Solved: Duo Deployment to protect Gsuite emails

jcuni · ‎11-12-2024

Hello everyone,

I was looking for information on how to deploy Duo for a customer using G Suite emails. This customer doesn't have a Windows server or any other authentication source. Is it possible to deploy the Duo MFA solution?

Thanks!

DuoKristina · ‎11-13-2024

@jcuni You're right to suspect the prior answer, as it's not possible to protect Google Workspace logins with Duo SSO while also using Google Workspace as the SAML authentication source (it creates an infinite loop scenario where Google redirects to Duo which redirects back to Google and so on).

There is not currently another good option for Duo MFA protection for Google Workspace. A possibility is to deploy Google.s Secure LDAP service https://support.google.com/a/answer/9048516?hl=en and use that in place of Active Directory in a Duo SSO AD authentication source configuration, but it is complex and not explicitly supported by us.

We are exploring options to support Google Workspace with Duo that don't require on-premises domain components. You can contact Duo Support or a Duo Care rep/Cisco AE (if you have one) to add yourself as an interested party to the feature request for Google Workspace support without AD.

Duo, not DUO.

View solution in original post

amitspanchal · ‎11-13-2024

Hi,

Yes it is possible to use Gsuite as a authentication source. You will have to configure SAML authentication for that. This will require SAML configuration on the Gsuite as well and appropriate Gsuite tier which supports SAML.

jcuni · ‎11-13-2024

Hi @amitspanchal , thank you for your prompt answer. The problem is i have this disclaimer from Duo:

That’s why I have a question about how to implement Duo using a different method.

DuoKristina · ‎11-13-2024

@jcuni You're right to suspect the prior answer, as it's not possible to protect Google Workspace logins with Duo SSO while also using Google Workspace as the SAML authentication source (it creates an infinite loop scenario where Google redirects to Duo which redirects back to Google and so on).

There is not currently another good option for Duo MFA protection for Google Workspace. A possibility is to deploy Google.s Secure LDAP service https://support.google.com/a/answer/9048516?hl=en and use that in place of Active Directory in a Duo SSO AD authentication source configuration, but it is complex and not explicitly supported by us.

We are exploring options to support Google Workspace with Duo that don't require on-premises domain components. You can contact Duo Support or a Duo Care rep/Cisco AE (if you have one) to add yourself as an interested party to the feature request for Google Workspace support without AD.

Duo, not DUO.

jcuni · ‎11-14-2024

Thanks for confirming, @DuoKristina. That's exactly what I experienced, a loop when trying to log in. I think the best option in this scenario is to deploy Google Authenticator.

DuoKristina · ‎11-14-2024

Duo Mobile can be used for passcode generation for third-party accounts. This means that a user won't receive a Duo Push request at login, but can generate a passcode to use to log in when prompted by Google - similar to using Google Authenticator.

https://guide.duo.com/third-party-accounts

An even more secure option than OTP authenticator apps is using a passkey. https://support.google.com/a/answer/13529161?hl=en

While Duo SSO isn't an option yet for pure Google auth without AD, Duo does fully support roaming and platform WebAuthn authenticators as passkeys, so if a userbase is already used to passwordless login to Google with passkeys before using Duo's platform they're well positioned to move to Duo to continue passwordless authentication with passkeys when the time is right.

Duo, not DUO.