03-06-2023 02:16 PM
Hello,
I am setting up a Duo environment for our users. All of our users have 2 email addresses, formatted as follows:
username@123.com and username@abc.com.
Our on-prem Exchange is set up to give every account both emails as an alias for the same account. For the sake of Duo’s SSO, I am syncing users based on the “mail” attribute of the account in AD. This attribute picks a “default” for each user based on the Exchange setting and is not the same for every user (one user may have @123.com and another user may have @abc.com).
I would like to have our Duo set up to accept either as a valid email for all users, despite what the “default” email is. We are working to move all of our users to use abc.com primarily (since most of our users are currently on 123.com) but we don’t have a timeline on that, nor will 123.com just go away.
Does anyone have any ideas on how to add multiple emails for a single user?
03-07-2023 07:32 PM
Hi Drew_Nolen, Welcome to the Duo Community!
When you look at a user object in Duo, the Email field is only used to send Enrollment or Activation emails to the users. It is not used as a username.
The username and alias fields are usernames.
As such, if you modify your sync to contain the attributes used as email2 for an alias field, your users will be able to sign in with those alternate emails.
Please see the Duo Alias configuration guide below:
https://help.duo.com/s/article/aliases-guide
If this is for logging in with Duo SSO, the email domain will also need to be verified in your Duo SSO Authentication source configuration.
03-09-2023 05:12 AM
Yes, this is for Duo SSO. I have verified both of the email domains in my configuration. Can users have 2 email addresses which they use to log into Duo SSO?
03-09-2023 10:53 AM
For Duo SSO there are two different parts to this:
The Duo user must have both email addresses set as username or username alias (as @raphka described) to be able to match the email username received by Duo to an existing user.
If you are using AD authentication for Duo SSO, you also need to configure the list of AD attributes that contain the email addresses for your users. The default is to just search the mail AD attribute values for a match. If you have alternate email addresses for your users stored in a different AD attribute then you would need to add it to the list of email attributes for SSO. I don’t believe this supports multivalued AD attributes like the proxyAddresses attribute.
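The following added example (not from the thread or from Duo) derives each user's non-default address from proxyAddresses, so it can be stored in a single-valued AD attribute as the reply above describes. The sample records are constructed, the function name Get-AlternateEmail is hypothetical, and it assumes Exchange's convention that `SMTP:` marks the primary address and `smtp:` the secondary ones.

```powershell
# Constructed sample records, shaped like the output of:
#   Get-ADUser -Filter * -Properties mail, proxyAddresses
$users = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mail = 'alice@123.com'
        proxyAddresses = @('SMTP:alice@123.com', 'smtp:alice@abc.com', 'X500:/o=Org/cn=alice') },
    [pscustomobject]@{ SamAccountName = 'bob'; mail = 'bob@abc.com'
        proxyAddresses = @('smtp:bob@123.com', 'SMTP:bob@abc.com') },
    [pscustomobject]@{ SamAccountName = 'carol'; mail = 'carol@123.com'
        proxyAddresses = @('SMTP:carol@123.com') }
)

$domains = @('123.com', 'abc.com')   # the two email domains from the thread

# Hypothetical helper: returns the user's default address and the single
# alternate address found in proxyAddresses, or a note when there is none
# or more than one.
function Get-AlternateEmail {
    param(
        [Parameter(Mandatory)] $User,
        [Parameter(Mandatory)] [string[]] $Domains
    )
    $default = "$($User.mail)".ToLowerInvariant()

    # Keep SMTP entries only (-match and -replace ignore case), drop the prefix.
    $smtp = @($User.proxyAddresses |
        Where-Object { $_ -match '^smtp:' } |
        ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() })

    # An alternate is any address in a known domain that is not the default.
    $alternates = @($smtp |
        Where-Object { $_ -ne $default -and ($_.Split('@')[-1] -in $Domains) } |
        Select-Object -Unique)

    [pscustomobject]@{
        User           = $User.SamAccountName
        DefaultEmail   = $default
        AlternateEmail = if ($alternates.Count -eq 1) { $alternates[0] } else { $null }
        Note           = switch ($alternates.Count) {
            0       { 'no alternate address found' }
            1       { 'ok' }
            default { 'several alternates, pick one manually' }
        }
    }
}

$users | ForEach-Object { Get-AlternateEmail -User $_ -Domains $domains } | Format-Table
```

The AlternateEmail value is what would go into the single-valued attribute that is added to the SSO email attribute list and synced as a username alias.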
04-06-2023 07:43 AM
@DuoKristina @raphka Thank you both for your replies. I believe I have it figured out now. Instead of allowing users both email addresses as login, users will just use whatever their default email address is. When we eventually make the switch to our new email domain, all users will just need to change what email address they use with SSO. Thanks!
04-17-2023 03:09 PM
I was looking for the same thing, thank you very much everyone for your comments, they have been very helpful.