Configure Duo as an SSO source for the Command Platform
This article covers how to configure a Command Platform single sign-on (SSO) source for use with Duo.
Create the Command Platform application in Duo
If you haven’t already, you will need to create an application in Duo that will be configured with the Command Platform.
To create a new application in Duo:
- Navigate to the Duo Admin Portal.
- Select Applications.
- Select Protect an Application.
- Search for Generic Service Provider and select Protect for the option with the Protection Type 2FA with SSO hosted by Duo.
Configure the Command Platform
You can now add the Entity ID and Single Sign-On URL provided by Duo to configure the Command Platform:
- Under the Metadata section in Duo, click Copy beside the field labeled Entity ID.
- In the section on the Command Platform titled Provide the required fields from your IdP, paste the Entity ID into the corresponding field.
- Repeat this step for the Single Sign-On URL.
Now that you are finished with the Metadata section in Duo, move on to the certificate.
Download Duo certificate
In the Downloads section, click Download Certificate.
Add Duo certificate to the Command Platform
After downloading the Duo certificate, navigate to the Command Platform:
- From the left menu of the Platform Home page, click the Administration link.
- In the left menu of the Administration page, click Settings.
- Click the SSO Settings tab in the Authentication Settings section.
- Under the section titled Add your IdP Certificate, drag and drop your IdP certificate or click the Browse button to search for it on your local machine.
Add Service Provider metadata to Duo
In the Service Provider section of your cloud application in Duo, you now need to enter the Entity ID, ACS URL, and Default Relay State provided by the Command Platform:
- From the Command Platform section titled Copy the following data into your external IdP, click Copy beside the field labeled Assertion Consumer Service (ACS) URL.
- Paste this into the corresponding field in Duo.
- Repeat this for the Entity ID field.
- Finally, repeat this for the Default Relay State field.
Configure the SAML response in Duo
To configure the SAML response in Duo:
- Set the NameID format to emailAddress.
- Set the NameID attribute to <Email Address>.
- Select both the Sign response and Sign assertion check boxes.
- In the Map attributes section, add <Email Address> as an IdP Attribute. Under SAML Response Attribute, enter Email.
- Add <First Name> as an IdP Attribute. Under SAML Response Attribute, enter FirstName.
- Add <Last Name> as an IdP Attribute. Under SAML Response Attribute, enter LastName.
This completes the Duo configuration with settings from the Command Platform. Before clicking Save at the bottom of the screen, you can name your Duo Cloud Application.
Set up a default access profile
A default access profile allows you to define the products and roles that are automatically assigned to new users provisioned in Duo. See our default access profile documentation for instructions.
Group Synchronization
Group Synchronization allows you to control user group assignment from within your IdP.
This capability works by including an attribute labelled rbacGroups in your SAML response that contains the name(s) of the Command Platform User Groups for each user. Your users will be automatically assigned to the corresponding groups in the Command Platform and will inherit the product, role, and resource access associated with those groups.
With Group Sync enabled, IdP users will be removed from any Command Platform groups not included in their SAML assertion. IdP users will retain any roles or permissions assigned directly to them, including those from a default access profile.
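The following is an added example, not Rapid7 or Duo code, that checks a captured SAML response against the settings described in the Configure the SAML response in Duo section and the rbacGroups attribute described above: both signatures present, NameID in emailAddress format, the Email, FirstName and LastName attributes mapped, and the group list extracted. The response XML is a constructed sample; signature elements are checked for presence only, and a SAML library must verify them cryptographically.

```python
# Added example (not Rapid7 or Duo code): check that a SAML response carries
# what the Command Platform expects from Duo. The XML below is a constructed
# sample; signatures are checked for presence only, not verified.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED = ("Email", "FirstName", "LastName")

# Constructed sample of a Duo response after the attribute mapping on this page.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature/>
 <saml:Assertion><ds:Signature/>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="LastName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="rbacGroups"><saml:AttributeValue>SOC Analysts</saml:AttributeValue>
    <saml:AttributeValue>Vuln Mgmt</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""


def check_response(xml_text):
    """Return {'problems': [...], 'attrs': {name: [values]}, 'groups': [...]}."""
    root = ET.fromstring(xml_text)
    problems, attrs = [], {}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"problems": ["no Assertion"], "attrs": attrs, "groups": []}
    # Both check boxes on the page, Sign response and Sign assertion, selected.
    if root.find("ds:Signature", NS) is None:
        problems.append("response not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append("missing attribute " + name)
    # Group Sync: each rbacGroups value names a Command Platform User Group;
    # groups absent from this list are removed from the user at sign-in.
    return {"problems": problems, "attrs": attrs, "groups": attrs.get("rbacGroups", [])}
```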
Configure user groups
Because Group Synchronization requires Command Platform User Groups, configure your groups before activating it. Read our Command Platform User Groups documentation for details on how to do this.
Users local to the Rapid7 Command Platform
If you purchased or trialed Rapid7 products, you may have several local users that can sign in to the Command Platform through insight.rapid7.com. These users will retain the ability to sign in this way until they authenticate using SSO.
- Local users will lose their ability to sign in through insight.rapid7.com after they authenticate using SSO for the first time, but will retain their existing direct access (such as with product and role assignment).
- Users managed by your IdP cannot be converted back to local users.
Local users and IdP users can be differentiated within the User Management section of Command Platform Administration, as IdP users will have a circled user badge beside their name.
Rapid7 recommends keeping at least one local Platform Administrator user to support external IdP configuration or troubleshooting.
You can still configure password policies for your users.
- If you choose to apply an MFA policy to the Command Platform in addition to an IdP MFA policy, users may be prompted to authenticate twice when accessing the Command Platform from the IdP.
- If you choose to apply a password policy, note that local users will encounter an authentication error when their Command Platform password expires. If this occurs, reset the Command Platform password at the insight.rapid7.com credential prompt.