
Simple Username Normalization Not Working

Evan-C
Level 1

Hello!

Our organization has a few applications that we are having some trouble with setting up SSO through Duo. We sync our users through AD and we have username normalization set to simple. However, some of the applications we use take email addresses [username]@[domain] and these applications are not removing the @[domain] from the user when passed to Duo. The error we get is that the user: [username]@[domain] is not found. How can we get these applications to use the simple username normalization? 

 

Additionally, and somewhat related, we have some email accounts that are [firstname-lastname]@[domain]. Is there a way we can automatically alias that to FirstnameLastname without the email domain? We've tried userPrincipalName but that still includes the email domain.

 

Any help would be appreciated, thanks!

3 Replies

DuoKristina
Cisco Employee

Take a look at these Duo SSO AD Auth settings:

Email attributes

Duo username attribute 

To your other question about automatically aliasing [firstname-lastname]@[domain] to firstnamelastname - I assume you mean you need a Duo username alias of firstnamelastname? I think you'll need to set some attribute in AD to hold that value and then import it into Duo as another username alias via AD sync.

Duo, not DUO.
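Added example (not part of the thread and not Duo's code): one way to plan the AD attribute values suggested in the reply above before syncing them as username aliases, flagging any alias that would resolve to more than one account. The alias rule (drop the domain and all punctuation), the `sam`/`mail` field names and the sample rows are assumptions constructed for illustration; the script only computes values and writes nothing to AD.

```python
import re
from collections import defaultdict

# Constructed sample rows standing in for an AD export (sAMAccountName, mail).
SAMPLE_USERS = [
    {"sam": "jsmith",  "mail": "John-Smith@example.com"},
    {"sam": "adoe",    "mail": "anne-doe@example.com"},
    {"sam": "jsmith2", "mail": "john-smith@corp.example.com"},
    {"sam": "annedoe", "mail": "annedoe@example.com"},
    {"sam": "mlee",    "mail": "mei-lee@example.com"},
]

def strip_domain(name: str) -> str:
    """Reduce DOMAIN\\user or user@domain to the bare, lower-cased user part."""
    name = name.strip().lower()
    name = name.split("\\", 1)[-1]   # drop a NetBIOS DOMAIN\ prefix if present
    return name.split("@", 1)[0]     # drop an @domain suffix if present

def derive_alias(mail: str) -> str:
    """firstname-lastname@domain -> firstnamelastname (hypothetical alias rule)."""
    return re.sub(r"[^a-z0-9]", "", strip_domain(mail))

def plan_aliases(users):
    """Return (assignments, conflicts).

    assignments maps sAMAccountName -> alias value to store in the AD attribute.
    conflicts maps a name to every account claiming it, as a derived alias or
    as an existing username, so that no login name can resolve to two people.
    """
    claims = defaultdict(set)
    for u in users:
        claims[strip_domain(u["sam"])].add(u["sam"])   # existing usernames
        claims[derive_alias(u["mail"])].add(u["sam"])  # proposed aliases
    conflicts = {a: sorted(s) for a, s in claims.items() if len(s) > 1}
    assignments = {u["sam"]: derive_alias(u["mail"]) for u in users
                   if derive_alias(u["mail"]) not in conflicts}
    return assignments, conflicts

if __name__ == "__main__":
    assignments, conflicts = plan_aliases(SAMPLE_USERS)
    print("write:", assignments)
    print("review by hand:", conflicts)
```

Accounts listed under conflicts need a manually chosen alias: stripping the domain makes `john-smith@example.com` and `john-smith@corp.example.com` indistinguishable.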

@DuoKristina Thank you for the information.

These documents have been what we've been working with. Even with the mail attribute or userPrincipalName aliased, we still get the error that the user does not exist in Duo. So as an example, our AD mail alias is johnsmith@email.com but when we try to sign in to the application, it only sees johnsmith, and doesn't allow the user in. Additionally, each of our users also has an email alias which matches their AD username. Trying that, username@email.com as the alias (which is what userPrincipalName pulls), it doesn't remove the email part. That Duo application sees the full username@email.com instead of just the shortened username as the normalization should do, and again the application blocks it for not knowing the user. Any ideas on what to try?

Thanks!

DuoKristina
Cisco Employee

I think you should sync in the AD mail or userprincipalname attributes as username aliases. It's unclear if you are actually doing that or if you have just mapped these bridge attributes.

Are these SSO applications or non-SSO applications? The normalization settings are managed per-app for non-SSO, and at the SSO authentication source for all SSO applications.

You probably should contact Duo Support at this point so someone can review your configurations with you 1:1. That is beyond the scope of a community conversation, and I am not in the Support org (I am just a person with lots of Duo knowledge who answers community questions as a mental break from other work).

Duo, not DUO.