We are trying to get Duo SSO working to protect ASA VPN logins across multiple domains. Our ASA can obviously authenticate users across domain names, and I have a SAML to Duo auth working in our primary domain. As I add other domains, though, I have run into a question - despite having different domain names, many of our e-mail addresses have the same suffix. Duo documentation says that it will throw an error if it finds the same email in several AD clients (understandably), so is there a solution to get around this? Separate Auth Proxies in the separate domains? Using ISE for all authentication? We will eventually have hardware tokens for some users, so we were advised to use SAML from ASA to Duo for authentication.
You have the same individual users with their email address existing in multiple AD directories?
Like.. - Domain ALPHA; the user ALPHA\bob exists with the email address email@example.com - Domain BETA; the user BETA\robert also exists, and represents the same person as ALPHA\bob and also has the email address firstname.lastname@example.org?
Are you able to clean your directory attributes so that the email address attributes only are populated once across the domains?
A virtual directory that aggregates attributes for the same users across your domains may in fact be a good answer to this. I have no experience with ISE but I have been in environments where we used AD LDS or Radiant Logic VDI to solve this problem.
Separate Authentication Proxy servers won't help you here as the LDAP response is going to be the same no matter how many proxies perform the search. You _will_ need distinct Authentication Proxy servers to service each of your domains if they aren't part of the same forest, and in the Duo SSO multiple AD config the authentication process will search amongst all configured domains.