Configure Duo as an SSO source for the Command Platform

This article covers how to configure a Command Platform single sign-on (SSO) source for use with Duo.

Create the Command Platform application in Duo

If you haven’t already, you will need to create an application in Duo that will be configured with the Command Platform.

To create a new application in Duo:

  1. Navigate to the Duo Admin Portal.
  2. Select Applications.
  3. Select Protect an Application.
  4. Search for Generic Service Provider and select Protect for the option with the Protection Type 2FA with SSO hosted by Duo.

Configure the Command Platform

You can now add the Entity ID and Single Sign-On URL provided by Duo to configure the Command Platform:

  1. Under the Metadata section in Duo, click Copy beside the field labeled Entity ID.
  2. In the section on the Command Platform titled Provide the required fields from your IdP, paste the Entity ID into the corresponding field.
  3. Repeat this step for the Single Sign-On URL.

Now that you are finished with the Metadata section in Duo, move on to the certificate.

Download Duo certificate

In the Downloads section, click Download Certificate.

Add Duo certificate to the Command Platform

After downloading the Duo certificate, navigate to the Command Platform:

  1. From the left menu of the Platform Home page, click the Administration link.
  2. In the left menu of the Administration page, click Settings.
  3. Click the SSO Settings tab in the Authentication Settings section.
  4. Under the section titled Add your IdP Certificate, drag and drop your IdP certificate or click the Browse button to search for it on your local machine.

Add Service Provider metadata to Duo

In the Service Provider section of your cloud application in Duo, you now need to enter the Entity ID, ACS URL, and Default Relay State provided by the Command Platform:

  1. From the Command Platform section titled Copy the following data into your external IdP, click Copy beside the field labeled Assertion Consumer Service (ACS) URL.
  2. Paste this into the corresponding field in Duo.
  3. Repeat this for the Entity ID field.
  4. Finally, repeat this for the Default Relay State field.

Configure the SAML response in Duo

To configure the SAML response in Duo:

  1. Set the NameID format to emailAddress.
  2. Set the NameID attribute to <Email Address>.
  3. Select both the Sign response and Sign assertion check boxes.
  4. In the Map attributes section, add <Email Address> as an IdP Attribute. Under SAML Response Attribute, enter Email.
  5. Add <First Name> as an IdP Attribute. Under SAML Response Attribute, enter FirstName.
  6. Add <Last Name> as an IdP Attribute. Under SAML Response Attribute, enter LastName.

This completes the Duo configuration with settings from the Command Platform. Before clicking Save at the bottom of the screen, you can name your Duo Cloud Application.

Set up a default access profile

A default access profile allows you to define the products and roles that are automatically assigned to new users provisioned in Duo. See our default access profile documentation for instructions.

Group Synchronization

Group Synchronization allows you to control user group assignment from within your IdP.

This capability is made possible by including an attribute in your SAML response labelled rbacGroups that contains the name(s) of the Command Platform User Groups for each user. Your users will be automatically assigned to the corresponding groups in the Command Platform and will inherit the product, role, and resource access associated with those groups.

⚠️ With Group Sync enabled, IdP users will be removed from any Command Platform groups not included in their SAML assertion. IdP users will retain any roles or permissions assigned directly to them, including those from a default access profile.
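To make the attribute mapping from the "Configure the SAML response in Duo" section and the Group Synchronization rule above concrete, here is an added example in Python; it is not code from Rapid7 or Duo. It parses a constructed SAML assertion carrying the NameID (emailAddress format), the Email, FirstName and LastName attributes, and an rbacGroups attribute, checks that the mapping matches what this page asks for, and computes the membership changes that the Group Sync rule implies. The function names, the sample assertion and the assumption that an asserted group name which does not exist on the platform is ignored rather than created are this example's own.

```python
"""
Added example (not Rapid7's or Duo's code). Parses a constructed SAML assertion,
checks the attribute mapping this page configures in Duo, and applies the
Group Synchronization rule: membership becomes exactly the rbacGroups values.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# NameID format the page tells you to select in Duo.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion. A real one carries a valid XML signature; the
# ds:Signature here is a placeholder so the structural check below has
# something to find.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example" Version="2.0">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="rbacGroups">
      <saml:AttributeValue>SOC Analysts</saml:AttributeValue>
      <saml:AttributeValue>Vuln Mgmt</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (NameID value, NameID format, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    # Structural pre-check only: an unsigned assertion is rejected outright.
    # Cryptographic verification against the IdP certificate uploaded to the
    # platform is what makes these attributes trustworthy; it is not done here.
    if root.find("ds:Signature", NS) is None:
        raise ValueError("assertion is not signed")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id.text, name_id.get("Format"), attrs


def validate_mapping(xml_text):
    """Check the mapping this page asks for; return a list of problems (empty = OK)."""
    name_id, fmt, attrs = parse_assertion(xml_text)
    problems = []
    if fmt != EMAIL_FORMAT:
        problems.append("NameID format is %r, expected emailAddress" % fmt)
    for required in ("Email", "FirstName", "LastName"):
        if not attrs.get(required):
            problems.append("missing SAML response attribute %s" % required)
    if attrs.get("Email") and attrs["Email"][0] != name_id:
        problems.append("Email attribute does not match NameID")
    return problems


def sync_groups(xml_text, current_groups, existing_groups):
    """Apply the Group Sync rule for one user.

    Returns (add, remove, unknown): groups to add the user to, groups to remove
    the user from (anything not in the assertion), and asserted names that do
    not exist on the platform (assumption: ignored rather than created).
    """
    _, _, attrs = parse_assertion(xml_text)
    asserted = set(attrs.get("rbacGroups", []))
    unknown = asserted - set(existing_groups)
    wanted = asserted & set(existing_groups)
    current = set(current_groups)
    return sorted(wanted - current), sorted(current - wanted), sorted(unknown)


if __name__ == "__main__":
    print("mapping problems:", validate_mapping(SAMPLE_ASSERTION))
    print("group changes:", sync_groups(SAMPLE_ASSERTION,
                                        ["Vuln Mgmt", "Legacy Admins"],
                                        ["SOC Analysts", "Vuln Mgmt", "Legacy Admins"]))
```

Running the block shows the point of the warning above: a user currently in "Legacy Admins" is removed from it because that group is absent from the rbacGroups values, while direct role assignments are untouched because the function only deals with group membership.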

Configure user groups

As Group Synchronization requires the use of Command Platform User Groups, it is important that you have configured your groups before activating it. Read our Command Platform User Groups documentation for details on how to do this.