Skip to content

User Authentication with Duo SSO

Our Duo SSO authentication authority lets you log users in at the agent against a Duo Single-Sign-On application in your existing Duo tenant. With this you can:


Ensure you have set up Duo Single-Sign-On in your Duo tenant, including configuring an authentication source. Documentation on this is available at


Duo SSO does not issue refresh tokens to us when users log in, so we cannot frequently check that a user is still valid. Because of this, user logins through Duo will expire after 20 hours and users will need to log in again.

Create a Duo Application

To connect your Duo instance to Enclave, you must first create an Application within Duo. Go to your admin dashboard in Duo and navigate to the Applications page, then click Protect an Application.

Duo Applications Page

On the next page, select Generic OIDC Relying Party, then click Protect.

You'll then be shown a settings page with a Client ID and Issuer values. You'll need those to create your Enclave Trust Requirement.

On this settings page, apply the following changes:

Grant Type Tick Allow PKCE only authentication.
redirect URLs Specify one URL:
Scopes Tick profile and email scopes.
Under the profile scope, click Add Claim, then select <Username> in the IdP attribute dropdown, and set the Claim to preferred_username.
Name Set to Enclave (or some other usefully identifying name)

Relying party settings

OIDC Scope Values

Once applied, press Save at the bottom of this page.

Create the Enclave Trust Requirement

Now we have all the Duo configuration set up, we can create our Enclave Trust Requirement.

When defining a new User Authentication Trust Requirement in the Enclave Portal, select Duo SSO from the Authority dropdown, and populate the fields with:

  • The Duo Client ID
  • The Duo Issuer

Duo Trust Requirement

Once you press Save you can start using your Duo SSO Trust Requirement in an Enclave Policy. Your users will then be prompted to login and will be sent to your Duo tenant for authentication.