Re: USING MULTIPLE DOMAIN

mumbai.support · ‎05-27-2024

The issue you are facing with the Duo Authentication Proxy and the two domains (abc.com and xyz.com) seems to be related to the user directory configuration. Based on the information provided:

Customer had only one domain (abc.com) configured on Duo and the Authentication Proxy was also configured for only that domain.
Some users from the xyz.com domain were trying to log in, but they were getting an error saying their organization was not allowed to log in. This is because the Duo Authentication Proxy was only configured for the abc.com domain.

To resolve this issue:

We advised the customer to add a new Authentication Proxy server in Duo with the xyz.com domain. This was the right approach, as it would allow users from both domains to authenticate through Duo.
However, Customer mentioned that even after this configuration, some users from the xyz.com domain are still not able to log in, and the Duo dashboard is indicating that there are multiple, duplicate user accounts with invalid credentials. @DuoKristina Need your expertise.

DuoKristina · ‎05-28-2024

If this is about a Duo customer please instruct them to contact Duo Support. I'm not in support; don't @ me.

However, it is correct that they will receive the error you mentioned if there are duplicate usernames coming from the two domains. Is this SSO + AD authentication? It is noted in the documentation that email addresses must be unique across all domains and forests:

If Duo Single Sign-On gets results for multiple users matching the email address, it will show an error to the user. All email addresses that users log-in with should be unique across all the directories.

They should check the users that can't log in to make sure their email is not duplicated between forests. Again, if you don't know how to proceed advise the customer to contact Duo Support.

Duo, not DUO.

DuoKristina · ‎05-28-2024

I'm told that TAC can create a case in CSOne and bond the case to the Duo Support queue.

Duo, not DUO.