06-13-2018 09:44 AM
I am new to Duo Access Gateway and to ADFS and am a little confused as to what the differences are between the two.
We need to have Duo protect Connectwise Manage, which I’m told we can do (even though no one currently supports it) via SSO/SAML 2.0 using DUO’s generic SAML service provider.
I set up a DAG server thinking that was the best way to go, but now I’m not so sure. I’m having trouble determining if DAG and ADFS work in tandem or if they are different ways of doing the same thing.
I was under the impression I could just install ADFS on our Domain Controller and link it up to the DAG server, but that doesn’t seem to jive with anything I am now reading.
Would DAG fit somewhere on this network map? https://duo.com/docs/adfs#deployment-overview.
Thanks for your help!
Matt
06-13-2018 10:18 AM
Duo Access Gateway and AD FS are both SAML 2.0 capable identity providers (or IdPs). They perform the same function: accept a login redirect request from some application, authenticate it against an identity store, and return access approval back to the application.
Look at these network diagrams for DAG and AD FS; you’ll notice the DAG and the AD FS server occupy the same spot.
DAG
ADFS
You do not have to deploy DAG if you’d rather use AD FS with Connectwise Manage. You can set up Connectwise Manage as a relying party in AD FS, and you can then also install the Duo MFA plugin for AD FS to protect those logins.
It is possible to use both DAG and AD FS together. When you deploy DAG you configure it to use AD FS as a SAML IdP primary authentication source, so DAG talks to AD FS which then talks to AD, instead of DAG talking to AD directly. There are a few reasons for this, for example when someone already has a robust existing SAML identity infrastructure and doesn’t want to add Duo to it directly.
It sounds like you don’t have AD FS set up now? Why not give the Duo Access Gateway a try on its own? It has some advantages over AD FS + the Duo plugin, primarily that with DAG you can create Duo access policies for each individual SSO application you configure to use Duo Access Gateway, but with AD FS you can only apply one Duo policy that would apply to every SSO relying party.
So your configuration steps would be:
This might be a good reference for you: https://docs.connectwise.com/ConnectWise_Documentation/090/020/070/140/SAML_and_SSO_Frequently_Asked_Questions
I could just install ADFS on our Domain Controller
If you do decide to use AD FS instead of the Duo Access Gateway we DEFINITELY do not recommend this unless you also plan to deploy a web application proxy in front of AD FS to protect it from direct external client access.
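As an added illustration of what the SP side of this exchange has to verify when an IdP such as DAG or AD FS posts a SAML Response back to the application's ACS URL (this is example code, not from the thread, Duo or ConnectWise; the entity IDs, ACS URL, attribute name and the sample response are constructed, and XML signature verification is assumed to be done first by a real SAML library):

```python
"""Added example: SP-side checks on a SAML 2.0 Response (audience, recipient/ACS URL,
validity window, required attributes). Signature verification is assumed to have been
done already by a SAML library; never trust an assertion before that step."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response; issuer, audience and ACS URL are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example/acs">
  <saml:Assertion>
    <saml:Issuer>https://idp.example/dag</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData
        Recipient="https://sp.example/acs" NotOnOrAfter="2030-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(s):
    # SAML timestamps are UTC in xs:dateTime form
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml, expected_issuer, expected_audience, acs_url, required_attrs, now=None):
    """Return (NameID, attributes) or raise ValueError naming the first failed check."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml).find("saml:Assertion", NS)
    if a is None: raise ValueError("no assertion")
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer: raise ValueError("unexpected issuer")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url: raise ValueError("recipient is not our ACS URL")
    if now >= _ts(scd.get("NotOnOrAfter")): raise ValueError("subject confirmation expired")
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))): raise ValueError("outside validity window")
    auds = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in auds: raise ValueError("audience mismatch")
    attrs = {att.get("Name"): att.findtext("saml:AttributeValue", namespaces=NS)
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = [n for n in required_attrs if n not in attrs]
    if missing: raise ValueError(f"missing attributes: {missing}")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs
```

A mismatched ACS URL or a missing attribute surfaces here as a clear ValueError rather than an opaque "bad request" at the application.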
06-13-2018 11:00 AM
Thank you, Kristina. This is very helpful!
I was trying to follow the instructions on that CW link you included, but seemed like I needed ADFS set up to get the metadata needed for setting up SSO. That’s where I got stuck. I am glad to know I don’t have to set up ADFS. Looks like I can get that metadata and certificate from the DAG portal.
I would much rather just use the DUO Access Gateway. Especially since I already have it set up!
Thank you for your quick reply!
10-27-2018 04:14 PM
If possible could you update this thread with information about how you configured Duo for this? I’m getting a “bad request” response at the moment, I presume because I’m sending the wrong attributes back to ConnectWise.
01-23-2019 09:04 AM
Coriron did you get it working? What attributes did you have to setup?
03-11-2019 12:38 AM
After a few hours, I got it working! Flick me a message and I can share my settings.
07-15-2019 06:07 AM
Can you share this please?
09-06-2019 07:40 AM
Hi Dave, would you mind sharing your settings for protecting Manage with the DUO DAG?
08-14-2019 05:31 AM
Anyone happy to share their settings?
I’m trying to configure CW Manage against Okta and seem to be bombing out on the Acs URL (and perhaps elsewhere).
We’re in AUS but hoping the URL structure is the same as NA for those in that tenant.
09-27-2019 10:59 AM
I’m in the same boat. Any assistance from one of you that’s already gotten this to work would be greatly appreciated.
01-07-2020 01:05 PM
Reviving this thread since ConnectWise is doing away with SAML in April of 2020. Is there another way to accomplish MFA on ConnectWise using Duo? Maybe some combination of Azure OpenID and Duo?
03-12-2020 10:34 AM
That’s what I’ve been forced to do. We purchased Azure AD P1 licenses for all users, set up CW SSO to connect with Azure, and use Azure Conditional Access to have it tie in with Duo.
I’m still using DAG for some other applications though.
10-26-2020 09:32 PM
Hi Phil, we are looking to do the same thing. Do you have more information on how you got that set up? Maybe some screenshots of the CW interface, Duo setup and Azure Conditional Access rules? If you could share and/or if I could ping you with some questions I would be very grateful.
12-02-2020 07:25 AM
I’m late to the party, but overall it looks like Connectwise backed off their statement about removing the SAML integration, and I found that these instructions work for anyone looking to implement this: