Duo integrates with Microsoft AD FS v3 and later to add two-factor authentication to services using browser-based federated logins, complete with inline self-service enrollment and Duo Universal Prompt.
Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability.

After completing primary authentication to the AD FS server by any standard means (such as Windows Integrated or Forms-Based), your users will be redirected to Duo for two-factor authentication before getting redirected back to the relying party.
When configuring the multi-factor authentication policies after the Duo installation on the internal AD FS server, you select whether to require MFA on Internal or External access locations, or both. If you are planning to require two-factor authentication for External access locations, a Web Application Proxy server is required.
Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Duo Universal Prompt

The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.

Before you activate the Universal Prompt for your application, it's a good idea to read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.
If you're configuring Microsoft AD FS now, proceed with the installation instructions in this document.

The "Universal Prompt" area of the application details page shows that this application is "New Prompt Ready", with these activation control options:

Show traditional prompt (default): Your users experience Duo's traditional prompt when logging in to this application.

Show new Universal Prompt: Your users experience the Universal Prompt when logging in to this application.

In addition, the "Integration key" and "Secret key" property labels for the application update to "Client ID" and "Client secret" respectively. The values for these properties remain the same.

Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications.

Enable the Universal Prompt experience by selecting Show new Universal Prompt, and then scrolling to the bottom of the page to click Save. Should you ever want to roll back to the traditional prompt, you can return to this setting and change it back to Show traditional prompt.
This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.
Enrolled users must complete two-factor authentication, while all other users are transparently let through. Then, when you're ready, change the "New user policy" to "Require Enrollment."

If you have a SQL farm, you may begin with any node.

If the Bypass Duo authentication when offline option is unchecked, then Duo for AD FS will "fail closed" when Duo Security cloud services are unreachable and users will not be able to access protected federated resources. Check the box if you want users to be able to access protected applications without Duo authentication if Duo's cloud service is unreachable. This setting can be changed post-install from the registry.

If you enable this option, you must also change the properties of your AD FS application in the Duo Admin Panel to change the "Username normalization" setting to None. Otherwise, Duo drops the domain suffix from the username sent from AD FS to our service, which may cause user mismatches or duplicate enrollment.
X authentication method where X. X reflects the Duo version to enable Duo protection. Click OK. The MFA policy immediately applies to the selected relying party. In this example, all users have access to this relying party, but members of the "Duo Users" domain group also require multi-factor authentication before accessing the application. For example, if you want to always require two-factor authentication for all of your users, select both the Extranet and Intranet location when configuring the multi-factor authentication policy and don't specify a group assignment for MFA as shown in the example.
If you only want to enforce two-factor authentication for external users (in any group), and you have configured your network such that external users communicate with an AD FS Web Application Proxy while internal users communicate with the Identity Provider, do not add any groups for MFA; enable only the Extranet location in the multi-factor authentication policy and leave the Intranet location unchecked.

Note that any MFA assignments made via the Global Authentication Policy editor are effectively "OR" rules, so each individual condition always applies.

X reflects the actual installed Duo version to enable Duo protection.

If you need to enforce more complex MFA rules for an Office relying party (bypass or require policies for certain clients, users, or subnets), please take a look at our Guide to advanced client configuration for Duo with AD FS 3 and later with Office Modern Authentication.
This will satisfy Azure AD conditional access policies that require multifactor authentication. To do this, you need to update your federation configuration for that domain to indicate support for multifactor authentication, and then create a custom claims rule in AD FS to send the AMR information.

Launch PowerShell on the server where you installed the MSOnline PowerShell module, and run the following commands (the module prompts you to enter your Microsoft or Azure admin credentials):

Examine the command output and look for SupportsMfa : True. If you do not see this, then run this command to set it:

Give your new claim rule a name, and then in the "Incoming claim type" field type in Authentication Methods References. Do not try to select this using the drop-down list, because the required value is not present. You must type it in exactly as shown. Leave the "Pass through all claim values" option selected and then click Finish to save your new claim rule and return to the list of issuance transform rules.
Click OK to apply your new claim rule for Authentication Methods References to the relying party.

To test your setup, use a web browser to log into a relying party for your AD FS deployment. The AD FS page briefly indicates that it's necessary to redirect you to Duo for authentication, then performs the redirect. Complete Duo two-factor authentication when prompted and then you'll return to AD FS to complete the login process to your relying party.

Office and desktop applications including Outlook and Skype for Business can connect to Office after Duo AD FS adapter installation only if Modern Authentication is enabled for your Office tenant or you've constructed your MFA rules to exclude Office client applications.
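
The Azure AD steps described earlier (the SupportsMfa federation setting and the Authentication Methods References pass-through rule) can be checked with a script like the one below. It is an added example, not part of Duo's documentation; the domain `example.com` and the relying party name `Microsoft Office 365 Identity Platform` are assumptions to replace with your own values, and the two functions may have to run on different hosts (the MSOnline host and an AD FS server).

```powershell
# Added example (not from the Duo documentation).
# Assumptions: 'example.com' is a placeholder federated domain, and the relying
# party name below is an assumed display name; substitute your own values.
$Domain   = 'example.com'
$RpName   = 'Microsoft Office 365 Identity Platform'
$AmrClaim = 'http://schemas.microsoft.com/claims/authnmethodsreferences'

function Confirm-FederationSupportsMfa {
    # Run on the server where the MSOnline module is installed.
    param([Parameter(Mandatory)][string]$DomainName)

    Import-Module MSOnline -ErrorAction Stop
    Connect-MsolService          # prompts for admin credentials

    $settings = Get-MsolDomainFederationSettings -DomainName $DomainName
    if (-not $settings.SupportsMfa) {
        # Only change the federation setting when it is not already True.
        Set-MsolDomainFederationSettings -DomainName $DomainName -SupportsMfa $true
        $settings = Get-MsolDomainFederationSettings -DomainName $DomainName
    }
    return [bool]$settings.SupportsMfa
}

function Test-AmrClaimRule {
    # Run on an AD FS server. Returns $true when some issuance transform rule
    # on the relying party references the Authentication Methods References
    # claim type. It does not prove the rule passes through all values, so
    # review the rule text as well.
    param([Parameter(Mandatory)][string]$RelyingPartyName)

    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $rp) { throw "Relying party '$RelyingPartyName' not found." }

    return [bool]($rp.IssuanceTransformRules -match [regex]::Escape($AmrClaim))
}

# Usage (each call on the appropriate host):
#   Confirm-FederationSupportsMfa -DomainName $Domain
#   Test-AmrClaimRule -RelyingPartyName $RpName
```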
More information about Modern Authentication, including a list of Office applications that support Modern Authentication, is available at the Office Blog. X authentication method to disable Duo protection. View checksums for Duo downloads here. When the installer is finished, repeat the steps you originally followed to enable the Duo method in AD FS. Users may log on to federated services without two-factor protection until you've re-enabled the Duo authentication method.
For a WID farm, install Duo on the primary server first. If you are updating an existing Duo AD FS deployment to use the Universal Prompt, you will need to authenticate with the updated plugin first before you can enable Universal Prompt.
Troubleshooting

Need some help? For further assistance, contact Support.