Anyone have any success with getting Duo and VSA working together. I have been able to get VSA and Okta to work, but not Duo. Any feedback is appreciated.
We currently can use Okta to sign into the VSA. Are you using MFA with okta?
Are you using SWA or SAML with Okta?
We are using Duo for our MFA currently, I was tempted to add Okta if need be to solve our issue, however would prefer one solution if we could.
I was told by Kaseya that you had to use AA and could not use anything else.. Is that not the case.. What version of the VSA are you running?
Using 9.5, followed this saml-doc.okta.com/.../How-to-Configure-SAML-2.0-for-Kaseya.html and Okta works so it appears it works. However, is it supported? that may be another matter.
Yeap it is working for us as well.. We have been using Okta for SSO for over a year now with our end user base.. The problem is that the VSA is not forcing users to sign in via SSO so users can go right to the vsa login page and sign in.. we want to stop that altogether but Kaseya is saying we have to have AA to make that part work and dump Okta.
Yeah that was what I was afraid of, we are leaving AA due to many issues with the platform.
can confirm that DUO/Okta/etc. are all compatible with SSO. its all using the same protocols. however has someone above mentioned, nothing is stopping a user from going straight to the VSA URL to log in. at this time only AA integrates for MFA on the VSA itself...with OTP only.
we are using AAoD and while we do like it, we certainly feel it isnt getting the attention it needs or deserves.
Just curious - did you guys remove the local accounts after setting up SAML? The login page should redirect to your identity provider where 2FA will be enforced. Local accounts are unneeded at that point.
How does it know to send them to 2fa page
That's basically the sole purpose of SAML. Login should ultimately redirect to Okta or Duo or whatever you are using. Pretty much all of us had our own IdP up until Kaseya acquired ScorpionSoft. I think it is ridiculous that Kaseya doesn't officially support other providers. That "strategy" is very, very lame.
So if i remove the local account, how does VSA know what role or scope to assign?
Provisioning and authentication will be two different things. I'll try to jog my memory on what we used to have to do. I recall having to modify a file somewhere to tell Kaseya to redirect authentication to a third-party and I don't see any mention of that in the previously posted Okta article. It also looks like Kaseya has deliberately removed older articles pertaining to competitor SSO solutions from the web.
You cannot delete the user accounts, they are needed.
Has any one tried checking the box "Enable Single Sign on to Kaseya" from the AuthAnvil menu? You will need to also put the Reply to URL in for your idP/SSO provider along with the certificate..
We use AA, so I have no way to test, but I think this is what forces the SSO.