Untangling the identity web: Why a secure identity broker is your new best friend
The digital world has exploded, and with it, the complexity of managing who accesses what. Today's workforce expands beyond just "employees"—it's a dynamic mix of contractors, partners, and even unique groups like alumni and retirement beneficiaries. Each has distinct access needs. Add to this the sprawl of identity providers (IdPs) and directories from mergers and acquisitions (M&A) or organic growth, and you're left with a tangled web of Active Directory, Okta, Entra ID, and more. It's like trying to conduct an orchestra where every section is playing from a different score.
This sprawling infrastructure creates a constant security headache. How do you set consistent, secure policies when identities are scattered across various systems, each with different security capabilities?
For many organizations the result is security gaps and administrative burnout. A recent survey found that 73% of IT and security leaders feel security is an afterthought in identity infrastructure decisions, and 75% cite complexity as a key security challenge. Admins on the ground are no strangers to complexity: the average enterprise identity is now spread across nearly five separate systems, introducing friction and increasing the attack surface.
“73% of IT and security leaders feel security is an afterthought in identity infrastructure decisions, and 75% cite complexity as a key security challenge.”
Source: 2025 State of Identity Security Report
The challenge organizations face is that traditional identity and access management (IAM) vendors tend to prioritize features for their own service and rely on add-ons for robust security, leaving a glaring gap in identity environments.
At Duo, we believe security and simplicity should be foundational. It’s why we recently announced our Duo IAM platform, the security-first approach to IAM. As a part of that offering, we developed Duo Directory, our cloud-native identity provider, and Routing Rules for Duo Single Sign-On (SSO). These innovations enable Duo to act as a powerful, secure orchestration layer atop your existing identity investments. Think of Duo as a uniting score across the orchestra. Now administrators, your maestros, can bring harmony to the identity symphony, ensuring every authentication is delivered to the right source, with the right security, at the right moment and with the least friction possible.
Why you need an identity broker: Real-world scenarios
What is an identity broker?
An identity broker complements heterogeneous identity systems by implementing secure, consistent policy for any identity, regardless of source system and target resource.
This "identity broker" layer is crucial because it ensures every identity, from every provider, is routed to the right place with the most effective security policy and controls in place.
Securing third-party and contractor access
Take, for example, securing contractors and third parties. Organizations often struggle to apply consistent security to these transient identities that require faster identity lifecycles and higher access scrutiny. With Duo as your identity broker, you can easily separate employee and contractor access:
Place contractor identities directly into Duo Directory using an easy external directory sync to pull attributes from your existing IdPs.
Enforce powerful controls like Risk-Based Authentication and phishing-resistant MFA on third parties and contractors to enhance security posture.
Your employees remain on their existing IdP, with the option to apply Duo's powerful security functionality for them if desired.
Routing Rules intelligently direct traffic: contractors authenticate via Duo Directory, while employees are routed to their established source. This extends Duo's best-in-class security to all identities.
Solving identity for mergers and acquisitions
As another example, consider M&A. When two companies merge, you face distinct infrastructures and multiple IdPs. The complexity slows down integrations, delays onboarding and drives up operating costs. Routing Rules intelligently direct users based on email domain, network, or application. For example, acquired users accessing Workday might go to Okta to establish authentication, while existing employees use Active Directory. Duo ensures everyone gets the correct, secure experience.
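To make the routing logic of the contractor and M&A scenarios above concrete, here is a small first-match rule evaluator. It is an added illustration, not Duo's own code or configuration: the IdP names, the contractor and acquired-company domains, the office CIDR and the application names are constructed placeholders, and the "first matching rule wins" ordering is an assumption about how such a broker would typically evaluate rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class AuthRequest:
    email: str
    source_ip: str
    application: str

@dataclass
class Rule:
    idp: str                               # where matching users authenticate
    domains: frozenset = frozenset()       # email domains (empty = any)
    networks: frozenset = frozenset()      # source CIDRs (empty = any)
    applications: frozenset = frozenset()  # target apps (empty = any)
    phishing_resistant_mfa: bool = False   # extra control for this cohort

    def matches(self, req: AuthRequest) -> bool:
        # Every condition set on the rule must hold; unset ones match anything.
        domain = req.email.rsplit("@", 1)[-1].lower() if "@" in req.email else ""
        if self.domains and domain not in self.domains:
            return False
        if self.networks:
            try:
                ip = ip_address(req.source_ip)
            except ValueError:   # unparsable address never satisfies a network rule
                return False
            if not any(ip in ip_network(n) for n in self.networks):
                return False
        if self.applications and req.application not in self.applications:
            return False
        return True

# Constructed rule set mirroring the post's scenarios (placeholder names, not
# real configuration): contractors -> Duo Directory with phishing-resistant MFA,
# acquired users on Workday or on the acquired office network -> Okta.
RULES = [
    Rule("Duo Directory", domains=frozenset({"contractor.example"}), phishing_resistant_mfa=True),
    Rule("Okta", domains=frozenset({"acquired.example"}), applications=frozenset({"Workday"})),
    Rule("Okta", networks=frozenset({"10.20.0.0/16"})),
]
DEFAULT = Rule("Active Directory")  # existing employees stay on their current IdP

def route(req: AuthRequest, rules=RULES, default=DEFAULT) -> Rule:
    # First matching rule wins, so rule order is part of the policy.
    for rule in rules:
        if rule.matches(req):
            return rule
    return default
```

Note that a malformed email or source address falls through to the default rule rather than to a more privileged one, which is the safe direction for a fallback.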
In each of these cases, seamless access is coupled with robust security functionality.
This is security-first IAM in action: providing powerful controls like phishing-resistant MFA, Risk-Based Authentication, and Device Trust, while at the same time prioritizing simplicity and flexibility for administrators and end users.
The identity landscape remains complex. But with Duo as your secure identity broker, you can finally make sense of the noise and untangle the mess. Our flexible, security-first approach ensures all identity types securely access corporate resources. It's time to bring harmony back to your identity infrastructure.
Duo makes security-first IAM simple
In the music mood? Watch all the ways Duo Directory can secure your environment in our on-demand webinar “Protecting Here, There, and Everywhere with Duo IAM” and see a cheeky way to put the “fun” in AI functionality.
Or, jump straight in and reach out to an identity expert.