Skip navigation

Duo Access Gateway

Last Updated: December 9th, 2020

Duo Access Gateway adds two-factor authentication, complete with inline self-service enrollment and Duo Prompt, to popular cloud services like Salesforce and Google G Suite using SAML 2.0 federation.

Looking for a cloud-hosted SSO solution? Try Duo Single Sign-On.


Duo Access Gateway is an on-premises solution that secures access to cloud applications with your users’ existing directory credentials (like Microsoft Active Directory or Google G Suite accounts) using the Security Assertion Markup Language (SAML) 2.0 authentication standard. SAML delegates authentication from a service provider to an identity provider, and is used for single sign-on (SSO) solutions.

Duo provides SAML connectors for enterprise cloud applications like Google G Suite, Amazon Web Services, Box, Salesforce and Microsoft Office 365. See the full list of named cloud applications here. We also offer a generic SAML application you can use with any SAML 2.0 service provider.

Protected cloud applications redirect your users to the Duo Access Gateway server on your network. Duo Access Gateway acts as a SAML identity provider (IdP), authenticating your users using your existing primary authentication source for credential verification, and then prompting for two-factor authentication before permitting access to the SAML application.

Duo Access Gateway is part of the Duo Beyond, Duo Access, and Duo MFA plans.

Duo Access Gateway supports local Active Directory (AD) and OpenLDAP directories as identity sources, as well as on-premises or cloud SAML IdPs.

Duo Access Gateway SAML Login Workflow

You can also use the Duo Access Gateway with Azure and Google directories or third-party IdPs hosted in the cloud.

Duo Access Gateway SAML Login Workflow

Define Duo policies that enforce unique controls for each individual SSO application. For example, you can require that Salesforce users complete two-factor authentication at every login, but only once every seven days when accessing Google G Suite. Duo checks the user, device, and network against an application's policy before allowing access to the application.

Once you deploy Duo Access Gateway with multiple service providers you can opt to minimize repeated Duo authentication prompts when switching between your SAML applications with shared remembered device policies for SSO.

Duo Access Gateway for Windows

Duo Access Gateway runs as an IIS virtual site on Windows Server 2012 and later. See the Duo Access Gateway Windows documentation for system requirements and installation instructions.

Duo Access Gateway for Linux

Duo Access Gateway runs in a Docker container on most modern Linux distributions. See the Duo Access Gateway Linux documentation for system requirements and installation instructions.