Duo Push Approvals

Users can now approve secret access requests and workflows using Duo push notifications. The push notification includes information, displayed on the user's screen, that helps the approver make the access decision.

Important Duo Security Certificate Authority Changes

This temporary section includes important information that may affect your access to Secret Server. Please read it carefully.

Cisco Duo is replacing its root certificate authority (CA) bundle. The impact on you depends on the application type configured in your Duo Admin Panel. Follow the steps below:

Determine your Application Type

In the Duo Admin Panel, go to Applications > Applications and check the Application Type column.

Application Type Action
Delinea Secret Server or Thycotic Secret Server Minimal—Duo granted an automatic extension until March 31, 2026
Auth API, Web SDK, or other custom application Urgent—authentication failures may begin February 2, 2026

If You Have a Published Secret Server

Secret Server uses Windows certificate validation, not embedded certificate pinning. Secret Server Cloud integrations require no changes. Secret Server On-Premises integrations continue to function as long as the web server receives regular Windows Updates to maintain current root CA certificates.

If You Have a Custom Application

Administrators using custom applications, such as Auth API or Web SDK, must take one of the following actions to avoid authentication failures:

  • Either contact Duo (support@duo.com) to request an extension.
  • Or switch to the published Delinea Secret Server application in the Duo Admin Panel, and update the credentials in Secret Server at Admin > Configuration > Login > Duo.

Key Dates

Date Event
February 2, 2026 Intermittent authentication failures begin for custom applications
March 31, 2026 Duo rotates CA roots; servers with outdated root certificates fail to connect

For details, see Duo's knowledge base article.

Prerequisites

To use Duo push notifications:

  • Duo must set up for Secret Server. See Duo Security Authentication.
  • Duo user must be set up for Duo two-factor authentication. See Duo Security Authentication.
  • The permission "Approve via DUO" must be granted to a role that is assigned to a group that includes all who will be approving requests via Duo. This allows enough flexibility so that those not wanting Duo push approvals can be configured to not receive them.

Assigning the Duo Approval Permission

To associate the permission with users:

  1. Search for Roles.

  2. Click the Create Role button to create a new role. Name it "Duo Push Approver" or another name of your choosing.

  3. Assign the Approve Via DUO Push permission to the new role.

  4. Click the Save button.

  5. If you choose to create a separate group for approvers, do this by navigating to Access > Groups.

  6. Click the Create Group button to create a new group.

  7. Add the desired users (chosen approvers) to that group.

    You can also assign users to the group later. This method is a shortcut when creating a group.

  8. Click the Save button.

  9. Go to the page for the newly created group.

  10. Click the Roles tab.

  11. Click the Edit Roles button.

  12. click the Scope dropdown list to select Unassigned.

  13. Click to select the DUO Push Approver role.

  14. Click the Save button. Setup is now complete.

In addition to having the role you created, the user must be properly set up to receive Duo push notifications. See Duo Security Authentication.
Any notifications will all be sent out at the same time, and the first response (approve or deny) will be the determinant response. A non-response will not result in either an approve or deny response.