Skip navigation
Documentation

Duo Identity Security

Last Updated: August 29th, 2024

Duo Identity Security provides you with insights, signals, and remediation features across your multi-vendor identity environment.

Duo Identity Security is an Early Access feature.

Overview

Duo Identity Security combines Duo’s strong attack mitigation and remediation capabilities enabled by Trust Monitor, Risk-Based Authentication, and policy enforcement with cross-vendor identity insights powered by Cisco Identity Intelligence.

Cisco Identity Intelligence

Cisco Identity Intelligence (CII) is a multi-sourced, vendor-agnostic solution that works across your existing identity stack and brings together authentication and access insights, enabling you to proactively address vulnerabilities and risks in your multi-vendor identity environment.

All Cisco Identity Intelligence features and capabilities are included in Duo Identity Security for Duo Premier and Duo Advantage customers.

Learn more about Cisco Identity Intelligence.

Requirements

The requirements for provisioning Cisco Identity Intelligence are:

Additionally, everyone in your organization whom you want to be able to access the Cisco Identity Intelligence console via Duo Single Sign-On should exist as an end-user in your Duo account and your SAML or Active Directory authentication source.

Duo User Data Requirement

If you are using Active Directory Sync or Microsoft Entra ID Sync, Cisco Identity Intelligence will use the source directory's unique identifiers to associate Duo identities with matching identities in other vendors.

If you are not using Active Directory Sync or Microsoft Entra ID Sync, an email address will be required for the username or email field for your Duo users in order for Cisco Identity Intelligence to map Duo user identities to corresponding identities in other data integrations. The email address used in Duo must match an email address in another integrated platform (e.g., Okta, Google Workspace, AWS).

Provision Your Cisco Identity Intelligence Tenant

  1. Log on to the Duo Admin Panel as an administrator with the Owner admin role.

  2. Navigate to MonitoringCisco Identity Intelligence.

  3. Review the information on the "Cisco Identity Intelligence" page. If you agree to the terms, check the box, and then click Submit and start setup.

  4. Type in a unique organization name for your Cisco Identity Intelligence tenant in the Organization name field. The organization name must consist of lowercase letters, numbers, underscores, and dashes only. This organization name identifies your tenant for SSO login. Click the Next button.

    Organization Name for Cisco Identity Intelligence Tenant
  5. Duo will automatically provision your Duo integration with Cisco Identity Intelligence to enable your new Cisco Identity Intelligence tools to consume and analyze Duo user and authentication data. Optionally, select the following checkboxes to enable additional permissions:

    • Grant write resource: Allow your Cisco Identity Intelligence application to add, modify, and delete resources, such as users, phones, and hardware tokens. This will enable your team to take remediation actions and send a push notification from within the Cisco Identity Intelligence panel.
    • Enable Event Streaming: This will enable Cisco Identity Intelligence to consume Duo logs near real-time via our Event Streaming bridge. If you leave this box unchecked, Cisco Identity Intelligence will poll Duo’s API for log data once daily.
    Configure Organization for Cisco Identity Intelligence Tenant
  6. Click the Next button.

  7. Next you'll configure an SSO login method for the Cisco Identity Intelligence panel. You can choose Duo SSO or another OIDC provider as your method to authenticate.

  8. To configure sign in with Duo SSO, select the Duo SSO tab. Before configuring you'll first need to enable Duo Single Sign-On for your Duo account and configure a working SAML or Active Directory authentication source.

  9. Type in a connection name into the Duo SSO connection name field. This name will be displayed during SSO login for members of your organization logging into the Cisco Identity Intelligence panel. Click Submit and skip to step 12.

    Duo will automatically create a Cisco Identity Intelligence SSO application. The name of the SSO application will be the "Duo SSO connection name" you specified in this step. The type of application will be "Cisco Identity Intelligence - Single Sign-On".

    Configure Duo SSO for Cisco Identity Intelligence
  10. To configure a different OIDC provider, select the OIDC tab. Follow the Cisco Identity Intelligence documentation for Okta SSO or Microsoft Entra ID for further instructions on how to set up SSO.

    OIDC for Microsoft Entra ID

    Currently, the Cisco Identity Intelligence documentation for Microsoft Entra ID SSO includes an option for SAML-based SSO. However, configuration of non-Duo SSO does not support SAML-based SSO. If you are configuring Microsoft Entra ID SSO, please follow the OIDC instructions.

  11. Enter in the information needed in the "OIDC" tab and then click Submit.

  12. You can now use your Cisco Identity Intelligence tenant. A Launch Identity Intelligence button will appear on this page that will launch the Cisco Identity Intelligence dashboard from the Duo Admin Panel.

    Duo administrators with any role assigned can access the Identity Intelligence dashboard via Duo SSO or OIDC via an external identity provider. Clicking the launch button redirects to whichever SSO provider you configured during provisioning. Make sure that any Duo admins accessing Identity Intelligence also exists as an end-user in Duo and in your identity source for SSO.

Next Steps After Provisioning

Data ingestion and analysis of Duo data begins automatically after provisioning. Depending on how many identities exist in your environment, it can take a few days for all the data in your environment to get fully synchronized in the Cisco Identity Intelligence tenant. Learn more about Cisco Identity Intelligence.

Create Additional Integrations

Set up additional available integrations to maximize the cross-vendor visibility that Cisco Identity Intelligence provides and to ensure protection of your full identity ecosystem.

Note: If you created a Microsoft Entra ID or Okta SSO integration you must also create a data ingestion integration to enable Cisco Identity Intelligence to create accurate identity context checks.

Restrict Access to the Identity Intelligence Dashboard

If you opted to use Duo SSO during provisioning then you may limit access to the Cisco Identity Intelligence dashboard via permitted groups.

  1. Create a group in Duo that contains the users you want to access the Cisco Identity Intelligence dashboard. If your organization uses Duo directory sync, create a group in your Active Directory, OpenLDAP, or Entra ID directory containing the CII users and sync that group into Duo.

  2. Locate your Cisco Identity Intelligence SSO application in the Duo Admin Panel's Applications page. The name of the SSO application is the "Duo SSO connection name" you specified in step 9 of the provisioning process, and the type of application is "Cisco Identity Intelligence - Single Sign-On". Click on the application to view its details.

  3. Scroll down to the Permitted groups setting and select the group of CII users you created or synced in from step 1. Click Save.

  4. The users in the permitted group can sign in to Cisco Identity Intelligence via Duo SSO. Users not in a permitted group receive an access error.

If you are using an external identity provider like Entra ID or Okta for Cisco Identity Intelligence dashboard authentication, consult your IdP provider's documentation to determine how you may restrict access to your CII OIDC application.

Integrations

Cisco Identity Intelligence can integrate with a number of vendors for data ingestion, ticketing, notifications, and SIEM usage.

You can read more about the integrations and find configuration instructions by following the links below.

Cisco Identity Intelligence can ingest data from the following sources:

Additionally, integrations are available for notifications, ticketing and SIEMs:

Troubleshooting

Need some help? Take a look at our Identity Security Knowledge Base articles or Community discussions. For further assistance, contact Support.