07-08-2021 06:49 AM
On our road to deploying SSO within our company we have come across a couple of applications that use OpenID Connect for their SSO deployment instead of SAML, and when looking to set up SSO with them they have referred us to this list of companies that are certified with OIDC: OpenID Certification | OpenID
I was very surprised to see Duo missing on this list and would love to see some OIDC support.
I’ve done some digging in the Duo documentation and it sounds like the new “Universal Prompt” is going to be based on OIDC, but I can’t find anything relating to development on being able to protect OIDC applications like AutoTask/DarkWebID and others.
Is this sort of integration in development?
11-30-2022 10:50 AM
Public Preview will be rolling out over the next week!
07-08-2021 07:28 AM
Hi @ITEM93, thanks for asking this great question here in the community! There are currently feature requests under consideration for the future for both generic OIDC SSO applications and AutoTask specifically. I encourage you to request to be added to those by your account representative or a Duo Support agent, as we discussed on another thread.
Just briefly, I spent some time looking through the Dark Web ID website and knowledge base to see if I could find any instructions that could help you in the meantime, but without the ability to use generic SAML or RADIUS, I’m not really sure how this could be accomplished.
07-08-2021 09:17 AM
Hey @ITEM93,
I’m the Product Manager for SSO at Duo and am happy to discuss where we are at with regards to OIDC.
Since the generally available release of Duo SSO last year, the team has been heads down working on our official Microsoft 365 integration that expands Duo SSO’s scope from exclusively SAML to also supporting WS-FED, WS-Trust, and WS-MEX (for M365 only).
Now that Microsoft 365 is out the door, we are starting work on support for OIDC service providers with Duo SSO.
With that, I am compiling a list of applications that our customers are looking to connect via OIDC so that our team can better validate the new service, but also hopefully create better named integrations in the future.
You mention AutoTask and DarkWebID. Are there any other applications in particular that you would be trying to integrate?
07-08-2021 11:03 AM
Thanks so much for the update, we are actually planning to roll out the M365 integration this weekend and are looking forward to that! Really appreciate all your hard work getting that named integration setup.
AutoTask is certainly the Number 1 highest priority for us right now.
The IDAgent suite would follow (DarkWebID & Bullphish); this would make Duo a much more compelling product, matching the integrations offered by Okta, Authy, Passly.
I hope that with the development of the Universal Prompt, that it would make getting other OIDC integrations setup much easier.
There are a couple of other integrations that I’d love to see, but I don’t think
Webroot Secure Anywhere - both for MFA/SSO and for Device Health AV Agent Verification (Duo Device Health Application | Duo Security)
pfSense - both for device login as well as for direct OVPN integration. (I did find a workaround for the VPN part with a RADIUS integration, but would love a direct integration package with the built-in user manager (https://community.duo.com/t/duo-integration-on-pfsense-openvpn-configuration))
Hopefully other community users searching for OIDC compatibility can find this thread and add their requests to the list.
Thank you once again for this update!
07-22-2021 06:41 AM
It looks like Datto have also adopted the OIDC standard for their SSO integration, this would be another key vendor that we would like to integrate with.
08-27-2021 07:32 AM
Hi @cmedfischduo,
With the new updates and improvements with the Universal Prompt, are there any updates on the SSO - OIDC integration? We are really looking forward to expanding our SSO with Duo.
10-13-2021 12:57 PM
Hey!
Just wanted to circle back and let you know that we don’t have any public facing updates we can share just yet. We are still busy working away on OIDC support for Duo SSO.
If you would have any interest in helping us do early testing, @cmedfischduo is still looking to gather up some interested customers. If you could reach out to your account manager (if you have one) or to Duo support (Duo Customer Support | Duo Security) and let them know that we sent you, they can help you get connected to us and enrolled in a private preview program.
Thanks!
10-13-2021 01:01 PM
Thank you so much for the update.
I’m looking forward to working with the team to get these integrations setup and working.
02-17-2022 11:31 PM
Hello,
Following up on this post. Does DUO now support OIDC SSO? I don’t see it anywhere in your documentation. I’m working with a customer who is looking to integrate with our application for support of OIDC SSO.
For the customer to integrate with our application, they would need to provide us:
It looks like (at least in the trial account) you only offer SAML and Active Directory.
Any information would be appreciated.
Thank you!
02-18-2022 06:24 AM
Hi @newapitesting,
We are in active development of our OIDC support for Duo SSO!
What this will add is being able to add OIDC applications to Duo for authentication, but it will still require Active Directory or SAML to be configured as the authentication source for SSO itself.
We are hoping to have this in a private preview in the coming months.
– Colin
06-04-2022 08:08 PM
Hey Colin (@cmedfischduo),
I’d very much like to use Duo with Hashicorp Boundary, which supports OIDC (as detailed here).
I’m in the midst of developing a PoC and would like to understand if it’s possible to perform the integration, as my attempts seem to be failing.
Thanks,
Matt
06-06-2022 07:37 AM
Hey @mattt,
Based on the documentation, it looks like Hashicorp’s implementation is pretty barebones, so it should be workable with our first release of OIDC support.
This should be in private preview shortly, so can you please DM me your account ID and I will add you to the preview list?
09-05-2022 03:27 AM
Hello @cmedfischduo
Any realistic ETA on this? We’re really interested in using it with AWS ALBs. The Cognito implementation works, but it has some issues.
Thanks.
09-06-2022 08:34 AM
Hey @Ruben_Cardenal,
Just sent you a DM! We are getting very close to our Public Preview of this feature!
08-01-2022 03:08 AM
Hi; I’m hoping to integrate OIDC into OwnCloud with Duo as the identity provider. I believe that this may not be currently well available yet - have you got any updates on when this might be ready? I’m pretty sure that we can do the user management/provisioning from LDAP/AD directly; and just use Duo for the auto workflow; but we need a .well-known endpoint to respond.