When we add web applications to DUO either natively or via Generic SAML 2.0 it works fine and users can get self provisioned in these apps just by simply login in via our DUO Central page even if they've never used the application before. Their accounts are created normally with firstname, lastname, email address or SamAccountName.
So one of our latest web apps (A HR system) have asked if can parse more attributes from AD to the Application so when a users is created (via SSO) they have fields such as firstname, lastname, email address, department, manager, office location, job title.
Is this possible?
I've looked under bridged attributes or attribute mapping etc but I don't know what DUO's list of supported attributes are?
I asked support and they gave a rather blunt answer saying DUO is a iDP authentication source only. Not very helpful even if they are correct?
Duo enrollment, where we send a new Duo user through the enrollment process to self-register in Duo after successful primary authentication, doesn't over any ability for the user to enter information for additional attributes, nor do we support querying some identity source to pull in the attribute values into Duo during new user enrollment today.
It sounds though like the apps you have federated with Duo SSO create new users in those applications based on the information passed in to the SAML response from Duo? While Duo does not fully support SCIM today there may be a way to do this.
Sounds like you found the bridge attributes SSO setting. This lets you map attributes from your authentication source to Duo SSO attributes. However, configuring the bridge attributes alone does not also tell Duo SSO to _send_ them to your federated applications at login.
If you federated a service provider application to Duo using a generic SSO application, there's a "Map Attributes" section of the config where you can specify which attributes you want Duo SSO to send to the application. Here you can specify more attributes to send in the response (based on the bridge attributes in the SSO authentication source config).