Improved Self-Service. Less Code. Hosted Device Management via Duo SSO Is Now in Public Preview.
Millions of users carry Duo Mobile around in their pocket daily. On top of that, you have some users with it also installed on their tablets or who carry around their precious YubiKey. This authentication device is central to them being able to log in and start their workday or to turn in that big assignment five minutes before that midnight due date. However, sometimes these devices change. Sometimes accidents happen. There are many reasons why users may need to update their Duo authentication device (e.g., Touch ID, security keys, mobile phone), and having an easily accessible way to do this, without needing to contact IT staff for help, is crucial to their overall experience with Duo.
In 2014, Duo added the Self-Service Portal to the Duo Prompt - allowing users to enroll and manage their authentication devices from any web-based application that was protected by Duo. Then, in 2016, we released the Device Management Portal which provided an SDK for customers to embed Duo’s self-service offering on their own web server, backed by their own primary authentication provider. This empowered customers to put their own security controls in front of the portal, have their own identifiable URL that points users towards the service, and link out to it from anywhere that they see fit.
The next thing we knew, we started logging feature requests for a fully-hosted device management tool for users!
This was understandable: many customers we work with do not wish to host more on-premises servers than needed to work with Duo, a SaaS provider, and many times they did not have the development resources necessary to spin up this service or configure it to work with their user directory. Nonetheless, they had the same problem to solve: how to decrease friction for users when they need to add, remove or edit their authentication devices.
The challenge in solving this problem over the years is that while Duo has had ways to sync user information, we have not had a way to complete primary authentication from our cloud service to customer directories. That is, until we released Duo Single Sign-On.
Duo Single Sign-On is a fully hosted SSO service that connects to either on-premises Active Directory or a SAML Identity Provider. Users can authenticate either directly from cloud applications or from Duo Central, an application launcher for both SSO-enabled applications and bookmarks of your choice.
Now that we can tie into an authentication source of choice, securely hosting device management becomes possible! As part of this update, you can now enable access to the new Universal Prompt Self-Service Portal from a My Devices link in Duo Central and from a direct link.
When using the direct link, users will be directed to authenticate using Duo SSO, have their device policy checked through Duo Central’s policy stack, and finally land on the Self-Service Portal. We are excited to see how customers build out their help desk sites and automations without the reins of on-premises servers!
This new way to manage authentication devices will start rolling out to Duo SSO customer accounts between May 19th and May 26th. Check out our documentation to get started!
If you still need to connect Duo Single Sign-On to your LDAP or SAML authentication source of choice, check out our Duo Single Sign-On Configuration Documentation!
Want to learn more about how Duo Security can fit into your security stack?
Check out our on-demand #CiscoChat panel discussion with real-world security practitioners on how they have implemented secure access best practices for hybrid work using Duo.