Use of Alternative Active Directory Attributes in Duo Authentication

Introduction

The default login-name option for Cisco Duo two-factor authentication might not meet your organization's needs. When syncing Active Directory users to Duo, Duo offers several choices for the attribute that becomes the Duo username. The two most common are mail and userPrincipalName; sAMAccountName and a phone number attribute can also be used, provided those attributes are populated in Active Directory. Duo's default is the mail attribute, the Active Directory attribute that holds the user's email address. userPrincipalName, or UPN, is a chosen username combined with an Active Directory UPN suffix, forming an email-style login. Both mail and UPN are formatted as user@domain.com, which is why the two are easy to confuse. UPN is normally what Office 365 and Azure use to identify users. See the Duo documentation for more information.

Properties of Mail Attribute

The mail attribute is Duo's default username source for sync, and it is also the destination for enrollment emails. It is typically set at account creation and should ideally match the UPN, to prevent users from having to guess which of the two a service expects.

Properties of UserPrincipalName

UserPrincipalName is the attribute Azure, Office 365 and some other Microsoft services use to identify users. Active Directory does not require a UPN to be set, but having one is very useful within the Microsoft ecosystem: consistent UPNs let Active Directory and Office 365 agree on who a user is when both are connected to Duo.


Other options

sAMAccountName and phone numbers can also be synced to Duo and used as the login username. Any of these attributes can additionally be synced as an alias, giving a user more than one valid login username if they prefer one form over another.

Use cases for UserPrincipalName over Mail Attribute in Duo

For users who share a mailbox, keying the Duo sync on UPN gives each person an individual login and therefore an individual second factor, and it lets Duo's logs attribute actions to the specific user rather than to the shared address.

Another use case is users with the same or similar first and last names, which prevents each of them from getting a unique email address. UPN suffixes tied to specific domains give each user a unique login, for example user@domain.com versus user@west.domain.com.

Duo's Office 365 integration identifies users by UPN, so syncing Active Directory to Duo by UPN as well prevents confusion: the login a user types for Office 365 no longer differs from the one expected by other services behind Duo. Using one attribute consistently across all your services means users do not have to remember which login each service expects.
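Before switching the sync from mail to UPN it is worth checking the directory for the conditions described in the last three sections: users with no mail, users sharing a mail address, and users whose mail and UPN differ. The script below is an added example, not code from the article or from Duo. It works on a constructed in-memory export shaped like the attributes Duo Directory Sync reads from Active Directory, so it runs offline; in practice you would feed it the output of an LDAP or Get-ADUser export.

```python
"""Audit which Active Directory attribute is safe to use as the Duo username.

Added example, not from the original article or from Duo. The records below
are constructed to mimic the attributes Duo Directory Sync can read from AD;
no directory is contacted.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample export: one dict per AD user. None = attribute not set.
SAMPLE_USERS: List[Dict[str, Optional[str]]] = [
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@domain.com",
     "mail": "jsmith@domain.com", "telephoneNumber": "+15555550100"},
    # Second John Smith in another region: distinct UPN suffix, same mail.
    {"sAMAccountName": "jsmith2", "userPrincipalName": "jsmith@west.domain.com",
     "mail": "jsmith@domain.com", "telephoneNumber": "+15555550101"},
    # Two staff members on a shared help-desk mailbox.
    {"sAMAccountName": "aedwards", "userPrincipalName": "aedwards@domain.com",
     "mail": "helpdesk@domain.com", "telephoneNumber": None},
    {"sAMAccountName": "bkhan", "userPrincipalName": "bkhan@domain.com",
     "mail": "helpdesk@domain.com", "telephoneNumber": None},
    # Service-style account with no mailbox at all.
    {"sAMAccountName": "svc_backup", "userPrincipalName": "svc_backup@domain.com",
     "mail": None, "telephoneNumber": None},
]

# The username sources discussed in the article.
CANDIDATES = ("mail", "userPrincipalName", "sAMAccountName", "telephoneNumber")


def normalize(value: Optional[str]) -> Optional[str]:
    """AD matches these attributes case-insensitively; compare them that way."""
    if value is None:
        return None
    value = value.strip()
    return value.lower() if value else None


def audit_attribute(users: List[Dict[str, Optional[str]]],
                    attr: str) -> Tuple[List[str], List[str]]:
    """Return (missing, duplicates) for one candidate username attribute.

    missing:    sAMAccountNames of users where attr is empty; a sync keyed on
                attr has no username for them.
    duplicates: normalized values held by more than one user; Duo usernames
                must be unique, so these users would collide.
    """
    values = {u["sAMAccountName"]: normalize(u.get(attr)) for u in users}
    missing = sorted(sam for sam, v in values.items() if v is None)
    counts = Counter(v for v in values.values() if v is not None)
    duplicates = sorted(v for v, n in counts.items() if n > 1)
    return missing, duplicates


def usable_username_attributes(users: List[Dict[str, Optional[str]]]) -> List[str]:
    """Attributes populated for every user and unique across all users."""
    return [a for a in CANDIDATES if audit_attribute(users, a) == ([], [])]


def mail_upn_mismatches(users: List[Dict[str, Optional[str]]]) -> List[str]:
    """Users whose mail and UPN differ: the confusion case the article warns about."""
    return sorted(
        u["sAMAccountName"] for u in users
        if normalize(u.get("mail")) is not None
        and normalize(u.get("mail")) != normalize(u.get("userPrincipalName"))
    )


if __name__ == "__main__":
    for attr in CANDIDATES:
        missing, dups = audit_attribute(SAMPLE_USERS, attr)
        print(f"{attr:18} missing={missing} duplicates={dups}")
    print("usable as Duo username:", usable_username_attributes(SAMPLE_USERS))
    print("mail != UPN:", mail_upn_mismatches(SAMPLE_USERS))
```

On this sample, mail fails on both counts (one user has none, two values are shared) and telephoneNumber is missing for most users, while userPrincipalName and sAMAccountName are complete and unique. The mail/UPN mismatch list is the set of users who would see a different login name depending on which attribute a service uses.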


Troubleshooting Email Attributes in Duo Debugging Logs

Duo uses LDAP for syncing, and the attribute you choose to sync appears in the LDAP queries it issues. Those queries can be seen in the Authentication Proxy logs and in Duo's SSO logs, and inspecting them shows whether the chosen attribute is causing problems. Below are examples of queries that might be useful for troubleshooting. When I was setting up Duo, the logs were how I worked out that the mail attribute was not meeting my needs. How to enable logging is described in Duo's documentation.

[Image: example LDAP queries from the Duo logs]
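To recognise the chosen attribute in a logged query, it helps to know what a per-user lookup looks like for each candidate and how the login name is embedded in it. The following is an added example, not code from the article or from Duo, and the filter shape `(&(objectClass=user)(<attr>=<value>))` is an assumption chosen for illustration; the exact filters Duo writes to its logs may differ. It also shows the caveat a practitioner wants when building such filters from a user-supplied login name: RFC 4515 escaping, without which a name containing `*` or `)` changes the structure of the query.

```python
"""Build the LDAP lookup filter for a Duo username attribute, with RFC 4515
escaping of the value.

Added example, not from the article or from Duo. The filter shape used here
is an assumption for illustration; Duo's own logged queries may differ.
"""

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value, otherwise they are parsed as filter syntax rather than matched.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The username sources the article discusses; the attribute name is the one
# part of the filter that is not escaped, so it is restricted to this list.
ALLOWED_ATTRS = ("mail", "userPrincipalName", "sAMAccountName", "telephoneNumber")


def escape_filter_value(value: str) -> str:
    """Escape a login name so it is matched literally, never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(attr: str, username: str) -> str:
    """Filter that selects exactly the user whose attr equals username."""
    if attr not in ALLOWED_ATTRS:
        raise ValueError(f"unsupported username attribute: {attr}")
    return f"(&(objectClass=user)({attr}={escape_filter_value(username)}))"


def unsafe_lookup_filter(attr: str, username: str) -> str:
    """The same filter built by naive interpolation, shown only for comparison."""
    return f"(&(objectClass=user)({attr}={username}))"


if __name__ == "__main__":
    # What a lookup keyed on each attribute would look like for the same person.
    for attr, name in [("mail", "jsmith@domain.com"),
                       ("userPrincipalName", "jsmith@west.domain.com"),
                       ("sAMAccountName", "jsmith")]:
        print(user_lookup_filter(attr, name))

    # A constructed login name containing filter metacharacters. Escaped, it
    # matches no user (nobody has that literal mail). Interpolated, it becomes
    # a query that matches every user with a mail attribute.
    hostile = "*)(mail=*"
    print("escaped:     ", user_lookup_filter("mail", hostile))
    print("interpolated:", unsafe_lookup_filter("mail", hostile))
```

When reading Authentication Proxy or SSO logs, the attribute name inside the innermost parentheses tells you which username source the sync or authentication is keyed on; if it is `mail` where you expected `userPrincipalName`, the Duo configuration rather than the directory is the thing to fix.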
