SSO with AD - Sending sAMAccountName instead of Email

mhurley131
Level 4

I am configuring DUO using the auth proxy to on-prem AD. Internal users have their email addresses in the AD mail attribute, and things work great.

When the internal users are added to DUO using directory sync, two main things work:

  1. They receive an enrollment email with steps on downloading the app and enrolling their phone
  2. When they log into VPN (utilizing SAML integration to DUO), they enter their email address and AD password

Things break down a bit when dealing with third-party users, for whom we want MFA when they come in over VPN.

The vendors have AD accounts but we do not give them mailboxes. The AD accounts have their third-party email addresses in the mail attribute.

They receive the enrollment email when they are added to DUO using directory sync, which is exactly what we want.

I understand they will need to log into the DUO prompt using a corporate email address (because of domain validation), so asking them to put the corporate domain is acceptable (e.g. AD username: hvac-user, DUO prompt: hvac-user@mycorp.com).

We can create an alias on their DUO account to match: hvac-user@mycorp.com

The issue I am running into now is that authentication is failing. When I look at the auth proxy logs, DUO is sending the full email address of the user, which doesn't exist in AD. It results in a "user not found" error.

If we can strip the "@mycorp.com" from the authentication attempt it would be able to match the sAMAccountName.

Is there a way to make these authentication attempts send the sAMAccountName to AD, rather than the full email address typed in?

If not, has anyone else found a flow that works for vendors and allows them to send the enrollment email to their "real" email?
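The mismatch described in the post, modelled as an added example (not Duo's code or configuration): the value typed at the prompt is accepted only for a permitted corporate domain, then looked up against AD by `mail` (internal users with mailboxes) or, for the local part, by `sAMAccountName` (vendor accounts whose `mail` holds a third-party address). The sample accounts, the permitted-domain set and the in-memory lookup are constructed for this illustration; the filter values are escaped per RFC 4515 so a typed identifier cannot alter the query.

```python
from typing import Iterable, Optional, Tuple

# RFC 4515 escaping: a typed identifier must not change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def split_identifier(identifier: str, permitted_domains: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (local part, lowercased domain) when the domain is permitted, else None."""
    local, sep, domain = identifier.strip().rpartition("@")
    if sep and local and domain.lower() in {d.lower() for d in permitted_domains}:
        return local, domain.lower()
    return None  # not a corporate address: reject before touching the directory


def build_user_filter(identifier: str, permitted_domains: Iterable[str] = ("mycorp.com",)) -> Optional[str]:
    """LDAP filter that matches a mailbox user by mail OR a vendor account by sAMAccountName."""
    parts = split_identifier(identifier, permitted_domains)
    if parts is None:
        return None
    local, domain = parts
    return ("(&(objectClass=user)(|"
            f"(mail={escape_filter_value(local + '@' + domain)})"
            f"(sAMAccountName={escape_filter_value(local)})))")


# Constructed sample accounts mirroring the post: an internal user with a mailbox,
# and a vendor whose AD object carries the vendor's real address in `mail`.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "jsmith", "mail": "jsmith@mycorp.com"},
    {"sAMAccountName": "hvac-user", "mail": "tech@hvac-vendor.example"},
]


def resolve_user(identifier: str, directory=SAMPLE_DIRECTORY,
                 permitted_domains: Iterable[str] = ("mycorp.com",)) -> Optional[str]:
    """Apply the same matching rules in memory; return the sAMAccountName found or None."""
    parts = split_identifier(identifier, permitted_domains)
    if parts is None:
        return None
    local, domain = parts
    typed = f"{local}@{domain}".lower()
    for entry in directory:
        if entry["mail"].lower() == typed or entry["sAMAccountName"].lower() == local.lower():
            return entry["sAMAccountName"]
    return None
```

With the sample data, `resolve_user("hvac-user@mycorp.com")` resolves to `hvac-user` only because of the `sAMAccountName` clause; a lookup by `mail` alone reproduces the "user not found" result.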

2 Replies

temz147
Level 1

So, this was an option we set up in our environment:

We registered a new DNS under our DNS provider. For example, if our main domain is mycorp.com, we registered a subdomain like a.mycorp.com. We then added this subdomain in Duo under Permitted Email Domains and completed the verification process.

Next, for the vendor accounts, we updated their email addresses in Active Directory to use the new subdomain, for example abc@a.mycorp.com. We tested this configuration, and it worked as expected.

Now, all vendor accounts in AD have their email addresses set to use @a.mycorp.com.

Hope this helps!

macocharlie
Level 1

MHurley,

Did you find a solution for this? We are looking for a solution like yours.

Thank you,

Bret