Duo Access Gateway
Duo Access Gateway (DAG) is an on-premises SAML IdP that validates users against an existing directory (e.g., AD/LDAP or a cloud directory), then performs Duo MFA before issuing SAML assertions to service providers. Duo positions Duo SSO (its cloud-hosted IdP) as the replacement and provides a guided migration path.
Key Capabilities
- SAML 2.0 IdP: Centralizes SAML authentication to SaaS and web apps; supports SP- and IdP-initiated flows across many vendor guides.
- Directory integration + MFA: Uses existing on-prem or cloud directory credentials, then enforces Duo MFA and policy before granting access.
- Admin experience: Local appliance/server deployment with admin UI; app-specific setup guides and a broad catalog existed during active support.
- Migration tooling: Duo publishes step-by-step guidance to migrate each SAML app from DAG to Duo Single Sign-On.
Limitations
- Lifecycle status: Last Day of Support: Oct 26, 2023; creation of new DAG apps has been blocked since May 19, 2022. Duo later canceled the March 30, 2024 end-of-life milestone, but commercial support remains ended; migration to Duo SSO is recommended.
- Protocol scope: Official docs present DAG as a SAML IdP. There is not enough public information to confirm that DAG issues OpenID Connect/OAuth 2.0 tokens.
- Operational overhead: DAG is a self-hosted server that requires maintenance, updates, and logging on the local box; Duo SSO removes this overhead by hosting the IdP.
- Support nuances: Duo communications emphasize that after Oct 26, 2023, assistance is limited to migration activities; community notes also point out that only specific (e.g., federal) editions may retain support.