Update Duo Universal SDK and Duo Client dependencies in the Duo Security connector to address CA bundle concern

[vfraga]

Current Limitation

Cisco Duo certificate authority (CA) bundle will expire on April 15, 2026; with soft cutoffs scheduled to February 2, 2026.

Our Duo Security connector relies on Duo Universal SDK and Duo Client for Java, which depends on CA certificate pinning to establish trust and successfully validate the TLS connection.

Failure to update the dependencies in the connector will lead to failed TLS handshakes.

Suggested Improvement

Duo has merged two PRs (see: Duo Universal SDK, Duo Client for Java) updating the pinned CA certificate. We must update the dependencies to the versions:

• Duo Universal SDK: 1.3.1
• Duo Client for Java: 0.7.1

Please select the area issue is related to

Authentication & Registration

Version

Duo Security 4.x, 3.x, 2.x, 1.x

Developer Checklist

• [Behavioural Change] Does this change introduce a behavioral change to the product?
•  ↳ Approved by team lead
•  ↳ Label impact/behavioral-change added
• [Migration Impact] Does this change have a migration impact?
•  ↳ Migration label added (e.g., 7.2.0-migration)
•  ↳ Migration issues created and linked
• [New Configuration] Does this change introduce a new configuration?
•  ↳ Label config added
•  ↳ Configuration is properly documented

[KD23243]

Fix has been released in the connector store, hence the issue is being closed [1].

[1] https://store.wso2.com/connector/identity-outbound-auth-duo