Managing Duo Administrators

Introduction

Create, manage, and delete Duo administrator accounts from the Duo Admin Panel.

Duo administrator accounts are distinct from Duo user accounts, which are the ones your end users utilize to log in to Duo-protected services and applications with two-factor authentication. Please see Managing Duo Users for more information about administering Duo accounts for your end users.

To access the Duo Admin Panel, navigate to https://admin.duosecurity.com, enter your administrator account email address and password, and click Submit. After your login is accepted, you then must authenticate using a second factor. You must activate your administrator account for Duo Mobile separately from your user account to use Duo's push authentication. See Managing Administrators for instructions.

Once logged in, click Administrators on the left side of the Duo Admin Panel. Here you are able to add, remove, and modify administrators (which are the users that have access to the Duo Admin Panel).

Only Duo administrators with the Owner role may create and manage other Duo administrators. Duo admins with other roles can update their own password and modify the phone used for login verification (change the phone number or activate Duo Push).

Duo Administrator Roles

Duo administrators may be assigned one of these management roles:

  • Owner: The Owner role grants full access to all actions and settings in the Duo Admin Panel. Only admins with the Owner role can create, update, or delete other administrators.

  • Administrator: The Administrator has full access to users, settings, and applications (except for the Admin API and Account API application types). An Administrator cannot view or update billing information or make purchases, nor can an Administrator create, view, or modify any other Administrators.

  • Application Manager: The Application Manager role can add, update, and remove protected applications (except for the Admin API and Account API application types). Application Managers may also view limited information about users and devices. In the Duo Beyond and Duo Access plans, Application Managers can assign custom policies to applications and groups, but cannot create or edit policy settings.

  • User Manager: The User Manager can create, update, and delete users, phones, tokens, and bypass codes. The User Manager can also configure and run directory synchronization.

  • Help Desk: Help Desk administrators can view and update existing users, phones, tokens, and bypass codes; and can send Duo Mobile activations to users. Help Desk admins cannot create or delete users, run a directory sync, or export information to a text file. You can restrict help desk admins' ability to create bypass codes for users in Help Desk settings.

  • Billing: The Billing role allows view and update of billing information, hardware tokens and telephony credits purchases, and management of sub-accounts. This role may only access the Dashboard and Billing page.

  • Phishing Manager: Administrators with the Phishing Manager role can launch and monitor phishing campaigns from the Duo Admin Panel. This role can also view limited information about Duo users and groups.

  • Read-only: Admins assigned the Read-only role may view (but not modify) basic information about users, groups, phones, tokens, and applications, as well as view reports. Read-only administrators may not access the Billing and Directory Sync pages.

Summary of Administrative Roles Permissions

Learn more about delegating administrator rights with role assignments at Duo Administrative Roles.

Listing Administrators

  1. Log in to the Duo Admin Panel as an Owner and click Administrators in the left sidebar. The list shows administrator names, roles, email addresses, and phone numbers.

    List of Administrators

    Click the Reports button in the upper right side of the log display and select CSV or JSON to download a list of administrators. You can also select URL to obtain a direct link to your current administrators view. If you've filtered your current view (for example, by entering search text in the search box), the report only includes the filtered results.

  2. Clicking on an administrator's name displays details about that user, including the assigned role.

    Admin User Details

You can jump directly to your own administrator account details by clicking Edit Profile in the upper right hand corner of the Duo Admin Panel.

Update Current Admin Settings

Add an Administrator

  1. Log in to the Duo Admin Panel as an Owner and click Administrators in the left sidebar.

  2. Click either the Add Administrator menu item, or the Add Administrator button at the far right.

  3. Enter the new Duo administrator's email and name. The email address entered here is the new admin's sign-in name, so it must be unique.

  4. Enter and confirm a password for the new admin. Passwords must have at least eight characters, and may also require a mix of character types depending on your Admin Password Policy settings.

    The new administrator may change their account password after the first successful authentication. If you'd like to enforce that the new admin sets their own password at first login, enable the Require administrator to change password the next time they log in option.

  5. Enter a secondary authentication phone number. This is the number that Duo uses for SMS or phone call two-factor authentication to the Admin Panel, and is required. Optionally assign a hardware token for secondary authentication to the new admin.

  6. Select the desired permissions role for the new administrator, and if you're using the Administrative Units feature you can also enter the new admin's administrative unit assignments now.

  7. Click the Add Administrator button to finish.

    Add new administrator

Changing an Administrator's Permissions

To reassign an administrator's role:

  1. Log in to the Duo Admin Panel as an Owner and click Administrators in the left sidebar.

  2. Click on the administrator's name.

  3. Select the new role for that administrator from the Permissions list and click the Save Changes button.

Deleting an Administrator

To remove an administrator:

  1. Log in to the Duo Admin Panel as an Owner and click Administrators in the left sidebar.

  2. Click on the administrator's name.

  3. Click the Delete Administrator button to remove that user. You'll be prompted to verify your action. You cannot delete the currently logged in administrator.

Changing an Administrator's Password

To change an administrator's password:

  1. Log in to the Duo Admin Panel as an Owner and click Administrators in the left sidebar.

  2. Click on the administrator's name to view details.

  3. In the "Primary Authentication" section of the administrator's details page enter then confirm the new password. Passwords must have at least eight characters, and may also require a mix of character types depending on your Admin Password Policy settings.

    If you'd like to enforce that the new admin resets the password you've assigned, enable the Require administrator to change password the next time they log in option.

  4. Click the Save Changes button. The new password will be applied immediately.

Updating an Administrator's Secondary Authentication Methods

All administrators must use two-factor authentication to access the Duo Admin Panel. When logging in to the Duo Admin Panel, you'll see a prompt like this:

Admin User Login Prompt

After submitting a valid username and password, you can select a delivery method for a one-time passcode (in most cases, this will be either SMS message or phone callback for your initial login), or enter an OTP passcode generated by a hardware token if one is attached to your administrator account.

If you clicked "Text Me" or "Call Me", enter the passcode you receive via text message or in a voice call and click Submit.

SMS sent detail

A phone number is required when creating a Duo administrator. This is the number that Duo uses for two-factor authentication to the Admin Panel. That phone number (and extension, if necessary) is shown in the "Secondary Authentication → Phone number" field of an administrator's details page. The number can be updated at any time:

  1. Log in to the Duo Admin Panel as an Owner and click Administrators in the left sidebar.

  2. Click on the administrator's name to view details.

  3. Scroll down to the "Secondary Authentication" section of the details page. Enter the new phone number, then click the Save Changes button.

Assign a Token for Administrator Authentication

Assigning a hardware token to an administrator permits token passcode authentication when logging in to the Duo Admin Panel. Administrators can use hardware tokens purchased from Duo and third-party one-time password (OTP) hardware tokens, such as YubiKey OTP or any other OATH HOTP-compatible tokens. You can continue to use other authentication methods for the Duo Admin Panel like Duo Push and passcodes received via SMS or phone call.

Only account owners may modify other administrator accounts to add hardware token authenticators.

To attach a token to an existing administrator:

  1. Log in to the Duo Admin Panel as an Owner and click Administrators in the left sidebar.

  2. Click on the administrator's name to view details.

  3. Click the drop-down menu to see a list of available hardware tokens. You can also search for a token by typing in the serial number.

    Add administrator token information

    Click a token to select it, and then click Save Changes at the bottom of the page.

  4. The administrator's properties page shows the newly added token. Click the Remove link to the right to remove the hardware token from the administrator's account.

    View or remove administrator hardware token

    You must remove a hardware token from any attached administrator accounts before deleting the token from Duo.

Use Duo Push for Administrator Authentication

Duo administrators can also use Duo Mobile for secondary authentication via Duo Push. This "one-tap authentication" is both secure and convenient. See Duo Push in action, then download the Duo Mobile app to get started.

To activate Duo Push for your administrative account:

  1. Install Duo Mobile on your mobile device.

  2. Log in to the Duo Admin Panel and click Edit Profile, shown in the upper right hand corner of the page.

    Update current admin settings link

  3. Scroll down to the Secondary Authentication section and click the Activate link next to Duo Push.

    Activate Duo Push link

  4. Open Duo Mobile on your device. Tap the plus sign (+) to add a new account, and scan the barcode displayed on your computer screen. If your mobile device doesn't have a camera, click the link below the barcode to email an activation link to your mobile device.

    Duo Push activation barcode

  5. Your administrator account is now activated. Log out of the Duo Admin Panel, then submit your username and password and click Duo Push to give it a try.

    After clicking Duo Push, the button indicates that a login request was sent to your device.

    Pushing to your device

    Now approve the Duo Push request when it arrives on your device, and you'll be fully authenticated and logged in.

    Admin request using Duo Push

Unlocking an Administrator

A Duo administrator's account is locked out after ten unsuccessful primary or secondary login attempts. Another administrator on the same account with equal or greater privileges can reset the authentication attempt failure count. Otherwise, the administrator lockout expires 24 hours after the last failure.

To reset the authentication attempt failure count:

  1. Log in to the Duo Admin Panel as an Owner and click Administrators in the left sidebar.

  2. Click on the locked-out administrator's name to view details.

  3. Scroll down to the "Lockout" section and click the Reset link. The change is applied immediately.

    Reset Administrative User Lockout

Recovering Access to an Administrator Account

If you're unable to log into your Duo Admin Panel account, work with another of your organization's Duo administrators to regain access. Resetting another administrator's password or updating an admin's secondary authentication devices requires the Owner role. We recommend creating at least two administrative users with the Owner role per account for redundant access to the Admin Panel.

If no other administrators with the Owner role exist in your account, please contact Duo Support to begin the recovery process.

Administrator Login Settings

Single Sign-On with SAML

If you have a SAML 2.0 identity provider (IdP) in your environment, you can configure single sign-on (SSO) login for Duo administrators to the Duo Admin Panel. When using SAML for Duo administrator login, you'll be redirected to your IdP's login page to submit your SSO username and password. After successful password verification, you'll then be sent back to the Duo Admin Panel login page to complete two-factor authentication before gaining access.

Duo does not support user provisioning via SAML for administrator accounts. All Duo administrator accounts must be created manually or via the Admin API with a password, regardless of whether they'll log in via SSO or not.

When configuring your SSO provider, you'll need to send the Duo administrator's email address as the NameID, and the email address must match the admin's email address in Duo.

Configure SAML SSO

To enable administrator SSO:

Role required: Owner

  1. Log in to the Duo Admin Panel.

  2. Click Administrators in the left sidebar, and then click Admin Login Settings.

  3. Scroll to the Single Sign-On with SAML Configuration section of the "Administrator Login Settings" page.

  4. Enable SSO by changing the "Authentication with SAML" setting. The options for this setting are:

    • Disabled - SSO login unavailable; all Duo administrators log on with username and password (the default).
    • Optional - SSO login available; Duo administrators may choose to log in either via SAML or with username and password.
    • Required - SSO login available; Duo administrators with the Owner role may log in either via SAML or with username and password. All other administrator roles must log in via SAML.

    Admin SAML Options

Selecting the Optional or Required SAML authentication option exposes the rest of the SSO configuration form. You'll need to enter or upload information about your SAML identity provider in the SAML Identity Provider Settings section, and then provide the metadata information from the Duo Admin Panel to your IdP.

Refer to the instructions for your preferred identity provider, or use the Custom Identity Provider if yours isn't listed.

If you haven't already deployed Duo Access Gateway for SSO you'll need to do that first and configure it with an authentication source before you can set up Admin SSO.

Duo Access Gateway does not support encrypted assertions.

Deploy Duo Access Gateway

  1. Install Duo Access Gateway on a server in your DMZ. Follow our instructions for deploying the server, configuring Duo Access Gateway settings, and adding your primary authentication source.

  2. Add the attribute from the table below that corresponds to the Duo Mail attribute in the "Attributes" field when configuring your Active Directory or OpenLDAP authentication source in the Duo Access Gateway admin console. For example, if Active Directory is your authentication source, enter mail in the "Attributes" field.

    Duo Attribute     Active Directory    OpenLDAP
    Mail attribute    mail                mail

    If your organization uses another directory attribute than the ones listed here then enter that attribute name instead. If you've already configured the attributes list for another cloud service provider, append the additional attributes not already present to the list, separated by a comma.

  3. After completing the initial Duo Access Gateway configuration steps, click Applications on the left side of the Duo Access Gateway admin console.

  4. Scroll down the Applications page to the Metadata section. This is the information you need to provide to the Duo Admin Panel when configuring SAML authentication for the Duo Admin Panel. Click the Download XML metadata link to obtain the DAG metadata file (the downloaded file is named "dag.xml").

    DAG Metadata Information

Create the Duo Admin Panel Application in Duo

  1. Log on to the Duo Admin Panel from the Duo Access Gateway server console and navigate to Applications.

  2. Click Protect an Application, locate SAML - Duo Admin Panel in the applications list, and click Protect this Application. See Getting Started for help.

  3. The new Duo Admin Panel SAML application assumes you're configuring administrator SSO for the same Duo account where you created this new SAML application.

    If you'd like this new Duo Admin Panel SAML application to provide SSO authentication for a different Duo account, enter the SAML URL from the "Metadata for Configuring with Duo Access Gateway" section of the "Single Sign-On with SAML Configuration" option on the "Administrator Login Settings" page in the Duo Admin Panel for that other Duo account, e.g. https://admin-abcd1234.duosecurity.com/saml/D1ABCDEFGH12345678.

  4. The Duo Admin Panel uses the Mail attribute when authenticating. We've mapped Mail attribute to Duo Access Gateway supported authentication source attributes as follows:

    Duo Attribute     Active Directory    OpenLDAP    SAML IdP    Google    Azure
    Mail attribute    mail                mail        mail        email     mail

    If you are using a non-standard email attribute for your authentication source, check the Custom attributes box and enter the name of the attribute you wish to use instead.

  5. Click Save Configuration to generate a downloadable configuration file.

    Duo Admin Panel SAML Application Settings

  6. You can adjust additional settings for your new Duo Admin Panel SAML application at this time — like changing the application's name from the default value, enabling self-service, or assigning a group policy — or come back and change the application's policies and settings after you finish SSO setup. If you do update any settings, click the Save Changes button when done.

  7. Click the Download your configuration file link to obtain the Duo Admin Panel SAML application settings (as a JSON file).

    Important: This file contains information that uniquely identifies this application to Duo. Secure this file as you would any other sensitive or password information. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Add the Duo Admin Panel Application to Duo Access Gateway

  1. Return to the Applications page of the Duo Access Gateway admin console session.

  2. Click the Choose File button in the "Add Application" section of the page and locate the Duo Admin Panel SAML application JSON file you downloaded from the Duo Admin Panel earlier. Click the Upload button after selecting the JSON configuration file.

  3. The Duo Admin Panel SAML application is added.

Configure Duo Admin Panel

  1. Return to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings.

  3. Change the "Identity provider" to Duo Access Gateway.

  4. Change the "Configuration method" to From file.

  5. Click the Choose file button next to "Metadata File" and select the dag.xml metadata file you downloaded from your Duo Access Gateway server earlier.

  6. Click the Save button at the bottom of the page.

    Duo Admin Panel DAG SAML Identity Provider Settings

Download Metadata from the Duo Admin Panel

  1. Navigate to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings.

  3. Change the "Identity provider" to ADFS.

  4. Check the box next to Require SAML assertions to be encrypted if you wish to use encryption.

  5. Scroll down to the bottom of the page and click Save.

  6. Scroll to "Download XML File" in the "Metadata for Configuring with ADFS" section and click the duo_saml_metadata.xml link to download a copy of the metadata file. The downloaded file name is duo_saml_metadata.xml. This metadata file is uniquely generated for your Duo customer account. If you are using encrypted assertions, it is important to save the single sign-on configuration before downloading the Duo metadata to ensure it includes the information necessary for encryption.

Add the Duo Admin Panel Relying Party in AD FS

  1. Log into your AD FS server as a Domain Admin or member of the server's local Administrators group and open the AD FS Management console.

  2. Click the arrow icon next to Trust Relationships on the left-hand side of the page to expand its options. Skip this step if you are using AD FS 4.

  3. Right click Relying Party Trusts and select Add Relying Party Trust... from the dropdown. A new window will appear.

  4. Review the information on the "Welcome" page and then click Start. In AD FS 4 leave the default choice of "Claims aware" selected and click Start.

  5. Select Import data about the relying party from a file on the "Select Data Source Page". Click the Browse button next to the "Federation metadata file location" field and select the duo_saml_metadata.xml you downloaded from the Duo Admin Panel earlier. Click Next.

  6. On the "Specify Display Name" page enter a name like "Duo Admin Panel SSO" into the Display name field to help you identify this relying party easily later, and click Next.

  7. On the "Configure Multi-factor Authentication Now?" page select I do not want to configure multi-factor authentication settings for this relying party trust at this time. and click Next. In AD FS 4 this page is called "Choose Access Control Policy". Select the access control policy for this application from the list. The simplest option is to choose the default "Permit everyone" policy, or if you want to restrict Duo Admin Panel access select the built-in or custom access control policy that meets your needs. After selecting an access control policy click Next.

  8. Click Next on the "Ready to Add Trust" page.

  9. Leave the "Open the Edit claim Rules dialog for this relying party trust when the wizard closes" option checked and click Close. This setting is called "Configure claims issuance policy for this application." in AD FS 4. A new window will appear.

Configure the Duo Admin Panel Relying Party in AD FS

  1. On the "Edit Claim Rules for ..." page click Add Rule.... A new window will appear.

  2. On the "Select Rule Template" page select Send LDAP Attributes as Claims from the dropdown and click Next.

  3. On the "Configure Rule" page type Email as Name ID into the Claim rule name field.

  4. Select Active Directory from the Attribute store dropdown.

  5. Click the dropdown menu under LDAP Attribute and select E-Mail-Addresses.

  6. Click the dropdown menu under Outgoing Claim Type and select Name ID.

  7. Click Finish. You'll be returned to the "Edit Claims Rules for ..." page.

  8. Click Apply and click OK. The page will close and you'll be returned to the AD FS Management console.

    Configure AD FS Claim Rules

  9. Duo requires that AD FS signs both the SAML assertion and message. AD FS only signs the assertion by default, but you can change this behavior with the set-adfsrelyingpartytrust PowerShell command.

    Run PowerShell on the AD FS server as an administrator, and enter the following command:

    set-adfsrelyingpartytrust -targetname "The name of your Duo Admin Panel Relying Party" -samlresponsesignature messageandassertion

  10. Open up a web browser and go to https://Your-AD-FS-Server/FederationMetadata/2007-06/FederationMetadata.xml. This downloads a FederationMetadata.xml XML metadata file to your computer, which you'll upload to the Duo Admin Panel later.
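
An added example (not from Duo's documentation): a Python structural check on a captured SAML response for the two requirements stated above, that both the message and the assertion are signed and that the NameID is a Duo administrator's email address. The sample response, its IDs and the email addresses are constructed, and the script inspects structure only; it does not verify signatures cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def _signed(element):
    """True if the element has its own ds:Signature (direct child only)
    whose Reference URI points back at the element's ID."""
    element_id = element.get("ID")
    sig = element.find("ds:Signature", NS)
    if not element_id or sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref is not None and ref.get("URI") == "#" + element_id


def check_response(xml_text, admin_emails):
    """Return a list of findings; an empty list means the response has the
    shape the page describes. Parse captures from your own IdP only; for
    untrusted XML prefer a hardened parser such as defusedxml."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f'{{{NS["samlp"]}}}Response':
        return ["root element is not samlp:Response"]
    if not _signed(root):
        findings.append("message (Response) is not signed")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted; decrypt before inspecting")
        return findings
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        findings.append(f"expected exactly one Assertion, found {len(assertions)}")
        return findings
    assertion = assertions[0]
    if not _signed(assertion):
        findings.append("assertion is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        findings.append("NameID is missing")
    elif value not in admin_emails:  # exact comparison (assumption)
        findings.append(f"NameID {value!r} does not match any Duo administrator email")
    return findings


def build_sample(sign_message=True, sign_assertion=True, name_id="alice@example.com"):
    """Constructed SAML response; signature values are placeholders."""
    def sig(ref_id):
        return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
                f'<ds:Reference URI="#{ref_id}"/></ds:SignedInfo>'
                f'<ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>')
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
        f'xmlns:saml="{NS["saml"]}" ID="_resp1">'
        f'{sig("_resp1") if sign_message else ""}'
        f'<saml:Assertion ID="_assert1">'
        f'{sig("_assert1") if sign_assertion else ""}'
        f'<saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">{name_id}</saml:NameID>'
        f'</saml:Subject></saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    admins = {"alice@example.com", "bob@example.com"}  # constructed admin list
    cases = {
        "message and assertion signed": build_sample(),
        "AD FS default (assertion only)": build_sample(sign_message=False),
        "NameID not an admin email": build_sample(name_id="carol@example.net"),
    }
    for label, xml_text in cases.items():
        print(label, "->", check_response(xml_text, admins) or "OK")
```
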

Configure Duo Admin Panel

  1. Return to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings.

  3. Change the "Identity provider" to ADFS.

  4. Change the "Configuration method" to From file.

  5. Click the Choose file button next to "Metadata File" and select the FederationMetadata.xml metadata file you downloaded from your AD FS server earlier.

  6. Click the Save button at the bottom of the page.

    Duo Admin Panel AD FS SAML Identity Provider Settings

Configuring Duo administrator SSO using Azure requires entering information from the Duo Admin Panel into the Azure AD portal and vice-versa. Configuring SSO with a custom SAML app requires an Azure Premium subscription.

Azure AD does not support encrypted assertions.

Start Duo Admin Panel Configuration

  1. Navigate to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings.

  3. Change the "Identity provider" to Azure.

  4. Scroll down to the "Metadata for Configuring with Azure" section of the page. You'll need to enter the Identifier and Reply URL into the Azure administrator portal in the next set of steps.

Configure the Duo Admin Panel Application in Azure

  1. In another browser tab or window, log into the Azure portal as a global administrator. Navigate to Azure Active Directory.

  2. Navigate to the Enterprise applications blade and click the New Application link.

  3. Click the Non-gallery application tile on the "Add an Application" blade.

  4. Enter a Name on the "Add your own application" blade, and click the Add button at the bottom. The rest of these instructions assume you named the application Duo Admin Panel.

  5. Once you're on the "Duo Admin Panel" app page in Azure, click the Single sign-on management item (or click Configure single sign-on (required) on the "Quick start" page for your Azure Duo Admin Panel enterprise application).

  6. Change the Single Sign-on Mode on the "Single sign-on" blade to SAML-based Sign-on. This exposes additional configuration options.

  7. Return to the Duo Admin Panel and copy the Identifier from the "Metadata for Configuring with Azure" section of the "Administrator Login Settings" page. Paste the Identifier from Duo into the Identifier field under "Duo Admin Panel Domain and URLs" (or whatever you named this Azure SAML application).

    The Duo Admin Panel Identifier looks like: https://admin-abcd1234.duosecurity.com/saml/D1ABCDEFGH12345678/metadata.

  8. Copy the Reply URL from the "Metadata for Configuring with Azure" section of the "Administrator Login Settings" page in the Duo Admin Panel. Paste the Reply URL from Duo into the Reply URL field under "Duo Admin Panel Domain and URLs".

    The Duo Admin Panel Reply URL looks like: https://admin-abcd1234.duosecurity.com/saml/D1ABCDEFGH12345678/acs.

  9. Scroll down to the "User Attributes" section. Change the User identifier to user.mail.

  10. Scroll further down to the "SAML Signing Certificate" section and check the box next to the Make new certificate active option. Then, check the Show advanced certificate signing settings box and change the Signing option to Sign SAML response and assertion.

  11. Click the Save button at the top of the "Single sign-on" blade.

    Duo Admin Panel Azure App SSO Information

  12. Click the Configure Duo Admin Panel link at the bottom of the "Single sign-on" blade to view the Azure specific configuration information in a new pane. Scroll down to the "Configure Duo Admin Panel for single sign on" section and click the SAML XML Metadata link to download the Azure SSO metadata file. The downloaded XML file has the same name as your Azure SSO application, such as Duo Admin Panel.xml. It may take a few minutes for Azure to create the metadata file after you create the new application.

  13. Click the Users and groups management item on the "Duo Admin Panel" app page and assign this application to those Duo administrators who will sign in to the Duo Admin Panel with SSO.

Complete Duo Admin Panel Configuration

  1. Return to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings if no longer selected.

  3. Change the "Identity provider" to Azure.

  4. Change the "Configuration method" to From file.

  5. The "Metadata File" is the SAML XML metadata you downloaded earlier from the Azure portal. Click the Choose File button to select the Duo Admin Panel.xml file (or whatever you named your Azure SSO application).

  6. Click the Save button at the bottom of the page.

    Duo Admin Panel Azure SAML Identity Provider Settings

Configuring Duo administrator SSO using Google requires entering information from the Duo Admin Panel into the Google Admin console and vice-versa.

Google does not support encrypted assertions.

Start Duo Admin Panel Configuration

  1. Navigate to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings.

  3. Change the "Identity provider" to Google.

  4. Scroll down to the "Metadata for Configuring with Google" section of the page. You'll need to enter the Entity ID and ACS URL into the Google Admin console in the next set of steps.

Configure the Duo Admin Panel Application in Google

  1. In another browser tab or window, log into the Google Admin console as a user with the "Super Admin" role or "Security Settings" privileges. Navigate to Apps → SAML Apps.

  2. Once on the "SAML Apps" page, click the yellow plus sign in the bottom right to begin creating a new SAML app.

  3. On the step 1 "Enable SSO for SAML Application" page, click the SETUP MY OWN CUSTOM APP at the bottom.

  4. On the step 2 "Google IdP Information" page, click the IDP Metadata Download button in the "Option 2" section. Click Next.

  5. On the step 3 "Basic information for your Custom App" page, enter a name and description for the new application. The rest of these instructions assume you named the application Duo Admin Panel. Uploading a logo is optional. Click Next.

  6. Return to the Duo Admin Panel and copy the Entity ID from the "Metadata for Configuring with Google" section of the "Administrator Login Settings" page. Paste the Entity ID from Duo into the Entity ID field on the step 4 "Service Provider Details" page.

    The Duo Admin Panel Entity ID looks like: https://admin-abcd1234.duosecurity.com/saml/D1ABCDEFGH12345678/metadata.

  7. Copy the ACS URL from the "Metadata for Configuring with Google" section of the "Administrator Login Settings" page in the Duo Admin Panel. Paste the ACS URL from Duo into the ACS URL field on the step 4 "Service Provider Details" page.

    The Duo Admin Panel ACS URL looks like: https://admin-abcd1234.duosecurity.com/saml/D1ABCDEFGH12345678/acs.

    Do not check the box next to the "Signed Response" option.

  8. Leave the "Name ID" set to "Basic Information" and "Primary Email". Change the Name ID Format to EMAIL. Click Next.

    Duo Admin Panel Google App Service Provider Details

  9. Click Finish on the step 5 "Attribute Mapping" page as no mapping is necessary. The Duo Admin Panel SSO app is created but is "OFF for everyone" until you enable it. Click OK on the confirmation dialog.

  10. Click the settings icon on the Duo Admin Panel app page and select either to turn it ON for everyone or ON for some organizations and then pick the OUs that contain the Duo administrators who will sign in to the Duo Admin Panel with SSO. Acknowledge the new assignment in the confirmation dialog.

Complete Duo Admin Panel Configuration

  1. Return to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings if no longer selected.

  3. Change the "Identity provider" to Google.

  4. Change the "Configuration method" to From file.

  5. The "Metadata File" is the SAML XML IDP metadata you downloaded earlier from the Google Admin console. Click the Choose File button to select the GoogleIDPMetadata-yourdomain.com.xml file.

  6. Click the Save button at the bottom of the page.

Configuring Duo administrator SSO using Okta requires entering information from the Duo Admin Panel into the Okta administrator portal and vice-versa.

Start Duo Admin Panel Configuration

  1. Navigate to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings.

  3. Change the "Identity provider" to Okta.

  4. Scroll down to the "Metadata for Configuring with Okta" section of the page. You'll need to enter the SAML URL into the Okta administrator portal in the next set of steps.

Configure the Duo Admin Panel App in Okta

  1. Log into Okta as an administrative user. Click on the Admin button in the top right hand corner of the screen.

  2. On the "Dashboard" page click the Applications menu item at the top. Once on the "Applications" page click the Add Application button.

  3. Enter Duo Admin Panel in the search bar on the "Add Application" page. Select the "Duo Admin Panel" Okta application by clicking the Add button.

  4. On the "Add Duo Admin Panel" page, check the boxes next to the Do not display application icon to users and Do not display application icon in the Okta Mobile App options and click the Done button.

  5. On the "Duo Admin Panel" Okta application page, click the Sign On tab and then click the Edit button.

  6. Click the Identity Provider metadata link in the "SIGN ON METHODS" section of the page. This downloads a metadata file. You will need to provide the information from this file to Duo to complete setup.

  7. Scroll down to the "ADVANCED SIGN-ON SETTINGS" section of the page. Return to the Duo Admin Panel and copy the SAML URL from the "Metadata for Configuring with Okta" section of the "Administrator Login Settings" page. Paste the SAML URL from Duo into the SAML URL field under "ADVANCED SIGN-ON SETTINGS" for the Duo Admin Panel Okta application.

    The Duo Admin Panel SAML URL looks like: https://admin-abcd1234.duosecurity.com/saml/D1ABCDEFGH12345678.

  8. Click the Save button.

  9. Click the Assignments tab on the "Duo Admin Panel" Okta application page. Assign the Duo Admin Panel application to the Okta users or groups that will use Okta SSO to log on to the Duo Admin Panel. Ensure that the usernames for these users are email addresses that match their Duo admin login username.

Complete Duo Admin Panel Configuration

  1. Return to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings if no longer selected.

  3. Change the "Identity provider" to Okta.

  4. Change the "Configuration method" to Paste.

  5. Open the metadata file you downloaded from Okta in a text editor. Copy the entire contents of that file and paste it into the Metadata XML field under "SAML Identity Provider Settings".

  6. Click the Save button at the bottom of the page.

Configuring Duo administrator SSO using OneLogin requires entering information from the Duo Admin Panel into the OneLogin administrator portal and vice-versa.

Start Duo Admin Panel Configuration

  1. Navigate to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings.

  3. Change the "Identity provider" to OneLogin.

  4. Scroll down to the "Metadata for Configuring with OneLogin" section of the page. You'll need to enter the SAML URL into the OneLogin administrator portal in the next set of steps.

Configure the Duo Admin Panel Application in OneLogin

  1. In another browser tab or window, log into OneLogin as an administrative user and click Administration at the top to access the configuration portal. Navigate to APPS → Add Apps.

  2. Type Duo Admin Panel into the search field on the "Find Applications" page. It should return only one SAML 2.0 app result called "Duo Admin Panel". Click on the Duo Admin Panel application to create it.

  3. On the "Configuration" page click on the Visible in portal switch to toggle it off.

  4. Click Save at the top of the screen.

  5. Once you're on the Duo Admin Panel app page in OneLogin, click the Configuration tab at the top of the screen.

  6. Return to the Duo Admin Panel and copy the SAML URL from the "Metadata for Configuring with OneLogin" section of the "Administrator Login Settings" page. Paste the SAML URL from Duo into the SAML URL field next to "Application Details".

    The Duo Admin Panel SAML URL looks like: https://admin-abcd1234.duosecurity.com/saml/D1ABCDEFGH12345678.

  7. Click the Save button on the OneLogin application configuration page.

  8. Click the SSO tab at the top of the screen.

  9. Change the "SAML Signature Algorithm" to SHA-256 and click SAVE.

  10. Return to the SSO tab. Click the View Details link under the "X.509 Certificate".

  11. On the "Standard Strength Certificate (2048-bit)" page under "X.509 Certificate", select X.509 PEM from the dropdown and click DOWNLOAD. This downloads a onelogin.pem file that you'll upload to the Duo Admin Panel later.

  12. Click the back arrow to the left of "Standard Strength Certificate (2048-bit)" to return to the Duo Admin Panel OneLogin app's settings. Click SSO near the top of the screen again.

  13. You'll need to provide information from the OneLogin "SSO" page to the Duo Admin Panel, so keep this page open.

Complete Duo Admin Panel Configuration

  1. Return to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings if no longer selected.

  3. Change the "Identity provider" to OneLogin.

  4. Leave the "Configuration method" set to Manual entry.

  5. Copy the Issuer URL from the OneLogin SSO page and paste it into the Duo Admin Panel's Entity ID or issuer ID field.

    Example: https://app.onelogin.com/saml/metadata/123456

  6. Copy the SAML 2.0 Endpoint (HTTP) from the OneLogin SSO page and paste it into the Duo Admin Panel's Assertion consumer service URL or single sign-on URL field.

    Example: https://your-org.onelogin.com/trust/saml2/http-post/sso/123456

  7. The "Certificate" is the OneLogin certificate you downloaded earlier. Click the Choose File button to select the onelogin.pem file. Upload the certificate.

  8. Click the Save button at the bottom of the page.

Remember to assign the new "Duo Admin Panel" OneLogin application to the users who will log into the Duo Admin Panel with SSO.

Configuring Duo administrator SSO using PingOne requires entering information from the Duo Admin Panel into PingOne and vice-versa.

PingOne does not support encrypted assertions.

Start Duo Admin Panel Configuration

  1. Navigate to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings.

  3. Change the "Identity provider" to PingOne.

  4. Scroll down to the "Metadata for Configuring with PingOne" section and click the duo_saml_metadata.xml link to download a copy of the metadata file. The downloaded file name is duo_saml_metadata.xml. This metadata file is uniquely generated for your Duo customer account.

Configure the Duo Admin Panel Application in PingOne

  1. In another browser tab or window, log into the PingOne Admin portal at https://admin.pingone.com.

  2. Navigate to the "Applications" page and click the New Application dropdown. Select the "New SAML Application" option.

  3. Enter a name, description, and category for the Duo Admin Panel app.

  4. Click the Select File button next to the "Upload Metadata" field. Select the duo_saml_metadata.xml file you downloaded from the Duo Admin Panel earlier. Uploading the file fills in the required fields for you.

  5. Download the PingOne IdP metadata by clicking the "SAML Metadata" Download link. You'll need this metadata file to finish configuration of the Duo Admin Panel.

  6. Click Continue to Next Step. No other attributes are required, so click Save and Publish, and then click Finish on the next page.

Complete Duo Admin Panel Configuration

  1. Return to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings if no longer selected.

  3. Change the "Identity provider" to PingOne.

  4. Change the "Configuration method" to From file.

  5. The "Metadata File" is the SAML XML metadata you downloaded earlier from PingOne. Click the Choose File button to select the PingOne metadata file.

  6. Click the Save button at the bottom of the page.

Configuring Duo administrator SSO using PingFederate requires entering information from the Duo Admin Panel into PingFederate and vice-versa.

Start Duo Admin Panel Configuration

  1. Navigate to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings.

  3. Change the "Identity provider" to PingFederate.

  4. Check the box next to Require SAML assertions to be encrypted if you wish to use encryption.

  5. Scroll down to the bottom of the page and click Save.

  6. Scroll down to the "Metadata for Configuring with PingFederate" section. You will need to copy information from here to paste into PingFederate to complete SSO setup. If you are using encrypted assertions, it is important to save the single sign-on configuration before configuring PingFederate to ensure the Duo metadata includes the information necessary for encryption.

Configure the Duo Admin Panel Application in PingFederate

  1. In another browser tab or window, log into your PingFederate admin console.

  2. Navigate to the "IdP Configuration" page under "SP CONNECTIONS" and click Create New.

  3. On the "SP Connection - Connection Type" page under "Connection Template" make sure that BROWSER SSO PROFILES is the only option checked. Click Next.

  4. On the "SP Connection - Connection Options" page under "Browser SSO" make sure that BROWSER SSO is the only option checked. Click Next.

  5. On the "SP Connection - Import Metadata" next to "METADATA" select URL.

    Return to the Duo Admin Panel and copy the Metadata URL from the "Metadata for Configuring with PingFederate" section of the "Administrator Login Settings" page. Paste the Metadata URL from Duo into the NEW URL field.

    The Duo Admin Panel Metadata URL looks like: https://admin-abcd1234.duosecurity.com/saml/D1ABCDEFGH12345678/metadata.

  6. Leave EXISTING URL NAME at the default selection and ENABLE AUTOMATIC RELOADING selected and click Load Metadata. The page will reload and say "Metadata successfully loaded". Click Next.

  7. Review the information on the "SP Connection - Metadata Summary" page and click Next.

  8. On the "SP Connection - General Info" page some fields should already be populated with information from the Duo metadata. You may fill out the other optional information. Click Next.

  9. On the "SP Connection - Browser SSO" page click Configure Browser SSO.

  10. On the "SP Connection - Browser SSO - SAML Profiles" page under "Single Sign-On (SSO) Profiles", check the boxes next to IDP-INITIATED SSO and SP-INITIATED SSO. Leave the boxes under "Single Logout (SLO) Profiles" unchecked. Click Next.

  11. On the "SP Connection - Browser SSO - Assertion Lifetime" page you can change how long a SAML assertion to PingFederate remains valid. Unless you're comfortable with SAML we recommend leaving these settings at their defaults. Click Next.

  12. On the "SP Connection - Browser SSO - Assertion Creation" page click Configure Assertion Creation.

  13. On the "SP Connection - Browser SSO - Assertion Creation - Identity Mapping" page select STANDARD and click Next.

  14. On the "SP Connection - Browser SSO - Assertion Creation - Attribute Contract" page verify that under "Subject Name Format" urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified is selected. Leave all other options on the page at their defaults. Click Next.

  15. On the "SP Connection - Browser SSO - Assertion Creation - Authentication Source Mapping" page click Map New Adapter Instance.

  16. On the "SP Connection - Browser SSO - Assertion Creation - IdP Adapter Mapping - Adapter Instance" page next to "Adapter Instance" select the authentication source you'd like to use to verify the credentials for users logging into the Duo Admin Panel via SAML. The Duo Admin Panel requires an IdP attribute from the source directory whose value matches the e-mail address of the existing Duo admin user. Click Next.

  17. On the "SP Connection - Browser SSO - Assertion Creation - IdP Adapter Mapping - Mapping Method" page under "Adapter Contract" select the option USE ONLY THE ADAPTER CONTRACT VALUES IN THE SAML ASSERTION and click Next.

  18. On the "SP Connection - Browser SSO - Assertion Creation - IdP Adapter Mapping - Attribute Contract Fulfillment" page next to "SAML_SUBJECT" click the drop-down under "Source" and select Adapter. The page will reload. Under "Value" select the name of the attribute that contains the e-mail address value. Click Next.

  19. The settings on the "SP Connection - Browser SSO - Assertion Creation - IdP Adapter Mapping - Issuance Criteria" can be left at the defaults unless you'd like to limit the scope of which users can access this service provider. Please consult your PingFederate documentation for more information. Click Next.

  20. On the "SP Connection - Browser SSO - Assertion Creation - IdP Adapter Mapping - Summary" page review the information for correctness then click Done.

    You will be returned to the "SP Connection - Browser SSO - Assertion Creation" page. Click Next.

  21. On the "SP Connection - Browser SSO - Assertion Creation" page click Done and then click Next.

  22. On the "SP Connection - Browser SSO - Protocol Settings" page click Configure Protocol Settings.

  23. On the "SP Connection - Browser SSO - Protocol Settings - Assertion Consumer Service URL" page there should already be an "Endpoint URL" populated from the Duo metadata. Click Next.

  24. On the "SP Connection - Browser SSO - Protocol Settings - Allowable SAML Bindings" page make sure that only POST and REDIRECT are selected. Uncheck all other options. Click Next.

  25. On the "SP Connection - Browser SSO - Protocol Settings - Signature Policy" page verify that REQUIRE AUTHN REQUESTS TO BE SIGNED WHEN RECEIVED VIA THE POST OR REDIRECT BINDINGS is unchecked and ALWAYS SIGN THE SAML ASSERTION is checked. Click Next.

  26. On the "SP Connection - Browser SSO - Protocol Settings - Encryption Policy" page select NONE and click Next.

  27. On the "SP Connection - Browser SSO - Protocol Settings - Summary" page review the information and click Done.

  28. On the "SP Connection - Browser SSO - Protocol Settings" page click Next.

  29. On the "SP Connection - Browser SSO - Summary" page click Done.

  30. On the "SP Connection - Browser SSO" page click Next.

  31. On the "SP Connection - Credentials" page click Configure Credentials.

  32. On the "SP Connection - Credentials - Digital Signature Settings" page select your SAML IdP signing certificate from the drop-down next to SIGNING CERTIFICATE.

    Check the boxes next to INCLUDE THE CERTIFICATE IN THE SIGNATURE ELEMENT and INCLUDE THE RAW KEY IN THE SIGNATURE ELEMENT.

    Select RSA SHA256 from the drop-down next to "Signing Algorithm" and click Done.

  33. On the "SP Connection - Credentials" page click Next.

  34. On the "SP Connection - Activation & Summary" page next to "Connection Status" select ACTIVE.

  35. Scroll to the bottom of the page and click Save. You'll be returned to the home page.

  36. Click Server Configuration on the left side menu.

  37. Under "Administrative Functions" select Metadata Export.

  38. On the "Export Metadata - Metadata Role" page select I AM THE IDENTITY PROVIDER (IDP) and click Next.

  39. On the "Export Metadata - Metadata Mode" page select USE A CONNECTION FOR METADATA GENERATION and click Next.

  40. On the "Export Metadata - Connection Metadata" page select the Duo Admin Panel service provider you configured earlier in PingFederate in the drop-down. Click Next.

  41. On the "Export Metadata - Metadata Signing" page select the IdP SAML signing certificate you chose while configuring the Duo Admin Panel service provider earlier in the drop-down.

    Check the boxes next to INCLUDE THE CERTIFICATE IN THE SIGNATURE ELEMENT and INCLUDE THE RAW KEY IN THE SIGNATURE ELEMENT.

    Select RSA SHA256 from the drop-down next to "Signing Algorithm" and click Next.

  42. Review the information on the "Export Metadata - Export & Summary" page. Click Export to download the PingFederate Identity Provider XML file. Once you've retrieved the file click Done.

Complete Duo Admin Panel Configuration

  1. Return to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings if no longer selected.

  3. Change the "Identity provider" to PingFederate.

  4. Change the "Configuration method" to From file.

  5. The "Metadata File" is the PingFederate Identity Provider XML file you downloaded earlier from the PingFederate console. Click the Choose File button to select the PingFederate metadata file.

  6. Click the Save button at the bottom of the page.

Configuring Duo administrator SSO using Shibboleth requires entering information from the Duo Admin Panel into Shibboleth and vice-versa.

Duo Admin Panel Configuration

  1. Obtain the metadata XML file for your Shibboleth IdP.

    If you cannot obtain the metadata XML file, gather the following information: EntityID, the Single Sign On URL for the HTTP-Redirect binding, and the signing certificate for your Shibboleth IdP.

  2. Navigate to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  3. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings.

  4. Change the "Identity provider" to Shibboleth.

  5. If you have the Shibboleth IdP metadata XML file, change the "Configuration method" to From file. Click Choose File to select your Shibboleth IdP metadata XML file.

    If you do not have the Shibboleth IdP metadata XML file, change the "Configuration method" to "Manual Entry" and enter the "EntityID" from Shibboleth as the Entity ID and the "Single Sign On URL for the HTTP-Redirect binding" from Shibboleth as the Single Sign On URL.

    Click Choose file next to the Certificate field and select the Shibboleth IdP's signing certificate file.

  6. Check the box next to Require SAML assertions to be encrypted if you wish to use encryption.

  7. Scroll down to the bottom of the page and click Save.

  8. Scroll to "Download XML File" in the "Metadata for Configuring with Shibboleth" section and click the duo_saml_metadata.xml link to download a copy of the metadata file. The downloaded file name is duo_saml_metadata.xml. This metadata file is uniquely generated for your Duo customer account. If you are using encrypted assertions, it is important to save the single sign-on configuration before downloading the Duo metadata to ensure it includes the information necessary for encryption.

Configure the Duo Admin Panel Application in Shibboleth

  1. Add the duo_saml_metadata.xml file you downloaded from the Duo Admin Panel to your Shibboleth configuration, and create a new Metadata Provider that points to it.

  2. If necessary, add a new relying party profile for the Duo Admin Panel. Ensure that the profile that will be used for the Admin Panel has the SAML2.SSO auth flow, and enable the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent nameID format if it isn't enabled.

  3. Define the mail attribute urn:oid:0.9.2342.19200300.100.1.3 and release it. This value will be used to identify administrators in the Duo Admin Panel, so it must match the administrator email addresses configured in the Admin Panel.

  4. If necessary, enable Persistent NameID generation.

If your SAML 2.0 identity provider isn't listed by name, use the Custom Identity Provider. You'll need to consult your IdP vendor's documentation to learn how to add a custom service provider, and use those instructions to set up the Duo Admin Panel application.

When configuring your IdP for the Duo Admin Panel application, be sure to send your users' email address as a Persistent NameID in the SAML assertion.

Consult your IdP vendor to determine if it supports encrypted assertions.

  1. Navigate to the "Single Sign-On with SAML Configuration" section of the "Administrator Login Settings" page in the Duo Admin Panel.

  2. Select either the Optional or Required "Authentication with SAML" option to expose the SAML Identity Provider Settings.

  3. Change the "Identity provider" to Custom Identity Provider.

  4. If your identity provider makes the XML metadata for configuring a service provider available, you can download or copy it from your IdP and enter it in the Duo Admin Panel by changing the Configuration method to From file or Paste as appropriate, and either upload an XML file or paste metadata information into the field provided. Proceed to step 7.

  5. If your identity provider doesn't offer their metadata in XML format, change the Configuration method to Manual entry.

    Enter the Entity ID or Issuer ID and the Assertion consumer service URL or single sign-on URL obtained from your IdP.

  6. Download your identity provider's signing certificate, select it for upload to Duo using the Choose file button, and upload your IdP's certificate.

  7. Adjust the security settings for your identity provider in the "Advanced SAML Options" section. Most IdPs do not require any changes. Verify SHA signature support and signing requirements with your identity provider before changing these settings, as they decrease security for SSO logins.

  8. If your identity provider supports encrypted SAML assertions, check the box next to Require SAML assertions to be encrypted.

  9. Click the Save button at the bottom of the page when done.

  10. Copy the metadata information for the Duo Admin Panel service provider application and provide it to your identity provider. If your IdP supports XML metadata file upload or paste you can download the duo_saml_metadata.xml file from Duo and upload or copy it to your IdP. This metadata file is uniquely generated for your Duo customer account. If you are using encrypted assertions it is important to save the single sign-on configuration before downloading the Duo metadata to ensure it includes the information necessary for encryption.

Test SSO Login

Enabling SAML login for the Duo Admin Panel adds a new Single Sign On button to the Duo Admin Panel Login page.

Click the Single Sign On button to begin SAML authentication. Enter the email address that matches your Duo administrator login account and click Continue to Identity Provider.

You'll be taken to your identity provider's primary login page. Once you sign in there you'll be sent back to Duo to complete two-factor authentication to finish logging on to the Admin Panel.

Admin Authentication Methods

Duo administrators may use any available two-factor method to log into the Duo Admin Panel. You can restrict which authenticator types Duo admins may use on the Administrator Login Settings page.

To restrict allowed authentication methods for Duo administrators:

  1. Log in to the Duo Admin Panel as an Owner and navigate to Administrators → Admin Login Settings in the left sidebar.

  2. Scroll to the Admin Authentication Methods section of the page.

  3. Deselect the authentication methods you don't want used by Duo administrators. When adjusting the allowed methods, ensure that your Duo administrators have at least one of the allowed factors associated with their accounts. We won't let you disable the authentication method you used to log in to the Admin Panel as a safeguard against accidentally denying yourself access. If you want to restrict the method you just used, you'll need to log out and back in using a different 2FA method you plan to leave enabled.

    For example, if you disable all methods except hardware tokens and Yubikey AES, then any administrator without an assigned token or Yubikey won't be able to log in to the Duo Admin Panel. You must leave at least one method enabled.

  4. Click the Save button at the bottom of the page. You'll need to confirm your selections to apply the change.

Restricted factors appear greyed out in the Duo Admin Panel's 2FA prompt. So, if you were to disable SMS passcode and phone callback (leaving Duo Push, Duo Mobile passcodes, hardware tokens, and Yubikeys allowed), the "Text Me" and "Call Me" buttons become inactive and only "Duo Push" and passcode entry may be used.

Changing the allowed methods won't automatically log out any administrator who was already logged in with a factor you've now disabled, but the next time they log in to the Duo Admin Panel they'll need to use one of the allowed factors.

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.
