Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
309
Views
1
Helpful
3
Replies

AD connector and SSO Entra ID migration

darrenyoung88
Level 1
Level 1

‎06-10-2024 08:00 AM

Hi,

We currently have DUO deployed for MFA for Anyconnect VPN clients terminating on an FTD.  Using AD connector as the identity source for users.  We would like to move away from this and configure Anyconnect Clients to connect to Meraki and use SAML for authentication via DUO with Entra ID as the authentication source.  Query is can Entra ID identity source be configured within DUO without disrupting service to existing users?  Can both AD and Entra ID run in parallel?

Thanks

0 Helpful
3 Replies 3

DuoKristina
Cisco Employee
Cisco Employee

‎06-12-2024 02:07 PM - edited ‎06-12-2024 02:12 PM

Today you may only use a single type of SSO authentication source at a time. You can't use AD authentication and SAML authentication at the same time for the same application. You can set up Entra as the SAML auth source in parallel, but today only one can be enabled at a time, so you would experience brief disruption as you disable one and enable the other.

We have support for multiple authentication sources in Duo SSO on our roadmap. Please contact Duo Support to have your org associated with that feature request.

If you are using directory sync from AD into Duo you can migrate the sync from AD to Entra source using this guide: 

How do I change from using Active Directory to Microsoft Entra ID for Duo Directory Sync? 

Duo, not DUO.

darrenyoung88
Level 1
Level 1
In response to DuoKristina

‎06-13-2024 12:06 AM

Thanks,

This would be for a separate application.  currently using "Cisco ISE Radius" using radius and AD for authentication.  We are looking to add / migrate to "Meraki Secure Client" using SAML / SSO with Entra ID as the identity source.  Both AD and Entra ID are linked so same user account.  What i am trying to understand is can I run both in parallel, existing ISE radius continue to use AD and the new Meraki app use SSO / Entra ID without impacting existing service

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to darrenyoung88

‎06-14-2024 05:38 AM

Yes, you can leave a RADIUS integration with Duo Authentication proxy in place while also deploying any Duo SSO application. They are distinct from each other. If the same users will log into both you will want to make sure that the SSO username is the same as the ISE RADIUS username so they match the same Duo user or that it has been added as a username alias to the existing Duo user.

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents