Step 1: Configure Single Sign-On
The Duo SAML integration is unique in that it requires a third-party IDP to federate the authentication. This means that along with the connection credentials, you’ll also need to configure a Single Sign-On Authentication Source and a Cloud Application in your Duo Workspace.
You may use any Duo-supported IDP to handle the federated authentication. Since each IDP has its own way of setting up the SSO connection between Duo and the IDP, please refer to the documentation that Duo provides to configure a Duo SSO Connection.
Duo Single Sign-On Documentation
Step 2: Create a Cloud Application
After configuring the Duo SSO Connection with the IDP of your choice, the next step is to create a Cloud Application in Duo. This app will handle the connection with Duo.
Navigate to the Duo Admin Panel and click on Applications on the left sidebar. Click on the “Protect an Application” button.
Locate the entry for “Generic SAML Service Provider” with a protection type of “2FA with SSO hosted by Duo (Single Sign-On)” in the applications list. Click “Protect” to the far-right to start configuring “Generic Service Provider”.
Step 3: Upload Identity Provider Metadata
You will need to obtain the Metadata URL from Duo. The Metadata URL can be found in your application settings page within Duo.
Copy the Metadata URL and paste it into the “Identity Provider Metadata URL” field in Teaminal’s SSO settings page.
Step 4: Enter Service Provider Details
Next, you’ll begin to configure the Generic Service Provider settings, starting with the Entity ID.
Copy the “Metadata URL” field from Teaminal’s SSO settings page into the “Entity ID” field under the “Service Provider” section.
Next, copy the “Assertion Consumer URL” from Teaminal’s SSO settings page and paste into the “Assertion Consumer Service (ACS) URL” field.
You may leave the Single Logout URL, Service Provider Login URL, and Default Relay State fields empty.
Step 5: Configure SAML Response Settings
Scroll down on this page in Duo to the SAML Response section. Ensure that the selected NameID format corresponds to the identifier you’d like to use as the unique identifier, and that the NameID attribute matches the value you’d like to use. If you’re using email as the unique id, the options would look like the below.
Ensure the Signature algorithm is SHA256 and that the Signing options have both Sign response and Sign assertion selected.
Step 6: Configure the SAML Attributes
You’ll need to map the following user attributes: id, email, firstName, and lastName. In the Map Attributes section enter these on the right side under SAML Response Attribute. On the left side, click the empty field box and select the pre-populated values that look like e.g. “
You can map any values you like, but these four values are required in SAML responses. If your users don’t have a Last Name value for instance, you could map Display Name or any other value to lastName. The SAML response will be rejected if lastName is not included.
Ensure the Match attributes section of your Generic Service Provider Application Settings page in Duo aligns with the following.
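The requirements from Step 5 (SHA256 signature on both response and assertion, a populated NameID) and Step 6 (the four mapped attributes) can be checked against a SAML response before troubleshooting a rejected login. The following is an added example, not Teaminal’s or Duo’s code: it performs structural checks only on a constructed sample response (no cryptographic signature verification, which needs a real XML-DSig library), and assumes the attributes are emitted with exactly the names id, email, firstName and lastName.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
REQUIRED_ATTRS = {"id", "email", "firstName", "lastName"}  # Step 6 attribute names

def check_saml_response(xml_text):
    """Structural checks only; returns a list of findings (empty means the response
    matches the Step 5 / Step 6 settings). Signature values are NOT verified here."""
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["Assertion element missing"]
    # Step 5: both Response and Assertion must be signed, using RSA-SHA256
    for label, node in (("Response", root), ("Assertion", assertion)):
        method = node.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None:
            findings.append(f"{label} is not signed")
        elif method.get("Algorithm") != RSA_SHA256:
            findings.append(f"{label} signature algorithm is not RSA-SHA256")
    # Step 5: NameID carries the unique identifier and must not be empty
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID missing or empty")
    # Step 6: all four mapped attributes must be present, whatever values they carry
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    findings += [f"required attribute {n} missing" for n in sorted(REQUIRED_ATTRS - present)]
    return findings

def sample_response(attrs, sign_assertion=True):
    """Constructed sample response for testing; not a real Duo response."""
    sig = (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/>'
           '</ds:SignedInfo><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>')
    attr_xml = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
                       '</saml:AttributeValue></saml:Attribute>' for k, v in attrs.items())
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}">{sig}<saml:Assertion>{sig if sign_assertion else ""}'
            '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
            f'{attrs.get("email", "")}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    user = {"id": "u-1", "email": "jane@example.com", "firstName": "Jane", "lastName": "Doe"}
    print(check_saml_response(sample_response(user)))  # []
    print(check_saml_response(sample_response({k: v for k, v in user.items() if k != "lastName"})))
```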
Step 7: Save and Test
Click “Save” at the bottom of the page to save your settings. To test the connection, navigate to the applications page in Duo and try to log in to Teaminal.
If you have any issues, please reach out to [email protected] for support.