https://community.cisco.com/t5/managing-users/sso-with-ad-sending-samaccountname-instead-of-email/m-p/5282708#M1476 <P>MHurley,</P><P>Did you find a solution for this?&nbsp; We are looking for a solution like yours.</P><P>&nbsp;</P><P>Thank you,</P><P>Bret</P> Fri, 18 Apr 2025 12:00:41 GMT macocharlie 2025-04-18T12:00:41Z https://community.cisco.com/t5/managing-users/sso-with-ad-sending-samaccountname-instead-of-email/m-p/5259951#M1465 <P>I am configuring DUO using the auth proxy to on-prem AD.&nbsp; &nbsp; &nbsp; Internal users have their email addresses in the AD mail attribute, and things work great.&nbsp; &nbsp;</P> <P>When the internal users are added to DUO using directory sync, two main things work:</P> <OL> <LI>They receive an enrollment email with steps on downloading the app and enrolling their phone</LI> <LI>When they log into VPN (utilizing SAML integration to DUO), they enter their email address and AD password</LI> </OL> <P>Things break down a bit when dealing with third-party users, which we want to use MFA when coming in over VPN.&nbsp; &nbsp;</P> <P>The vendors have AD accounts but we do not give them email boxes.&nbsp; &nbsp;The AD accounts have their third-party email addresses in the mail attribute.</P> <P>They receive the enrollment email when they are added to DUO using directory sync, which is exactly what we want.</P> <P>I understand they will need to log into the DUO prompt using a corporate email address (because of domain validation), so asking them to put the corporate domain is acceptable&nbsp; (Ex:&nbsp; &nbsp;AD Username - hvac-user, DUO prompt - <A href="mailto:hvac-user@mycorp.com" target="_blank" rel="noopener">hvac-user@mycorp.com</A>)</P> <P>We can create an alias on their duo account to match:&nbsp; <A href="mailto:hvac-user@mycorp.com" target="_blank" rel="noopener">hvac-user@mycorp.com</A></P> <P>The issue I am running into now is that authentication is failing.&nbsp; &nbsp; When I look at the auth proxy logs, DUO is sending the full email address of the user, which doesn't exist in AD.&nbsp; &nbsp;It results in a "user not found" error.</P> <P>If we can strip the "@mycorp.com" from the authentication attempt it would be able to match the sAMAccountName.</P> <P>Is there a way to make these authentication attempts send the sAMAccountName to AD, rather than the full email address typed in?</P> <P>If not, has anyone else found a flow that works for vendors and allows them to send the enrollment email to their "real" email?</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 13 Feb 2025 01:04:22 GMT https://community.cisco.com/t5/managing-users/sso-with-ad-sending-samaccountname-instead-of-email/m-p/5259951#M1465 mhurley131 2025-02-13T01:04:22Z https://community.cisco.com/t5/managing-users/sso-with-ad-sending-samaccountname-instead-of-email/m-p/5275374#M1475 <P>So, this was an option we set up in our environment:</P><P>We registered a new DNS under our DNS provider. For example, if our main domain is mycorp.com, we registered a subdomain like a.mycorp.com. We then added this subdomain in Duo under Permitted Email Domains and completed the verification process.</P><P>Next, for the vendor accounts, we updated their email addresses in Active Directory to use the new subdomain for example, abc@a.mycorp.com. We tested this configuration, and it worked as expected.</P><P>Now, all vendor accounts in AD have their email addresses set to use @a.mycorp.com.</P><P>Hope this helps!</P> Wed, 26 Mar 2025 14:25:11 GMT https://community.cisco.com/t5/managing-users/sso-with-ad-sending-samaccountname-instead-of-email/m-p/5275374#M1475 temz147 2025-03-26T14:25:11Z https://community.cisco.com/t5/managing-users/sso-with-ad-sending-samaccountname-instead-of-email/m-p/5282708#M1476 <P>MHurley,</P><P>Did you find a solution for this?&nbsp; We are looking for a solution like yours.</P><P>&nbsp;</P><P>Thank you,</P><P>Bret</P> Fri, 18 Apr 2025 12:00:41 GMT https://community.cisco.com/t5/managing-users/sso-with-ad-sending-samaccountname-instead-of-email/m-p/5282708#M1476 macocharlie 2025-04-18T12:00:41Z