惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

雷峰网
雷峰网
宝玉的分享
宝玉的分享
I
InfoQ
P
Privacy International News Feed
V
V2EX
IT之家
IT之家
S
SegmentFault 最新的问题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V2EX - 技术
V2EX - 技术
C
CERT Recently Published Vulnerability Notes
C
Check Point Blog
The Register - Security
The Register - Security
爱范儿
爱范儿
博客园 - 三生石上(FineUI控件)
AWS News Blog
AWS News Blog
M
MIT News - Artificial intelligence
C
Cyber Attacks, Cyber Crime and Cyber Security
F
Fortinet All Blogs
B
Blog
N
Netflix TechBlog - Medium
B
Blog RSS Feed
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Last Week in AI
Last Week in AI
T
Threatpost
Forbes - Security
Forbes - Security
U
Unit 42
A
Arctic Wolf
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recorded Future
Recorded Future
L
Lohrmann on Cybersecurity
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Proofpoint News Feed
月光博客
月光博客
Spread Privacy
Spread Privacy
MongoDB | Blog
MongoDB | Blog
Jina AI
Jina AI
I
Intezer
V
Visual Studio Blog
阮一峰的网络日志
阮一峰的网络日志
The Hacker News
The Hacker News
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
LangChain Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园_首页
MyScale Blog
MyScale Blog
腾讯CDC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
量子位

The Duo Blog

Identity orchestration & cloud-native IAM: Time to rethink | Cisco Duo Active Directory security: how to stop modern threats | Cisco Duo Continuous identity security explained | Cisco Duo Salesforce The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin Token theft, vendor abuse, and the new identity threat surface How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo Passwordless authentication without cookies: Duo Push updates Introducing Duo Agentic Identity Solving the double prompt: Better UX with AMR in Duo SSO Simplify compliance with MFA, device trust, and policies Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer Cisco Secures 125K user identities with Duo while advancing passwordless journey NIST AAL2/3 compliance with Duo Mobile Proximity Verification From protocol to practice: Secure the AI agent ecosystem with Duo How to secure the holidays & prep your 2026 IAM strategy Simplify MSP technician authentication with Duo Delegated Access Standing out in a crowded MSP market Securing for third-party risk with Duo for identity management Thwarting adversary-in-the-middle attacks with Proximity Verification OAuth 2.0's next chapter: Enabling the AI security revolution The dawn of a simpler, helpful policy experience
Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo
Colin Medfisch · 2026-07-06 · via The Duo Blog

Partnership

Colin Medfisch headshot

4 minute read

Duo is joining PlainID's IDP Authorizer program. Your tokens are about to get smarter.

The problem: static tokens in a dynamic world

When a user authenticates through an IdP, the resulting token carries claims that downstream applications use to make access decisions. In most enterprise environments today, those claims are static. They reflect what was mapped at configuration time, not what the user should actually be able to do right now.

A user whose role changed this morning still carries yesterday's entitlements in their token. An employee who moved from Engineering to Sales still has access to developer tools until someone manually updates the IdP mapping. The token does not know what changed, it only knows what was configured.

Organizations that have invested in dedicated authorization engines like PlainID have already solved the "what can this user do" problem. They have policies, context, and real-time evaluation. But that investment only pays off if the IdP can call out to the authorization engine at token issuance time and inject those decisions as claims.

Duo has not supported this pattern. Until now.

Duo joins PlainID's IDP Authorizer program

We are partnering with PlainID to bring deeper dynamic authorization to Duo's access flows. Duo is joining PlainID's IDP Authorizer program, which means PlainID customers can use Duo as their identity provider without giving up fine-grained, policy-driven token enrichment.

PlainID evaluates authorization policies at authentication time and returns claims that Duo injects into the token before it reaches the application. Applications get context-aware access decisions without needing their own integration to PlainID.

How it works

The integration is powered by a new capability in Duo: Inline Hooks. These are synchronous callout points in Duo's token issuance pipeline that let external services enrich tokens and assertions with dynamic claims.

  1. A user authenticates through Duo SSO

  2. Before token issuance, Duo calls PlainID with user and session context

  3. PlainID evaluates its authorization policies and responds with claims to include

What we are delivering

The integration starts with token enrichment and assertion modification:

  • Token Inline Hooks: Enrich OIDC/OAuth tokens with dynamic claims from PlainID at issuance time

  • SAML Assertion Inline Hooks: Modify SAML assertions with dynamic attributes before signing

External Authorization Hooks, which route runtime permit/deny decisions to PlainID for use cases like MCP tool access, will follow as the platform matures.

The underlying hook platform is engine-agnostic by design. PlainID is our first partner and validates the pattern, but the contract works with any HTTP-based policy decision point.

Why this matters

For teams running PlainID today: You no longer need to choose between Duo and your authorization investment. Duo handles identity. PlainID handles what users can do. The hook connects them at the moment it matters most.

For teams migrating to Duo: Token extensibility has been a blocker for some organizations. With this integration, that blocker is going away.

For teams planning for AI agents: As agents interact with enterprise systems, authorization decisions get more complex, not less. Having PlainID's policy engine available during Duo authentication flows means those decisions can be made consistently whether a human or an agent is requesting access.

Timeline

Token and SAML Assertion Inline Hooks are entering Alpha (limited availability with select design partners for validation and feedback) soon. We will be working with design partners to validate the integration before broader availability.

This is early, and we are sharing it now because the partnership is real, the architecture is taking shape, and we want to hear from teams who have been waiting for this.

Get involved

This integration expands on Duo’s list of hundreds of technology partnerships. You can learn more about our complete ecosystem of integrations at ecosystem.duo.com.

If you are interested in participating as a design partner, or if PlainID integration has been a factor in your identity strategy, reach out to your Duo contact today and get connected with the Duo Product team.