--- title: Provisioning Duo with PingOne description: Provision Duo with PingOne. component: pingone page_id: pingone:integrations:p1_provisioning_connection_duo canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_provisioning_connection_duo.html revdate: May 13, 2026 section_ids: provisioning-capabilities: Provisioning capabilities before-you-begin: Before you begin steps: Steps result: Result: validation: Validation duo-directory-attributes: Duo directory attributes duo-provisioning-known-limitations: Duo provisioning known limitations --- # Provisioning Duo with PingOne Duo is a cloud-based security platform that provides multi-factor authentication (MFA) and access protection. By using the Duo connection in PingOne, you can provision users, groups, and memberships between Duo and PingOne. ## Provisioning capabilities The following table summarizes the inbound and outbound provisioning capabilities for each resource type: | Resource | Capability | Description | Inbound | Outbound | | ---------- | -------------- | ------------------------------------------------------------ | ------- | -------- | | User | Create | Generates a new user record in the destination. | Yes | Yes | | | Read | Retrieves or polls user attributes for synchronization. | Yes | Yes | | | Update | Modifies existing attributes, such as `job title`. | Yes | Yes | | | Delete | Deletes a user or temporarily suspends an account. | Yes | Yes | | Group | Create | Provisions a new group in the target application. | No | Yes | | | Rename | Updates the display name or identifier of an existing group. | No | Yes | | | Delete | Removes a group from the target application. | No | Yes | | Membership | Add and remove | Adds or removes users from groups. | No | Yes | ## Before you begin Make sure that you have: * A Duo administrative account. Learn more in [Duo](https://signup.duo.com/). * The following from your Duo account: * **API Host** * **Integration Key** * **Secret Key** * Users assigned to a specific population or group in PingOne designated for Duo provisioning. Learn more in [Adding a user in PingOne](../directory/p1_adduser.html) and [Managing groups](../directory/p1_managing_groups.html). ## Steps 1. Create a Duo connection: 1. In the PingOne admin console, go to **Integrations > Provisioning**. 2. Click **[icon: plus, set=fa]**and then click **New Connection**. 3. Click **Select** for **Identity Store**. 4. Click **Select** for the **Duo** connection, and click **Next**. 5. Enter a **Name** and **Description** for this provisioning connection. 6. Click **Next**. 7. []()In the **Configure Authentication** section, enter the following configurations from your Duo account: | Field | Example | | ------------------- | ------------------------------------------ | | **API Host** | `api-6c03959e.duosecurity.com` | | **Integration Key** | `DIBCOIMTSBAGBE9T7GT6` | | **Secret Key** | `E0TPcSrM2fu4juV6fN295dvSiu9QpRxAwAWq0xHD` | 8. Click **Test Connection** to verify that PingOne can establish a connection to the Duo resource. ### Result: If there are any issues with the connection, a **Test Connection Failed** modal opens. Click **Next** to resume the setup with an invalid connection. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | You can't use the connection for provisioning until you've established a valid connection to Duo. If the connection fails, click **Cancel** in the **Test Connection Failed** modal, verify that you've entered the configuration details in [step g](#p1_configure_authentication_step) correctly, and try again. | 9. Click **Next**. 10. In the **User Actions** section, select the following as needed: | Field | Description | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **Enable users creation** | Creates a user in the target identity store when the user is created in the source identity store. | | **Enable users updation** | Updates user attributes in the target identity store when the user is updated in the source identity store.If **Enable users updation** is selected, you can choose to select **Enable users disable**, which disables a user in the target identity store when the user is disabled in the source identity store. | | **Enable users deprovision** | Deprovisions a user in the target identity store when the user is deprovisioned in the source identity store. If **Enable users deprovision** is selected, the following options appear:- **Remove Action**: Removes or disables a user in the target identity store when the user is deleted in the source identity store. Select **Delete** or **Disable**. Remove Action is only available if you select Enable users disable. - **Deprovision on rule deletion**: Deprovisions users if the associated provisioning rule is deleted. | 11. Click **Save**. 12. To enable the connection, click the toggle at the top of the details panel to the right (blue). | | | | - | ------------------------------------------------------------------------- | | | You can disable the connection by clicking the toggle to the left (gray). | 2. Create an [inbound](p1_create_provisioning_rule_inbound.html) or [outbound](p1_create_provisioning_rule_outbound.html) rule and select the existing Duo connection as the target or source. You can optionally add [attribute mappings](#duo-directory-attributes). For an outbound rule, you can use the following example attribute mappings as a starting point. | PingOne Directory | Duo | | ----------------- | ---------- | | `Username` | `username` | | `Email Address` | `email` | | `Primary Phone` | `phones` | | `Enabled` | `enabled` | | `Given Name` | `realname` | ## Validation Confirm users and groups are successfully provisioned to Duo. View the [sync status](p1_view_sync_status.html) to review synchronization results and any errors. You can find examples in [Outbound provisioning sync summary examples](p1_outbound_group_provisioning_sync_summary_examples.html). ## Duo directory attributes The following table lists common Duo attributes that can be mapped for user provisioning: | Attribute | Description | | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | | `username` | The Duo username for the user. | | `email` | The user's primary email address. | | `phones` | The primary telephone number for the user. | | `enabled` | Indicates whether the Duo user account is enabled. | | `realname` | The user's display or real name in Duo. | | `userType` | Determines the type of user created. You must specify either user or admin for this attribute. Any other value causes the sync to fail. | ## Duo provisioning known limitations The following limitations apply to Duo provisioning: * Currently, inbound group provisioning or group membership synchronization from Duo to PingOne isn't supported. * After an attribute value is synchronized to Duo, it can't be cleared. The value can only be updated to a new value. * When a user record is updated or deleted, the connection automatically removes any unused phone numbers. This automatic cleanup can't be turned off.