惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
人人都是产品经理
人人都是产品经理
IT之家
IT之家
Cyberwarzone
Cyberwarzone
T
Troy Hunt's Blog
有赞技术团队
有赞技术团队
阮一峰的网络日志
阮一峰的网络日志
T
Threat Research - Cisco Blogs
S
SegmentFault 最新的问题
Apple Machine Learning Research
Apple Machine Learning Research
G
GRAHAM CLULEY
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 叶小钗
Last Week in AI
Last Week in AI
C
CERT Recently Published Vulnerability Notes
The Hacker News
The Hacker News
Jina AI
Jina AI
T
Tor Project blog
V
Vulnerabilities – Threatpost
酷 壳 – CoolShell
酷 壳 – CoolShell
Spread Privacy
Spread Privacy
博客园_首页
C
Cybersecurity and Infrastructure Security Agency CISA
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Simon Willison's Weblog
Simon Willison's Weblog
Security Latest
Security Latest
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - 司徒正美
V2EX - 技术
V2EX - 技术
I
Intezer
The Cloudflare Blog
Cisco Talos Blog
Cisco Talos Blog
SecWiki News
SecWiki News
博客园 - 【当耐特】
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
L
Lohrmann on Cybersecurity
Scott Helme
Scott Helme
Google Online Security Blog
Google Online Security Blog
量子位
The Last Watchdog
The Last Watchdog
AI
AI
Application and Cybersecurity Blog
Application and Cybersecurity Blog
S
Security Affairs
P
Palo Alto Networks Blog
S
Secure Thoughts
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Attack and Defense Labs
Attack and Defense Labs

The Duo Blog

Active Directory security: how to stop modern threats | Cisco Duo Continuous identity security explained | Cisco Duo Salesforce The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin Token theft, vendor abuse, and the new identity threat surface How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo Passwordless authentication without cookies: Duo Push updates Introducing Duo Agentic Identity Solving the double prompt: Better UX with AMR in Duo SSO Simplify compliance with MFA, device trust, and policies Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer
Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo
Colin Medfisch · 2026-07-06 · via The Duo Blog

Partnership

Colin Medfisch headshot

4 minute read

Duo is joining PlainID's IDP Authorizer program. Your tokens are about to get smarter.

The problem: static tokens in a dynamic world

When a user authenticates through an IdP, the resulting token carries claims that downstream applications use to make access decisions. In most enterprise environments today, those claims are static. They reflect what was mapped at configuration time, not what the user should actually be able to do right now.

A user whose role changed this morning still carries yesterday's entitlements in their token. An employee who moved from Engineering to Sales still has access to developer tools until someone manually updates the IdP mapping. The token does not know what changed, it only knows what was configured.

Organizations that have invested in dedicated authorization engines like PlainID have already solved the "what can this user do" problem. They have policies, context, and real-time evaluation. But that investment only pays off if the IdP can call out to the authorization engine at token issuance time and inject those decisions as claims.

Duo has not supported this pattern. Until now.

Duo joins PlainID's IDP Authorizer program

We are partnering with PlainID to bring deeper dynamic authorization to Duo's access flows. Duo is joining PlainID's IDP Authorizer program, which means PlainID customers can use Duo as their identity provider without giving up fine-grained, policy-driven token enrichment.

PlainID evaluates authorization policies at authentication time and returns claims that Duo injects into the token before it reaches the application. Applications get context-aware access decisions without needing their own integration to PlainID.

How it works

The integration is powered by a new capability in Duo: Inline Hooks. These are synchronous callout points in Duo's token issuance pipeline that let external services enrich tokens and assertions with dynamic claims.

  1. A user authenticates through Duo SSO

  2. Before token issuance, Duo calls PlainID with user and session context

  3. PlainID evaluates its authorization policies and responds with claims to include

What we are delivering

The integration starts with token enrichment and assertion modification:

  • Token Inline Hooks: Enrich OIDC/OAuth tokens with dynamic claims from PlainID at issuance time

  • SAML Assertion Inline Hooks: Modify SAML assertions with dynamic attributes before signing

External Authorization Hooks, which route runtime permit/deny decisions to PlainID for use cases like MCP tool access, will follow as the platform matures.

The underlying hook platform is engine-agnostic by design. PlainID is our first partner and validates the pattern, but the contract works with any HTTP-based policy decision point.

Why this matters

For teams running PlainID today: You no longer need to choose between Duo and your authorization investment. Duo handles identity. PlainID handles what users can do. The hook connects them at the moment it matters most.

For teams migrating to Duo: Token extensibility has been a blocker for some organizations. With this integration, that blocker is going away.

For teams planning for AI agents: As agents interact with enterprise systems, authorization decisions get more complex, not less. Having PlainID's policy engine available during Duo authentication flows means those decisions can be made consistently whether a human or an agent is requesting access.

Timeline

Token and SAML Assertion Inline Hooks are entering Alpha (limited availability with select design partners for validation and feedback) soon. We will be working with design partners to validate the integration before broader availability.

This is early, and we are sharing it now because the partnership is real, the architecture is taking shape, and we want to hear from teams who have been waiting for this.

Get involved

This integration expands on Duo’s list of hundreds of technology partnerships. You can learn more about our complete ecosystem of integrations at ecosystem.duo.com.

If you are interested in participating as a design partner, or if PlainID integration has been a factor in your identity strategy, reach out to your Duo contact today and get connected with the Duo Product team.