
Insert Tokens to Play! OpenID Connect (OIDC) Support in Duo SSO Is Now in Early Access

We are in an ever-changing world where tens, hundreds, sometimes even tens of thousands of applications are being used to keep your business moving forward. We see this here at Duo and Cisco every single day! As organizations work tirelessly to adopt these new business-critical applications, the identity and security industries are doing the same to ensure that end users have secure, frictionless access to all of them.

Today, we are excited to announce the Early Access release of Duo’s Single Sign-On (SSO) support for OIDC.

To date, Duo SSO has only supported SAML 2.0 web applications. Supporting OIDC allows us to protect more of the applications that our customers are adopting as we all move towards a mobile-first world and integrate stronger, more modern authentication methods (e.g., biometrics).

What is OIDC?

OpenID Connect is a modern authentication protocol that lets application and website developers authenticate users without storing and managing other people’s passwords, which is both difficult and risky. Another benefit of OIDC is that end users find it easy to sign up and register on websites, thereby reducing website abandonment. Organizations that adopt third-party OIDC apps, and developers who build them, want to give their users (B2C, B2B) single sign-on access to those apps.

OIDC is an identity layer that works on top of the open OAuth 2.0 protocol, adding authentication to what has historically been used for authorization. OAuth 2.0 offers a variety of grant types that support unique sets of use cases, both on their own and, often, in combination with one another. The most common OAuth grant types include:

  • Authorization code

  • Authorization code with proof key for code exchange (PKCE)

  • Client credentials

  • Device code

  • Hybrid

  • Refresh tokens

What can you protect today?

We have been on a journey to help various organizations in different industries (healthcare, IT, manufacturing) protect several OIDC-based applications. We could not have done this without the amazing partnership of our Active Development Program customers. Here is one of those customers sharing their experience.

“OIDC has been phenomenal. It’s made everyone’s lives easier. Every time I click the button I am filled with joy.” – Iain McMullen, Director of Technology, Birmingham Consulting

In the Early Access release of Duo SSO support for OIDC, we will support two grant types: OIDC Authorization Code and OAuth 2.0 Client Credentials – with more coming before our Generally Available release. Organizations that use either or both grant types can participate in the Early Access release starting later this week!

Applications tested so far include Epic’s Haiku, Canto, and Rover mobile applications, Salesforce, IBM Spectrum Virtualize, IFS Cloud, Datto, and AWS Verified Access.

“We are very pleased that Duo SSO now supports OpenID Connect which allows us to secure more applications that our employees access on a regular basis. We use Duo SSO for securing access to Microsoft 365, Cisco AnyConnect VPN, and IFS Aurena, our ERP system. We will continue to integrate Duo in more applications and plan to expand usage to 50x more users over the next few months. We are glad we chose Duo for securing access to modern apps that our hybrid workforce depends on.” – Carlos Cortes, Business Systems Administrator, ASO Worldwide

How do I sign up?

OIDC and OAuth 2.0 support will start rolling out over the next week and be available to all customers using Duo Single Sign-On. To enable it, select Generic OIDC Relying Party or OAuth 2.0 Client Credentials from the Protect an Application list in the Duo Admin Panel.

We look forward to seeing what you protect with this new capability and invite you to share learnings and feedback with us. And if you want to learn more, check out our Duo + AWS Solution Brief.