Enforce Zero Trust Security Policies for Public Applications integrated with Duo

  • Updated on

This section describes how to enforce Cloud Secure Edge (CSE) zero-trust security policies for public (SaaS) applications integrated with Duo. If instead you want your end users to use Duo SSO to authenticate into CSE, see configuring your Duo IdP to manage your directory of users.

As described in the Securing Public Applications overview, CSE secures SaaS applications with two independent techniques. They are alternatives or complements — use either on its own, or both together:

  • IdP Federation — route Duo authentication through CSE so device trust is validated at sign-in, across all applications behind Duo. The strongest control.

  • IP Allowlisting — require traffic to egress through CSE (Service Tunnel) before Duo or the application grants access. Lighter, per-application, and also works for apps not federated with Duo.