PlainID and Cisco Duo: Real-Time Authorization at SSO Sign-In

PlainID and Cisco Duo: Real-Time Authorization at SSO Sign-In

PlainID and Cisco Duo are partnering to bring real-time authorization into Duo SSO. When a user signs in, Duo now calls PlainID during token issuance, PlainID evaluates policy against the live session, and Duo issues a token that already carries the right access decisions. The application receives it and acts on it without needing its own integration to PlainID.

The Static Token Problem Every Identity Team Knows

Tokens issued at authentication carry the claims that downstream applications rely on to decide what a user can do. In most enterprises, those claims sit static. Someone mapped them at configuration time, so they trail behind the user’s real authorization state, which shifts with role, context, and data sensitivity.

PlainID customers already solved that on the runtime side. The policies exist, the contextual signals feed in, and the engine evaluates decisions in real time. The IdP just had no clean way to consult those policies at the exact moment it mints the token. The Duo integration closes that gap.

What the PlainID and Duo Integration Actually Does

Duo built a new capability called Inline Hooks. Inline Hooks are synchronous callout points inside Duo’s token issuance pipeline, and they let external services enrich tokens and SAML assertions with dynamic claims before the application ever sees them.

The flow runs in four steps:

  1. A user authenticates through Duo SSO.
  2. Before issuing the token, Duo calls PlainID with the user and session context.
  3. PlainID evaluates the relevant policies and returns the claims to include.
  4. Duo mints the enriched token and passes it to the application.

The application receives a token that already reflects the current authorization decision, so teams skip the round-trip back to PlainID and skip the client-side integration work that used to come with it.

Two capabilities land in the first release. Token Inline Hooks enrich OIDC and OAuth tokens with dynamic claims from PlainID at issuance. SAML Assertion Inline Hooks modify SAML assertions with dynamic attributes before signing. External Authorization Hooks, which route runtime permit and deny decisions to PlainID for use cases like MCP tool access, come next as the integration matures.

Why Duo Chose to Integrate with PlainID

Duo designed Inline Hooks to be engine-agnostic, and chose PlainID as the first integration partner. The choice puts real weight behind a pattern PlainID has been advocating for years, which is that authentication and authorization are distinct disciplines, and the cleanest architecture keeps them separate while connecting them at the token.

So for PlainID customers running Duo, the two now work in concert. Duo owns identity, PlainID owns what users and agents can do, and the Inline Hook does the handshake at the moment the token gets issued.

What This Means for Regulated Enterprises

Regulators keep asking one question. Who accessed what, under what conditions, and what policy justified letting them in. Static IdP tokens make that hard to evidence, because the claims inside them reflect configuration from weeks ago, not the policy state at the moment of access.

PlainID evaluates the policy at issuance time, so the token reflects the current authorization state, and every decision lands in PlainID’s audit log written in language the audit committee can read.

For teams working through DORA, NIS2, or the next round of internal audit, this shifts the work from reconstructing a decision after the fact to evidencing it directly.

What This Means for Teams Securing Agentic AI

Agents ride on human identity but make their own runtime access decisions. A support agent built on MCP might call three internal tools inside one session, and each call needs a separate decision keyed to the user’s role, the agent’s intent, and the sensitivity of the data it wants to read or write.

PlainID already governs those decisions across the agent flow, from the prompt through data retrieval, tool invocation, and the response. Bringing the Duo authentication event into the same policy model means human identity and non-human identity fall under one policy engine. What the user delegates to the agent, and what the agent then does, come from the same source of truth.

Where the Identity Stack Is Heading

Gartner named the Authorization Management Platforms category in its 2025 Innovation Insight report for a reason. Authorization is moving out of individual applications and consolidating into a dedicated control plane. The Duo integration is one of the clearer expressions of that pattern in production.

It also arrives at a useful moment. CrowdStrike acquired SGNL in January 2026 and is folding authorization into Falcon. Ping launched Identity for AI in March 2026. Bundling has its place, but enterprises that want to keep their IdP choice open, and their authorization logic portable, need a runtime authorization platform that plugs into whichever identity stack they run. Cisco Duo and PlainID together give teams exactly that architecture.

Token Inline Hooks and SAML Assertion Inline Hooks are entering Alpha now. PlainID and Duo are working with design partners ahead of broader availability.

Talk to PlainID About the Duo Integration

If you run Duo SSO and PlainID, or if you have been evaluating either, the design partner program is open. Reach out to your PlainID account team, and we will walk through the architecture, the policy patterns already in production with Fortune 2000 customers, and what is coming next. Talk to the PlainID team now.


Related articles

How to Evaluate Enterprise Authorization Management Platforms for Complex Environments

How to Evaluate Enterprise Authorization Management Platforms for Complex Environments

Evaluating an enterprise authorization management platform comes down to six capabilities: centralized policy management, real-time…

Read more
PlainID Brings Google BigQuery’s Native Data Controls Into One Control Plane

PlainID Brings Google BigQuery’s Native Data Controls Into One Control Plane

PlainID’s Data Platform Authorizer Program expands to support Google Big Query in addition to Snowflake,…

Read more
Intent-Based Access Control for AI Agents

Intent-Based Access Control for AI Agents

Security and IAM leaders have a narrow window with agentic AI that they did not…

Read more