Duo Identity Security with Cisco Identity Intelligence - SSO Configuration

Overview

Duo Identity Security combines Duo’s strong attack mitigation and remediation capabilities with cross-vendor identity insights powered by Cisco Identity Intelligence.

Cisco Identity Intelligence

Cisco Identity Intelligence (CII) is a multi-sourced, vendor-agnostic solution that works across your existing identity stack and brings together authentication and access insights, enabling you to proactively address vulnerabilities and risks in your multi-vendor identity environment.

All Cisco Identity Intelligence features and capabilities are included in Duo Identity Security for Duo Premier and Duo Advantage customers.

Learn more about Cisco Identity Intelligence.

Requirements

The requirements for provisioning Cisco Identity Intelligence are:

• A Duo Premier or Duo Advantage plan.
• A Duo administrator with the Owner role.
• Everyone in your organization whom you want to be able to access the Cisco Identity Intelligence dashboard via Duo Single Sign-On should exist as an end-user in your Duo account your SAML or Active Directory external authentication source if you use them.

Create a Cisco Identity Intelligence Administrator Group

You need a group in Duo comprised of the Duo end-user accounts belonging to your Cisco Identity Intelligence dashboard users. You will grant access to the Cisco Identity Intelligence SSO application to this group during configuration.

If your Identity Intelligence administrators exist as Duo end users who are managed by an external directory sync, then you need to create a distinct group in your source directory containing the end-user accounts for the Cisco Identity Intelligence dashboard users, and add it to your Duo sync configuration so that group gets imported to Duo.

You can manually create and populate a group of your Identity Intelligence admins if your Identity Intelligence admin users exist as Duo end-users who are not managed by an external directory sync.

See the Using Groups documentation for group creation and management instructions.

Provision Your Cisco Identity Intelligence Tenant

1. Log on to the Duo Admin Panel as an administrator with the Owner admin role.

2. Navigate to Monitoring → Cisco Identity Intelligence.

3. Review the information on the "Cisco Identity Intelligence" page. Click the Connect to Cisco Identity Intelligence button to continue.

   

4. Duo will automatically provision your Duo integration with Identity Intelligence to enable your new Identity Intelligence tools to consume and analyze Duo user and authentication data.

   

5. Your CII admins can not access your Identity Intelligence dashboard via Duo SSO until you grant access to the new SSO application. Click the Edit SSO Configuration button on the Cisco Identity Intelligence "Duo SSO" tab to view the SSO application.

6. The "User access" setting for your autogenerated Cisco Identity Intelligence SSO application defaults to Disable for all users. Select Enable only for permitted groups and pick the group or groups you created earlier which contain the Duo users who should have access to the CII dashboard. Active Duo users in the permitted groups can sign in to Cisco Identity Intelligence via Duo SSO. Active Duo users not in a permitted group receive an access error from Duo SSO.

   If you do not restrict user access to the CII SSO application by selecting a permitted group, then any of your active Duo users may be able to access the Cisco Identity Intelligence dashboard and view personally identifiable information (PII) for other users.

   This setting only applies to users who exist in Duo with "Active" status. This does not affect application access for existing users with "Bypass" status, existing users for whom the effective Authentication Policy for the application specifies "Bypass 2FA" or "Skip MFA", or users who do not exist in Duo when the effective New User Policy for the application allows access to users unknown to Duo without MFA.

   

   Learn more about user access to applications.

7. Scroll down and click Save.

8. You can now use your Identity Intelligence tenant. Navigate to Monitoring → Cisco Identity Intelligence again and click the Launch Identity Intelligence button. This launches the Identity Intelligence dashboard from the Duo Admin Panel. Duo administrators logged into the Admin Panel with any role assigned can access the Identity Intelligence dashboard from this link to log in via Duo SSO.

   Make sure that any Duo admins accessing Identity Intelligence also exists as an end-user in Duo who is a member of the group granted access to the CII SSO application. If you use an external identity source for SSO also ensure the CII dashboard user exists there for primary authentication.

Next Steps After Provisioning

Data ingestion and analysis of Duo data begins automatically after provisioning. Depending on how many identities exist in your environment, it can take a few days for all the data in your environment to get fully synchronized in the Cisco Identity Intelligence tenant. Learn more about Cisco Identity Intelligence.

Create Additional Integrations

Set up additional available integrations to maximize the cross-vendor visibility that Cisco Identity Intelligence provides and to ensure protection of your full identity ecosystem.

Integrations

Cisco Identity Intelligence can integrate with a number of vendors for data ingestion, ticketing, notifications, and SIEM usage.

You can read more about the integrations and find configuration instructions by following the links below.

Cisco Identity Intelligence can ingest data from the following sources:

• Auth0
• AWS
• GitHub
• Google Workspace
• Microsoft Entra ID
• Microsoft Entra ID Event Hub
• Okta
• Salesforce
• Workday

Additionally, integrations are available for notifications, ticketing and SIEMs:

• Azure Sentinel
• Jira
• Microsoft Teams
• ServiceNow
• Slack

Troubleshooting

Need some help? Take a look at our Identity Security Knowledge Base articles or Community discussions. For further assistance, contact Support.