
Harmonizing Access Control With Routing Rules

Available now in Public Preview for all paid Duo subscriptions

  • Seamlessly connect multiple identity providers to Duo

  • Orchestrate secure access for multi-domain environments

“Routing Rules just make sense, and it is great to see all of our users under one single Duo tenant.” — Head of IT, Biotechnology Organization

Today, we are proud to announce the launch of Routing Rules for Duo Single Sign-On (SSO) into Public Preview.

Historically, Duo Single Sign-On (Duo SSO) only supported one SAML Identity Provider (IdP) per account, which caused issues for multi-domain environment use cases. With the introduction of Routing Rules, Duo SSO now adds support for simultaneously authenticating users to multiple SAML identity providers and multiple Active Directory (AD) sources. Routing Rules also improves the well-adopted support for multiple Active Directory (AD) sources by allowing for more targeted requests to the proper AD environment. This ensures Duo SSO is prepared for all your users and can deliver a better user experience while reducing the load on your existing Duo Authentication Proxy infrastructure.

With organizational growth and diversification come more intricate authentication needs. A good example is mergers and acquisitions, which frequently require support for multi-domain use cases. This innovative solution is crafted to synchronize your identity access control, much like a maestro orchestrates a symphony, ensuring every authentication is delivered to the right authentication source at the right moment.

Modern organizations often rely on multiple identity providers to meet their diverse needs. With Routing Rules, you can configure detailed access rules based on conditions. For example, when an identity accesses an application, the email domain, network space, and application itself can be assessed in the Routing Rules profile to intelligently route the user to the correct downstream identity provider. This flexibility ensures access is granted under exact conditions, especially when combined with the rest of Duo’s amazing policy stack, enhancing the overall security posture of growing organizations.

One of the standout features of Duo is that, rather than treating sign-in as just a delegated authentication event, Duo retrieves the most up-to-date attribute set from the Active Directory or SAML source in real time, enabling both Duo and the applications being logged into to perform more secure authorization checks.

Let’s walk through a use case example

Acme Corp. acquired Globex and the acquisition is closing faster than expected. Each organization has its own infrastructure, including different domains (multi-domain), multiple identity providers, applications, security tools and resources. With the acquisition closing, an administrator needs to be able to route traffic intelligently for the two unique profiles to ensure members have the correct experience and authenticate with the right downstream identity provider.

  • The acquired Globex domain users will need to authenticate with Okta for Workday and Google for Acme’s Salesforce.

  • The existing Acme domain users will still need to authenticate with Active Directory for Workday.

A web diagram showing how Duo Routing Rules orchestrates access between users, Workday, Salesforce, Active Directory, Okta, and Google Cloud based on domain, IP, and application

In Duo, the Routing Rules configuration would look like the screenshot below:

Screenshot of the Routing rules configuration page in Duo

As you see in the diagram, if the Globex user accesses Workday, Duo will orchestrate access to the Okta authentication source. However, if the Globex user accesses Salesforce or any other application, the user will need to authenticate with Google Workspace. Lastly, the Acme user will authenticate strictly with Active Directory for all applications in this example scenario.
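The Acme/Globex routing above, modeled as an added example; it is not Duo's code or configuration format. First-match rule ordering, the `Rule` fields, the `None` result for unmatched logins, and the `.example` domains and addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    source: str                        # authentication source to route to
    domains: frozenset = frozenset()   # empty = any email domain
    apps: frozenset = frozenset()      # empty = any application (lowercase names)
    networks: tuple = ()               # CIDR strings; empty = any client network

    def matches(self, domain, app, ip):
        if self.domains and domain not in self.domains:   # exact match, never suffix
            return False
        if self.apps and app.lower() not in self.apps:
            return False
        nets = [ipaddress.ip_network(n) for n in self.networks]
        return not nets or any(ip in n for n in nets)

# Constructed rules for the Acme/Globex scenario; the domains are placeholders.
# Under the assumed first-match model the Workday rule must precede the catch-all.
RULES = [
    Rule("Okta", frozenset({"globex.example"}), frozenset({"workday"})),
    Rule("Google Workspace", frozenset({"globex.example"})),
    Rule("Active Directory", frozenset({"acme.example"})),
]

def route(username, app, client_ip, rules=RULES):
    """Return the authentication source for a login, or None if no rule matches."""
    local, sep, domain = username.strip().rpartition("@")
    if not (sep and local and domain):
        return None                    # not an email-style username: do not guess
    domain = domain.lower().rstrip(".")
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule.matches(domain, app, ip):
            return rule.source
    return None                        # unmatched: caller decides to deny or default
```

In this model, placing the Globex catch-all rule ahead of the Workday rule would send Globex Workday logins to Google Workspace instead of Okta, so rule order is part of what to review.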

Experience Duo Routing Rules today!

Routing Rules is a solution for various use cases across sectors, including organizations dealing with mergers and acquisitions, multi-domain environments, multiple IdPs, multinational corporations, and any business looking to secure access to applications with different IdPs based on routing conditions. On that note, we’re excited to see what symphonies Duo administrators orchestrate with Routing Rules.

Head over to the Duo docs page to learn more!