10-24-2024 01:52 AM
I opened a Duo support ticket but thought I would ask here for any other experiences.
I found this older thread from 2022 about Duo + Google Workspace / GSuite: https://community.cisco.com/t5/protecting-applications/demo-of-duo-google-workspace/td-p/4885129
Since that time, up until present, the behavior is that the user must first enter their Google user account in the respective Google page. They are then redirected to the Duo SSO login page where they must enter their AD user account (same username but a different domain) before being prompted with their configured MFA method.
Is there a way to make this dual entry unnecessary? i.e., we would like the username to be filled in automatically in the Duo workflow.
Duo support says it is not currently possible but there is a feature request for it.
Can anybody offer insight or experiences as to how they have handled this issue? It seems so discordant with the otherwise very low friction experience that most other modern applications have with Duo MFA.
10-24-2024 06:22 AM
Once someone does enter their Duo SSO username and password in the Duo SSO login flow, are you not seeing that username is retained on subsequent auths? This is intended to help with username entry fatigue. If you aren't seeing them persist, are users clearing their cookies, or is their first sign-on in a thick-client app that doesn't share a cookie with the browser or other apps?
OIDC has a login_hint param in the spec that can be used to pre-populate the info, but the limitation on passing the username from a SAML app is that the SAML spec doesn't have a direct equivalent to login_hint. There are other params that could possibly be used, but we have to do some research to figure out which would have the widest support from SAML service provider apps and SAML identity providers.
10-24-2024 08:46 AM
It's the flow from Google > Duo > to being authenticated.
The desired behavior would be to have the user enter their username in Google (i.e., by logging in at accounts.google.com or via the user profile login in Google Chrome), be presented with a Duo SSO prompt to enter their password (username is pre-populated - just like it is in Microsoft 365 for example) and, once that is done, be MFA-prompted via their chosen method (push, verified push, Duo desktop etc.) and then returned to Google - all in their initiating browser.
10-24-2024 08:52 AM - edited 10-24-2024 08:53 AM
Yes, I understand what you were asking completely and that is what I responded to.
An OIDC service provider app can send the username login_hint that is in the OIDC spec.
The SAML spec does not have a direct equivalent to this, as I explained. The Google integration in Duo SSO is using SAML.
We did add saving the username after the first auth to reduce some of the friction of repeated username entry after the first one, and have some ideas about how to populate the username on the first redirect from a SAML app to Duo SSO that require further research.
We have an open feature request for this. I suggest you contact your Duo Care manager or account team if you have one to be added to that feature request. If you do not have a dedicated Duo contact, you can ask Duo Support to add you to the feature request.
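The OIDC `login_hint` mechanism mentioned in the replies, sketched as an added example (not part of the thread and not Duo's code): a relying party puts the username in the authorization request, and the identity provider treats it as untrusted input that only pre-fills the username field. The endpoint, client ID, domains and the domain mapping (modelling "same username but a different domain") are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not real Duo or Google values.
AUTHZ_ENDPOINT = "https://idp.example.com/oidc/authorize"
DOMAIN_MAP = {"workspace.example.com": "ad.example.com"}  # SP domain -> IdP domain
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def build_authz_request(username_at_sp: str, state: str, nonce: str) -> str:
    """Relying-party side: authorization request carrying login_hint."""
    params = {
        "response_type": "code",
        "client_id": "example-client-id",
        "redirect_uri": "https://app.example.com/callback",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "login_hint": username_at_sp,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def prefill_from_hint(request_url: str) -> str:
    """IdP side: turn login_hint into a safe value for the username field.

    The hint is caller-controlled query data, so it only pre-populates the
    form; the user still has to pass password and MFA. Returns "" (an empty
    field) when the hint is missing, duplicated or not acceptable.
    """
    hints = parse_qs(urlparse(request_url).query).get("login_hint", [])
    if len(hints) != 1:  # absent or ambiguous: do not guess
        return ""
    local, sep, domain = hints[0].partition("@")
    if not sep or not USERNAME_RE.fullmatch(local):
        return ""
    idp_domain = DOMAIN_MAP.get(domain.lower())
    if idp_domain is None:  # only map domains the IdP expects
        return ""
    # Escape before placing the value into an HTML attribute.
    return html.escape(f"{local}@{idp_domain}", quote=True)
```

SAML's AuthnRequest has no parameter defined for this purpose, which is the gap the replies describe.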
10-25-2024 06:54 AM
Thanks @DuoKristina, I did ask Duo Support to add me to the feature request.
The customer for whom I am currently doing a deployment is quite keen to see this implemented; so we hope it's something that actually happens with the product sooner rather than later.