Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
107
Views
0
Helpful
1
Replies

Cisco DUO attribute sync

GaranT
Beginner
Beginner

‎11-15-2023 02:18 AM

Hi,

When we add web applications to DUO either natively or via Generic SAML 2.0 it works fine and users can get self provisioned in these apps just by simply login in via our DUO Central page even if they've never used the application before.
Their accounts are created normally with firstname, lastname, email address or SamAccountName.

So one of our latest web apps (A HR system) have asked if can parse more attributes from AD to the Application so when a users is created (via SSO) they have fields such as firstname, lastname, email address, department, manager, office location, job title.

Is this possible?

I've looked under bridged attributes or attribute mapping etc but I don't know what DUO's list of supported attributes are?

I asked support and they gave a rather blunt answer saying DUO is a iDP authentication source only.  Not very helpful even if they are correct?

Can this be done? If So any ideas how?  

0 Helpful
1 Reply 1

DuoKristina
Cisco Employee
Cisco Employee

‎11-22-2023 06:28 AM

Duo enrollment, where we send a new Duo user through the enrollment process to self-register in Duo after successful primary authentication, doesn't over any ability for the user to enter information for additional attributes, nor do we support querying some identity source to pull in the attribute values into Duo during new user enrollment today.

It sounds though like the apps you have federated with Duo SSO create new users in those applications based on the information passed in to the SAML response from Duo? While Duo does not fully support SCIM today there may be a way to do this.

Sounds like you found the bridge attributes SSO setting. This lets you map attributes from your authentication source to Duo SSO attributes. However, configuring the bridge attributes alone does not also tell Duo SSO to _send_ them to your federated applications at login.

If you federated a service provider application to Duo using a generic SSO application, there's a "Map Attributes" section of the config where you can specify which attributes you want Duo SSO to send to the application. Here you can specify more attributes to send in the response (based on the bridge attributes in the SSO authentication source config).

Duo, not DUO.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents