DUO Universal Prompt Support

DUO Security will no longer support the iframe-based Traditional Prompt after September 30, 2024 and is migrating to the Universal Prompt. Here’s the official Duo documentation for the end-of-support for Traditional DUO prompt and extended support for Akamai EAA. As a result, there will be a change in the user experience for users who use DUO as the second factor for authenticating to EAA Login Portal.

In the iframe-based traditional Duo 2FA applications, the DUO Prompt is shown as an iframe within a page hosted by the EAA Application. But, in the updated frameless DUO 2FA application, EAA redirects you to a page hosted by DUO within duosecurity.com where you’re shown the DUO prompt. After the end-user completes the two-factor authentication, they are redirected back to the EAA application. The redirection page shows either the Universal prompt or the Traditional prompt, dependent on Universal prompt activation status for that EAA application in the DUO Admin Panel, configurable by you (the administrator).

Changes to end-user experience for different prompts

In this section we describe different prompts shown to the end-user after entering username/password and using DUO as the 2FA while logging into the EAA IdP login portal.

A) Iframe-based TRADITIONAL PROMPT (before 24.01 release)

Here the end-user is presented with a DUO traditional prompt embedded as an IFRAME inside EAA.

DUO iframe in eaa

Figure 1: DUO Traditional Prompt in an iframe inside EAA

B) Redirect-based TRADITIONAL PROMPT (with 24.01 release)

Here the end-user is presented with a DUO traditional prompt not as an IFRAME embedded inside EAA, but as a separate page managed by DUO, where the authentication finishes. End-users will see this only after EAA is upgraded to 24.01 release.

DUO traditional iframe in duo

Figure 2: Redirect-based DUO Traditional Prompt hosted by DUO

C) Redirect-based UNIVERSAL PROMPT (with 24.01 release)

Here the end-user is presented with a DUO universal prompt not as an IFRAME embedded inside EAA, but as a separate page managed by DUO, where the authentication finishes. End-users will see this only after EAA is upgraded to 24.01 release and you (the admin) enable Universal Prompt in the DUO Admin Panel.

DUO universal prompt in duo

Figure 3: Redirect-based DUO Universal Prompt hosted by DUO

How to enable DUO Traditional Prompt or Universal Prompt in DUO Admin Panel

  1. When you login to your DUO Admin Panel and access your EAA account as the protected application, you will see “Waiting on App provider”. Neither the Traditional Prompt nor Universal Prompts are visible. Basically, DUO is informing the admin that Application Provider, in this case, EAA product must support the new DUO Universal Prompt feature. (Before EAA 24.01 release)

DUO waiting on EAA

Figure 4 : DUO admin panel before EAA Application Admin approves Universal Prompt

In this state, the end-users will see the DUO traditional prompt with the iframe embedding, as in Figure 1.

  1. Once EAA releases support for the DUO Universal Prompt, when you login to your DUO Admin Panel and access your EAA account, you will see “Ready to activate” with the default setting of “Show traditional prompt” and click “Save” to save your changes.

DUO EAA Ready to activate

Figure 5: DUO admin panel after EAA Application supports Universal Prompt but not enabled by Admin.

In this state, the end-users will see the redirect-based DUO traditional prompt without the iframe embedding, as in Figure 2.

Note: If any of the users of your organization try to access the EAA application and perform 2FA with DUO, you (the admin) will be prompted with this notification:

DUO admin notification

Figure 6: Admin will be shown the option to enable Universal Prompt

You (the admin) can select “Activate Now” to activate the Universal Prompt for all your users. If you want to continue to use the redirect-based Traditional Prompt without the iframe embedding, select the “No, thanks” option.

Also, note that after the first end-user logs into the EAA Login portal using DUO as 2FA, the DUO Admin Page will change from “Waiting on App Provider” to “Ready to activate” state.

  1. If you want your end-users to be shown the Universal prompt without the iframe embedding in the EAA login portal, you must select “Show new Universal Prompt” and click “Save”, to save your changes.

DUO EAA Ready universal prompt

Figure 7: DUO admin panel for activating redirect-based Universal Prompt by Admin.

In this state, the end-users will see the redirect-based DUO universal prompt without the iframe embedding, as in Figure 3

Note: After EAA 24.01 release, you will only be able to switch between the redirect-based Traditional Prompt or Universal Prompt (2 or 3). You will not be able to go back to iframe-based Traditional Prompt (1).

Limitations

  1. After you upgrade to DUO v4, you must clear the browser cache to avoid incorrect errors when redirection happens from DUO to EAA.
  2. Only English is shown as the language when a registered DUO end-user logs into the EAA IdP login portal, even if you try changing to another language.
  3. When you configure the DUO user attribute as Domain Name/SAM account name in the IdP and use it as the Login Preference in the directory associated with the IDP, user will experience an endless loop with MFA authentication failure.
  4. When you configure the DUO user attribute as User Principal Name (UPN) in the IdP and use it as the Login Preference in the Email associated with the IDP, DUO MFA authentication fails.

References

  1. You can refer to the DUO Universal Prompt Update Guide and substitute ACME application to EAA application in the section Changes to Support the Universal Prompt.