惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
V2EX - 技术
V2EX - 技术
P
Privacy & Cybersecurity Law Blog
T
The Exploit Database - CXSecurity.com
美团技术团队
WordPress大学
WordPress大学
博客园 - 司徒正美
S
Securelist
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - Franky
Attack and Defense Labs
Attack and Defense Labs
Security Latest
Security Latest
L
LINUX DO - 最新话题
NISL@THU
NISL@THU
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
腾讯CDC
Y
Y Combinator Blog
The Hacker News
The Hacker News
Security Archives - TechRepublic
Security Archives - TechRepublic
IT之家
IT之家
T
Threatpost
Hugging Face - Blog
Hugging Face - Blog
Scott Helme
Scott Helme
S
SegmentFault 最新的问题
Cyberwarzone
Cyberwarzone
C
Cisco Blogs
阮一峰的网络日志
阮一峰的网络日志
U
Unit 42
B
Blog
Microsoft Azure Blog
Microsoft Azure Blog
P
Proofpoint News Feed
小众软件
小众软件
V
Vulnerabilities – Threatpost
J
Java Code Geeks
V
Visual Studio Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
A
Arctic Wolf
博客园 - 【当耐特】
Microsoft Security Blog
Microsoft Security Blog
S
Security @ Cisco Blogs
雷峰网
雷峰网
Help Net Security
Help Net Security
The Last Watchdog
The Last Watchdog
Recent Announcements
Recent Announcements
G
Google Developers Blog
C
CERT Recently Published Vulnerability Notes
T
Troy Hunt's Blog
MyScale Blog
MyScale Blog

The Duo Blog

Identity orchestration & cloud-native IAM: Time to rethink | Cisco Duo Active Directory security: how to stop modern threats | Cisco Duo Continuous identity security explained | Cisco Duo Salesforce The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin Token theft, vendor abuse, and the new identity threat surface How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo Passwordless authentication without cookies: Duo Push updates Introducing Duo Agentic Identity Solving the double prompt: Better UX with AMR in Duo SSO Simplify compliance with MFA, device trust, and policies Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer Cisco Secures 125K user identities with Duo while advancing passwordless journey NIST AAL2/3 compliance with Duo Mobile Proximity Verification From protocol to practice: Secure the AI agent ecosystem with Duo How to secure the holidays & prep your 2026 IAM strategy Simplify MSP technician authentication with Duo Delegated Access Standing out in a crowded MSP market Securing for third-party risk with Duo for identity management Thwarting adversary-in-the-middle attacks with Proximity Verification OAuth 2.0's next chapter: Enabling the AI security revolution The dawn of a simpler, helpful policy experience
Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo
Colin Medfisch · 2026-07-06 · via The Duo Blog

Partnership

Colin Medfisch headshot

4 minute read

Duo is joining PlainID's IDP Authorizer program. Your tokens are about to get smarter.

The problem: static tokens in a dynamic world

When a user authenticates through an IdP, the resulting token carries claims that downstream applications use to make access decisions. In most enterprise environments today, those claims are static. They reflect what was mapped at configuration time, not what the user should actually be able to do right now.

A user whose role changed this morning still carries yesterday's entitlements in their token. An employee who moved from Engineering to Sales still has access to developer tools until someone manually updates the IdP mapping. The token does not know what changed, it only knows what was configured.

Organizations that have invested in dedicated authorization engines like PlainID have already solved the "what can this user do" problem. They have policies, context, and real-time evaluation. But that investment only pays off if the IdP can call out to the authorization engine at token issuance time and inject those decisions as claims.

Duo has not supported this pattern. Until now.

Duo joins PlainID's IDP Authorizer program

We are partnering with PlainID to bring deeper dynamic authorization to Duo's access flows. Duo is joining PlainID's IDP Authorizer program, which means PlainID customers can use Duo as their identity provider without giving up fine-grained, policy-driven token enrichment.

PlainID evaluates authorization policies at authentication time and returns claims that Duo injects into the token before it reaches the application. Applications get context-aware access decisions without needing their own integration to PlainID.

How it works

The integration is powered by a new capability in Duo: Inline Hooks. These are synchronous callout points in Duo's token issuance pipeline that let external services enrich tokens and assertions with dynamic claims.

  1. A user authenticates through Duo SSO

  2. Before token issuance, Duo calls PlainID with user and session context

  3. PlainID evaluates its authorization policies and responds with claims to include

What we are delivering

The integration starts with token enrichment and assertion modification:

  • Token Inline Hooks: Enrich OIDC/OAuth tokens with dynamic claims from PlainID at issuance time

  • SAML Assertion Inline Hooks: Modify SAML assertions with dynamic attributes before signing

External Authorization Hooks, which route runtime permit/deny decisions to PlainID for use cases like MCP tool access, will follow as the platform matures.

The underlying hook platform is engine-agnostic by design. PlainID is our first partner and validates the pattern, but the contract works with any HTTP-based policy decision point.

Why this matters

For teams running PlainID today: You no longer need to choose between Duo and your authorization investment. Duo handles identity. PlainID handles what users can do. The hook connects them at the moment it matters most.

For teams migrating to Duo: Token extensibility has been a blocker for some organizations. With this integration, that blocker is going away.

For teams planning for AI agents: As agents interact with enterprise systems, authorization decisions get more complex, not less. Having PlainID's policy engine available during Duo authentication flows means those decisions can be made consistently whether a human or an agent is requesting access.

Timeline

Token and SAML Assertion Inline Hooks are entering Alpha (limited availability with select design partners for validation and feedback) soon. We will be working with design partners to validate the integration before broader availability.

This is early, and we are sharing it now because the partnership is real, the architecture is taking shape, and we want to hear from teams who have been waiting for this.

Get involved

This integration expands on Duo’s list of hundreds of technology partnerships. You can learn more about our complete ecosystem of integrations at ecosystem.duo.com.

If you are interested in participating as a design partner, or if PlainID integration has been a factor in your identity strategy, reach out to your Duo contact today and get connected with the Duo Product team.