09/03/2025 | News release | Distributed by Public on 09/03/2025 06:18
Additional Contributors: David Keller
At Black Hat Europe 2024, Cisco Duo established itself as the multifactor authentication (MFA) and single sign-on (SSO) provider for the Network Operations Center (NOC), serving as the central application portal for NOC members to access their applications through Duo Central. During the Black Hat Europe show, we piloted Duo Directory and with the successful testing there, we did a full deployment at Black Hat Asia 2025. Since this was before the official launch, we could not blog about the IdP (Identity Provider) portion of Duo yet, but it was extremely successful in the private preview, and we expanded the deployment from 20-30 users in Asia to 100+ at Black Hat USA 2025.
Building on that foundation, our deployment at Black Hat USA 2025 evolved to deliver a more comprehensive and secure identity and access management experience for both users and administrators. Black Hat was the first customer of Duo Directory (check out the announcement vidcast: See What Attackers Will Hate & Users Will Love), with a successful proof of value at Black Hat Asia 2025 as a beta customer. At Black Hat USA 2025, we expanded the SSO access to Endace.
While Duo previously functioned primarily as an MFA and SSO provider, the introduction of Duo Directory in mid-2025 allowed us to take our user management to the next level at Black Hat USA 2025. Duo's intuitive IAM (Identity and Access Management) gave us control over primary authentication, including user password management directly within Duo. Leveraging the new Global Enrollment Policy, we required users to set their passwords as part of the standard Duo onboarding workflow, as seen in the screenshots below, simplifying the process and reducing friction for new users. Administrators can also set up authentication against another authentication source if they prefer, rather than using an enrollment code, during the setup process.
Group membership directly determined which applications appeared in Duo Central, ensuring users only saw the resources they were authorized to access, eliminating confusion and enhancing security.
Administrative Units, a net new addition at Black Hat USA 2025, were fully embraced by the NOC leadership. This enabled each NOC service provider to manage their own users and applications independently. For example, administrators assigned to the "Arista" Administrative Unit could manage the "Arista Admins" group and configure the Arista application's access policies and settings, empowering partners to enforce zero trust access for their own resources.
Now, administrators could be restricted not only by Administrative Unit but also by access scope, such as limiting their visibility to Reporting relevant to their applications and users. For instance, an Arista administrator with the Security Analyst Role could manage Arista users, while also viewing logs and reports, without overreaching into other applications or user groups.
Here's a quick overview of the key enhancements:
Feature                 | Black Hat Europe        | Black Hat Asia '25          | Black Hat USA '25
Duo as IdP & SSO        | No                      | Yes                         | Yes
Duo Directory           | Tested/Piloted          | Full authoritative source   | Full authoritative source
Global Enrollment Policy| Required for onboarding | Required for onboarding     | Required for onboarding
Admin Units & Roles     | Fine-grained delegation |                             |
Identity Intelligence   | Tested                  | Validated                   | Extended with reporting
Zero Trust Controls     | Role-based              | Role-based                  | Advanced, Role-based
By building on our experience from Black Hat Asia 2025, we delivered a more robust, flexible, and user-friendly identity experience at Black Hat USA 2025. The combination of Duo Directory, group-based access, and granular administrative controls enabled a true zero trust environment, one where every partner had the autonomy and security they needed.
To learn more about our approach and see the evolution from Asia to USA, check out the Black Hat Asia 2025: Identity Intelligence blog post.
Interested in how Cisco Duo can help your organization achieve zero trust? Reach out or explore more at Duo's website.
The invitation process for Duo with the Duo IdP is not the easiest to do when you have a new user to onboard. Ideally you are using their company email address as the main email in their Duo Directory account. But if this is a new person, how do you invite them when they do not yet have access to that mailbox? I wanted to solve this conundrum so I wouldn't need to manually send out email invites to 100 new users. One option is to add their phone number to the profile and send out an invite via text, but this seems unprofessional and unofficial to a new employee.
That leaves sending out an invite via email, but how, since the email would end up in their company mailbox? So I got to making a Python script and did much testing over a few days. The first thing I did was test whether I could send an invite to the user's external email address and then change the email to the company address. Would this still allow the enrollment to take place?
The answer is yes! Enrollment can still happen if the email address is changed. This gave me what I needed to script out what I would do. I would get all the users, make a JSON body that I could use with the Duo API, create the new users with the company email in another field besides the primary, use their external email as the primary, send the invite out to the primary email, then edit the user and swap the two emails to what it should be.
I was provided with an Excel file of everyone who was to be working in the NOC, so I first converted that into a CSV for easier processing in Python. Then, using the format given, I made a few example users using my own email address and the plus-addressing trick. Then I got to coding.
I pull the first name, last name, email address, and company for each user from the sheet, then build an internal email address for each user. After that is done, I use the Duo API to check whether any of the users already exist and remove them from the JSON, so they do not cause errors or get duplicated. Once that is done, I build the JSON for each individual user in the format Duo expects and then loop through them to get them created.
Note: You can bulk create users, but you cannot set custom attributes using the bulk create. This is why I need to loop through the users and create them individually, so a custom attribute can be used.
As the user ID of each created user is returned from the API, I store them in a new JSON body so I can go back and change their email addresses around later. After all the users are created, I use the Enrollment API to send out the Duo invites and then immediately update their email from their external email to the company email.
After all the users have had their enrollment link sent and their emails updated, I then send another email to them explaining the enrollment process and what to look for. You can check out the code on GitHub. I have made the script a bit more useful for other people than for just my own use case, so go ahead and use it, update it, and customize it to your needs.
The second script I needed to make was a way to update all the users' groups. It gets all the users in Duo, checks the company/department they are a part of, and then updates their groups based on an object/dictionary with all the correct groups they should be in. You can find that script on GitHub as well.
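The two-phase onboarding plan described above (create with the external address as primary, send the invite, then swap the addresses) and the company-to-groups mapping of the second script, as an added example that is not the author's GitHub code. It works offline on a constructed roster; the CSV column names, the internal mail domain, the alt_email field name (standing in for the custom attribute) and the group mapping are all assumptions, and the Duo API calls themselves are left to the caller.

```python
import csv
import io

# Constructed sample roster, not the real NOC sheet; column names are assumed.
ROSTER_CSV = """First Name,Last Name,Email,Company
Ada,Lovelace,ada.personal@example.org,Arista
Alan,Turing,alan.personal@example.org,Endace
Grace,Hopper,grace.personal@example.org,Arista
"""

INTERNAL_DOMAIN = "noc.example"  # assumed company mail domain
# Assumed department-to-groups dictionary, the "object/dictionary" of the second script.
GROUPS_BY_COMPANY = {
    "Arista": ["Arista Admins", "NOC Staff"],
    "Endace": ["Endace Users", "NOC Staff"],
}


def internal_email(first, last):
    """Build the company address that becomes the primary email after the invite."""
    local = f"{first}.{last}".lower().replace(" ", "")
    return f"{local}@{INTERNAL_DOMAIN}"


def plan_onboarding(csv_text, existing_usernames):
    """Return (create_bodies, swap_bodies) for roster users not already in Duo.
    Phase 1 bodies put the external address in the primary email so the invite
    reaches the user; phase 2 bodies swap the two addresses once it has been sent."""
    creates, swaps = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        company_mail = internal_email(row["First Name"], row["Last Name"])
        external = row["Email"].strip()
        if company_mail in existing_usernames:
            continue  # already in Duo: skip to avoid duplicates and API errors
        creates.append({
            "username": company_mail,
            "realname": f'{row["First Name"]} {row["Last Name"]}',
            "email": external,          # primary for now: where the invite goes
            "alt_email": company_mail,  # assumed custom attribute holding the other address
            "notes": row["Company"],
        })
        swaps.append({"username": company_mail, "email": company_mail, "alt_email": external})
    return creates, swaps


def missing_groups(company, current_groups):
    """Groups the user should be added to, given the groups they are already in."""
    wanted = GROUPS_BY_COMPANY.get(company, [])
    return [g for g in wanted if g not in set(current_groups)]
```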
Black Hat is the cybersecurity industry's most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit the Black Hat website.
We'd love to hear what you think! Ask a question and stay connected with Cisco Security on social media.