Configure SSO with Duo
  • 1 Minute to read
  • PDF

Configure SSO with Duo

  • PDF

Article summary

About this document


This document provides a step-by-step procedure to configure SSO in SAFE with Duo.

Configure SSO with Duo


  1. Log in to your Duo Administration Console.
    Duo 1
  2. Navigate to the Applications tab and click Protect an Application from left navigation.
    Duo 2
  3. Search for Generic Service Provider. Based on the Authentication source in your Duo application, the system displays two options:
    1. If you see the Configure button on the right, it means that you haven’t configured an authentication source yet. Please follow the steps in the documentation to configure an authentication source.
    2. If you see the Protect button on the right, it means that you have already configured an authentication source and can proceed with protecting the SAFE application in Duo.

Protecting SAFE application in Duo


  1. Click on the Protect button on the right.
    Duo 3
  2. Directly scroll down to the Service Provider section.
    Duo 4
  3. In the Service Provider section, provide the below information:
    1. Entity ID: Select the correct entity id for your regional instance.
    2. Assertion Consumer Service (ACS) URL: Select the correct Reply URL for your regional instance.
    3. Single Logout URL: Leave as blank
    4. Service Provider Login URL: Leave as blank
    5. Default Relay State: Leave as blank
      Duo 5
  4. In the SAML Response section, provide the below information:
    1. NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    2. NameID attribute: Select <Email Address>.
    3. Signature algorithm: Select SHA256.
    4. Signing options: Select both the below options:
      1. Sign response
      2. Sign assertion
    5. Map attributes: Refer to the table for details.
    6. Create attributes: Leave as Blank.
    7. Role attributes: Leave as Blank.
    8. AttributeTransformations: Leave as Blank.
    9. Universal Prompt: No changes required.
      Duo 6
  5. In the Policy section, you can leave it as default or define it as required.
  6. In the Settings section, you can leave it as default or make changes such as Name, etc.
  7. Click on the Save button at the bottom of the page.
  8. After saving the application successfully, go back to the Downloads section and click on the Download XML to download the XMLMetadata file.
    Duo 7
  9. Now, create a service request to the SAFE support team with the SAML data (file downloaded above) to enable the SSO.

Map Attributes

IdP AttributeSAML Response Attribute
<Email Address>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
<First Name>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
<Last Name>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname






Was this article helpful?

What's Next