Solving the Identity Crisis with Username Aliases
Summary:
- Complex customer environments mean multiple usernames for each employee
- Username Aliases introduces a total of up to five usernames per user object
- Utilize via the GUI, AD Sync, Admin API, and CSV Upload
- Feature available for Duo MFA, Duo Access, and Duo Beyond
In the three years I’ve spent at Duo, we’ve seen exponential growth in both the number and the size of our customers. Thousands of customers deploy a consistent end user experience with Duo Push in hybrid environments with on-premises applications like Unix or Windows servers and cloud applications like Expensify and Slack.
As we’ve helped secure customers with tens of thousands of employees, we learned what our customers already knew: enterprise identity is complicated.
Identity Crisis
With all of those different on-premises and cloud applications, customers can’t guarantee that they all speak the same language for usernames. Usernames might be an email address, sAMAccountName, userPrincipalName, or even something custom like an HRID.
So consider an end user’s experience in the morning. They might log into a Windows or Mac laptop with domain\user, and then authenticate into a VPN with a UPN. But then when they open up Slack or another cloud application, they are most likely using sAMAccountName.
Sure, we had simple username normalization, where we cut off prefixes or suffixes and accepted only the username. However, that turns out to be insufficient, particularly for multi-thousand-user organizations, where any alphanumeric combination might be used on some service.
Now this was particularly problematic for Duo because our user objects only allowed one username. Our clever Sales Engineers came up with a workaround for customers: creating duplicate accounts of end users with the same username; however, this led to greater administrative overhead and pain for our customers.
We knew we could do better, so I’m pleased to announce Username Aliases.
The Solution
Username Aliases introduces four aliases on each user object for a total of five usernames. These aliases are editable via the GUI and CSV upload.
If you use Active Directory, we can now sync four additional columns with the custom attributes feature, so you can pull in any standard or custom attribute type as needed.
We also support this via the Admin API, so you can programmatically update all your users.
Generally Available Now
Username Aliases is available for all Duo MFA, Duo Access, and Duo Beyond customers today.
We especially thank all of the customers who gave input and feedback during development and the beta period, so we could help solve this difficult challenge.