Further Contributors: David Keller
At Black Hat Europe 2024, Cisco Duo established itself because the multifactor authentication (MFA) and single sign-on (SSO) supplier for the Community Operations Middle (NOC), serving because the central software portal for NOC members to entry their functions by way of Duo Central. Through the Black Hat Europe present, we piloted Duo Listing and with the profitable testing there, we did a full deployment at Black Hat Asia 2025. Since this was earlier than the official launch, we couldn’t weblog concerning the IdP (Identification Supplier) portion of Duo but, nevertheless it was extraordinarily profitable within the personal preview, and we expanded the deployment from 20-30 customers in Asia to 100+ at Black Hat USA 2025.
Constructing on that basis, our deployment at Black Hat USA 2025 developed to ship a extra complete and safe identification and entry administration expertise for each customers and directors. Black Hat was the primary buyer of Duo Listing (checkout the announcement vidcast: See What Attackers Will Hate & Customers Will Love), with a profitable proof of worth at Black Hat Asia 2025 as a beta buyer). At Black Hat USA 2025, we expanded the SSO entry to Endace.
Whereas Duo beforehand functioned primarily as an MFA and SSO supplier, the introduction of Duo Listing in mid-2025 allowed us to take our person administration to the subsequent stage at Black Hat USA 2025. Duo’s intuitive IAM (Identification and Entry Administration) gave us management over main authentication, together with person password administration straight inside Duo. Leveraging the brand new World Enrollment Coverage, we required customers to set their passwords as a part of the usual Duo onboarding workflow, as seen within the screenshots beneath, simplifying the method and lowering friction for brand spanking new customers. Directors also can setup authentication to a different authentication supply in the event that they’d favor, moderately than utilizing an enrollment code, through the setup course of.
Group membership straight decided which functions appeared in Duo Central, making certain customers solely noticed the sources they have been approved to entry, eliminating confusion and enhancing safety.
Administrative Models, a web new addition to Black Hat USA 2025, was absolutely embraced by the NOC management. This enabled every NOC service supplier to handle their very own customers and functions independently. For instance, directors assigned to the “Arista” Administrative Unit might handle the “Arista Admins” group and configure the Arista software’s entry insurance policies and settings—empowering companions to implement zero belief entry for their very own sources.
Now, directors could possibly be restricted not solely by Administrative Unit but additionally by entry scope, equivalent to limiting their visibility to Reporting related to their functions and customers. For example, an Arista administrator with the Safety Analyst Position might handle Arista customers, whereas additionally viewing logs and studies, with out overreaching into different functions or person teams.
Right here’s a fast overview of the important thing enhancements:
| Function | Black Hat Europe | Again Hat Asia ’25 | Black Hat USA ’25 |
|---|---|---|---|
| Duo as IdP & SSO | No | Sure | Sure |
| Duo Listing | Examined/Piloted | Full authoritative supply | Full authoritative supply |
| World Enrollment Coverage | Required for onboarding | Required for onboarding | Required for onboarding |
| Admin Models & Roles | Wonderful-grained delegation | ||
| Identification Intelligence | Examined | Validated | Prolonged with reporting |
| Zero Belief Controls | Position-based | Position-based | Superior, Position-based |
By constructing on our expertise from Black Hat Asia 2025, we delivered a extra sturdy, versatile, and user-friendly identification expertise at Black Hat USA 2025. The mix of Duo Listing, group-based entry, and granular administrative controls enabled a real zero belief setting—one the place each accomplice had the autonomy and safety they wanted.
To be taught extra about our method and see the evolution from Asia to USA, take a look at the Black Hat Asia 2025: Identification Intelligence weblog put up.
Interested by how Cisco Duo might help your group obtain zero belief? Attain out or discover extra at Duo’s web site.
Duo Invitation Course of for the Black Hat NOC
The invitation course of for Duo with the Duo IdP isn’t the best to do when you’ve got a brand new person you’ll want to onboard. Ideally you’re utilizing their firm electronic mail deal with as the principle electronic mail of their Duo Listing account. But when it is a new individual, how do you invite them when they don’t have entry to their electronic mail? I needed to unravel this conundrum so I wouldn’t have to manually ship out electronic mail invitations to 100 new customers. One possibility is so as to add their telephone quantity to the profile and ship out an invitation through textual content. However this appears unprofessional and never official to a brand new worker.
That leaves sending out an invitation through electronic mail, however how for the reason that electronic mail would find yourself of their firm mailbox? So, I bought to creating a python script and doing a lot testing over a number of days. The very first thing I did was check if I might ship out an invitation to the exterior electronic mail deal with of the person after which change the e-mail to the corporate electronic mail deal with. Would this nonetheless permit the enrollment to happen?
The reply is sure! Enrollment can nonetheless occur if the e-mail deal with is modified. This gave me what I wanted to script out what I might do. I might get all of the customers, make a JSON physique that I might use with the Duo API, create the brand new customers with the corporate electronic mail in one other discipline in addition to the first, use their exterior electronic mail as the first, ship the invite out to the first electronic mail, then edit the person and swap the 2 emails to what it must be.
I used to be supplied with an excel file of everybody that was to be working within the NOC and so I first transformed that right into a CSV for simpler processing in python. Then utilizing the format given, I made a number of instance customers utilizing my very own electronic mail deal with and the + trick. Then I bought to coding.
I rip out the First Identify, Final Identify, electronic mail deal with, and firm the person has within the sheet, then construct an inside electronic mail deal with for every person. After that’s finished, I exploit the Duo API to examine if any of the customers exist already and take away them from the JSON, so they don’t trigger any errors or get duplicated. After this has been finished, I construct the JSON for every particular person person within the format Duo expects after which loop by way of them to get them created.
Be aware: You’ll be able to bulk create customers, however you can not set customized attributes utilizing the majority create. This is the reason I have to loop by way of the customers and create them individually, so a customized attribute can be utilized.
Because the person ID of every created person is returned from the API, I retailer them in a brand new JSON physique so I can return and alter their electronic mail addresses round later. After all of the customers are created, I exploit the Enrollment API to ship out the Duo invitations after which instantly replace their electronic mail from their exterior electronic mail to the corporate electronic mail.
After all of the customers have had their enrollment hyperlink despatched and their emails up to date, I then ship one other electronic mail to them explaining the enrollment course of and what to search for. You’ll be able to take a look at the code in Github. I’ve made the script a bit extra helpful for different individuals than for simply my very own use case, so go forward and use it, replace it, and customise it to your wants.
The second script I wanted to make was a solution to replace all of the customers’ teams. The second script will get all of the customers in Duo, checks the corporate/division they’re part of after which updates their teams based mostly on an object/dictionary with the all the proper teams they need to be in. Yow will discover that script in Github.
About Black Hat
Black Hat is the cybersecurity trade’s most established and in-depth safety occasion sequence. Based in 1997, these annual, multi-day occasions present attendees with the most recent in cybersecurity analysis, growth, and tendencies. Pushed by the wants of the neighborhood, Black Hat occasions showcase content material straight from the neighborhood by way of Briefings shows, Trainings programs, Summits, and extra. Because the occasion sequence the place all profession ranges and tutorial disciplines convene to collaborate, community, and talk about the cybersecurity subjects that matter most to them, attendees can discover Black Hat occasions in america, Canada, Europe, Center East and Africa, and Asia. For extra data, please go to the Black Hat web site.
We’d love to listen to what you suppose! Ask a query and keep linked with Cisco Safety on social media.
Cisco Safety Social Media
Share:
