 45% of our users and plan to expand to all our employees and contractors to ensure we are securing every connection to critical business apps no matter where our employees connect from. Duo is helping us to achieve stronger and comprehensive security for our business-critical applications while maintaining a seamless user experience." - Chandan Tripathi, Identity and Access Management Principal at Mobily

In the General Availability release, we support these grant types: OIDC Authorization Code and Authorization Code with Proof Key for Code Exchange (PKCE) – with more coming over the course of the year.

Applications supported today are Epic’s Haiku, Canto, and Rover mobile applications. Additional applications that could work but are not yet in the Duo named apps catalog are: Salesforce, IBM Spectrum Virtualize, IFS Cloud, Datto, Grafana, and AWS Verified Access.

Screengrab of the CloudFlare Access OIDC dashboard

Who can use this new capability?

OIDC and OAuth 2.0 support is now available to all customers using Duo Single Sign-On. To enable it, select Generic OIDC Relying Party or OAuth 2.0 Client Credentials from the Protect an Application list in the Duo Admin Panel.

Here is a quote from one of our customers who is excited about the OIDC support in Duo SSO:

“We have been using Duo SSO so employees can conveniently and safely access various corporate apps, which are SAML 2.0-based. We have deployed a handful of applications with the newly released OIDC support and we are excited to see that Duo is evolving into a more comprehensive platform.” - Jason Waits, CISO at Inductive Automation

We look forward to seeing what you protect with this new capability! And do join the Duo Community to share your learnings and feedback to improve the product, plus help others by educating them on best practices. This forum consists of security professionals who can help you get started with or get better at administering and using Duo.