We are trying to get Duo SSO working to protect ASA VPN logins across multiple domains. Our ASA can obviously authenticate users across domain names, and I have a SAML to Duo auth working in our primary domain. As I add other domains, though, I have run into a question - despite having different domain names, many of our e-mail addresses have the same suffix. Duo documentation says that it will throw an error if it finds the same email in several AD clients (understandably), so is there a solution to get around this? Separate Auth Proxies in the separate domains? Using ISE for all authentication? We will eventually have hardware tokens for some users, so we were advised to use SAML from ASA to Duo for authentication.