---
title: "Configure SSO with Duo"
slug: "configure-sso-with-duo"
updated: 2025-04-02T07:37:13Z
published: 2025-04-02T07:37:13Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.safe.security/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure SSO with Duo

## About this document

This document provides a step-by-step procedure to configure SSO in SAFE with Duo.

## Configure SSO with Duo

1. Log in to your **Duo Administration Console**.  
![Duo 1](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/image-1692607911507.png)
2. Navigate to the **Applications** tab and click **Protect an Application**from left navigation.  
![Duo 2](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Duo%202.png)
3. Search for **Generic Service Provider**. Based on the Authentication source in your Duo application, the system displays two options:
  1. If you see the **Configure** button on the right, it means that you haven’t configured an authentication source yet. Please follow the steps in the [documentation](https://duo.com/docs/sso#configure-your-authentication-source) to configure an authentication source.
  2. If you see the **Protect** button on the right, it means that you have already configured an authentication source and can proceed with protecting the SAFE application in Duo.

## Protecting SAFE application in Duo

1. Click on the **Protect** button on the right.  
![Duo 3](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Duo%203.png)
2. Directly scroll down to the **Service Provider** section.  
![Duo 4](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Duo%204.png)
3. In the **Service Provider**section, provide the below information:
  1. **Entity ID**: Select the correct entity id for [your regional instance](https://docs.safe.security/safe-4/docs/en/generic-sso-parameters?highlight=SAFE%20Specific%20SSO%20Parameters).
  2. **Assertion****Consumer****Service****(ACS) URL**: Select the correct Reply URL for [your regional instance](https://docs.safe.security/safe-4/docs/en/generic-sso-parameters?highlight=SAFE%20Specific%20SSO%20Parameters).
  3. **Single Logout URL**: Leave as blank
  4. **Service****Provider****Login****URL**: Leave as blank
  5. **Default Relay State**: Leave as blank  
![Duo 5](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Duo%205.png)
4. In the **SAML Response**section, provide the below information:
  1. **NameID format**: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  2. **NameID attribute**: Select <Email Address>.
  3. **Signature****algorithm**: Select SHA256.
  4. **Signing****options**: Select both the below options:
    1. Sign response
    2. Sign assertion
  5. **Map attributes**: Refer to the [table](/safe-4/docs/configure-sso-with-duo#map-attributes) for details.
  6. **Create****attributes**: Leave as Blank.
  7. **Role****attributes**: Leave as Blank.
  8. **Attribute****Transformations**: Leave as Blank.
  9. **Universal****Prompt**: No changes required.  
![Duo 6](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Duo%206.png)
5. In the **Policy** section, you can leave it as default or define it as required.
6. In the **Settings** section, you can leave it as default or make changes such as Name, etc.
7. Click on the **Save** button at the bottom of the page.
8. After saving the application successfully, go back to the **Downloads** section and click on the **Download XML** to download the **XML****Metadata** file.  
![Duo 7](https://cdn.document360.io/23dc20b8-a989-48c0-8653-f1d3e4abc734/Images/Documentation/Duo%207.png)
9. Now, create a [service request](https://safe-security.atlassian.net/servicedesk/customer/portal/11) to the SAFE support team with the SAML data (file downloaded above) to enable the SSO.

#### ****Map Attributes

| IdP Attribute | SAML Response Attribute |
| --- | --- |
| <Email Address> | [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress](http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) |
| <First Name> | [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname](http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname) |
| <Last Name> | [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname](http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname) |

## <meta charset="utf-8">