D270: Duo Release Notes for July 21, 2023

kyleleighavery · ‎07-21-2023

Hello everyone! Here are the release notes for our most recent updates to Duo.

Public release notes are published on the Cisco Community every other Friday, the day after the D-release is completely rolled out. You can subscribe to notifications for new release notes by following the process described here. If you have any questions about these changes, please comment below.

Check out a new resource: Guide to Duo End-of-Life and End-of-Support Plans. This guide provides an up-to-date list of current and past end-of-life plans for Duo products.

What’s in this release?

New features, enhancements and other improvements

New Warning Message for NTLMv1 End of Support in the Duo Admin Panel

New and updated applications

Duo Splunk Connector Version 2.0.0 Rolled Back
Duo Device Health Application Public Beta 5.2.1.0 Released
Six New Named SAML Applications with Duo SSO
Duo Mobile for Android Version 4.45.0 Released
Duo Mobile for iOS Version 4.45.0 Released

New features, enhancements and other improvements

New warning message for NTLMv1 end of support in the Duo Admin Panel

Owner admins will see the following message on Users > Directory Sync if they select NTLMv1 as the authentication type for Active Directory and LDAP directory sync connections or Active Directory authentication sources for SSO:

NTLMv1 support ending

Effective October 2, 2023, Duo Security will no longer support the NTLMv1 authentication type for [Directory Sync/Single Sign-On]. Using NTLMv2 is recommended.

Learn more about the end of support of the NTLMv1 authentication type

New and updated applications

Duo Splunk Connector version 2.0.0 rolled back

This version was released on July 3, 2023, and rolled back on July 14, 2023, due to bugs with the Splunk app directory structure, log duplication and log rate limiting. A new version will be released soon.
See Knowledge Base article Why are my Duo logs not showing up in Splunk after installing the Splunk connector? for more guidance.

Duo Device Health Application Public Beta version 5.2.1.0 released

Added improvements to support script.
Added collection of information related to whether the device is managed.

Six new named SAML applications with Duo SSO

There are now named SAML applications for IT Glue, Keeper Security, Signal Sciences, SailPoint IdentityIQ, Cloudflare Access and Igloo to protect using Duo SSO, our cloud identity provider.
Reminder: Duo Access Gateway will reach end of life in October 2023. Please see the Guide to Duo Access Gateway end of life for more details.

Duo Mobile for Android version 4.45.0 released

Miscellaneous bug fixes and behind-the-scenes improvements.

Duo Mobile for iOS version 4.45.0 released

Miscellaneous bug fixes and behind-the-scenes improvements.

hawley35 · ‎08-01-2023

Did D270 include deprecation of the 'password' parameter on 'POST /admin/v1/admins/[admin_id]'?

This parameter stopped working for us in the week prior to these release notes being published.

kyleleighavery · ‎08-01-2023

Hi @hawley35 ! That parameter has been deprecated since October 2020, as noted in the October 30 2020 Duo Release Notes, the Admin API documentation, and the Duo KB article Guide to Duo Administrator Provisioning and Self-Service Changes. Are you now receiving an error response or does it just not change the password?

hawley35 · ‎08-01-2023

Thanks @kyleleighavery, but I don't specifically see that endpoint or and end-of-life date in any of that documentation. The API documentation lists it as 'Deprecated', but not with any end-of-life date.

The documentation implies that 'POST /admin/v1/admins/[admin_id]/password_mgmt' is the new supported method for use with a PAM tool. What method does Duo suggest for the PAM heartbeat(password validation) after the password change?

DuoKristina · ‎08-01-2023

I think the relevant info would be...

From the 10/30/2020 release note (bolding mine):

As part of this change, Owners will no longer be able to set a new password for an administrator who has forgotten their password. Instead, Owners will be able to copy-paste a link from the administrator’s details page where the administrator can reset their password. The action of viewing the reset password link for another administrator will be recorded in the Administrator Actions log.
The Admin API has also been updated to support the new administrator provisioning workflow.
- Refer to this Duo Knowledge Base article for more information.

From the linked KB article (bolding mine):

Existing add admin endpoint now has optional params to specify a number of days the admin’s activation link should be valid and whether to send an activation email. The phone parameter is now an optional parameter, rather than required. The password parameter was deprecated, and any value provided there will be ignored.

To your question: are you asking if Duo has a method for polling the external PAM for a password change there, then pulling in the changed password via API? No, we do not support this today, just a post to Duo from external to change the password, triggered by the external system.