Configure Duo as an SSO source for the Insight Platform

This article covers how to configure an Insight Platform single sign-on (SSO) source for use with Duo.

Create the Insight Platform application in Duo

If you have not already done so, create an application in Duo that will be paired with the Insight Platform.

To create a new application in Duo:

  1. Navigate to the Duo Admin Portal.
  2. Select Applications.
  3. Select Protect an Application.
  4. Search for Generic Service Provider and select Protect for the option with the Protection Type 2FA with SSO hosted by Duo.

Configure the Insight Platform

You can now add the Entity ID and Single Sign-On URL provided by Duo to configure the Insight Platform:

  1. Under the Metadata section in Duo, click Copy beside the field labeled Entity ID.
  2. In the section on the Insight Platform titled Provide the required fields from your IdP, paste the Entity ID into the corresponding field.
  3. Repeat this step for the Single Sign-On URL.

Now that you are finished with the Metadata section in Duo, move on to the certificate.

Download Duo certificate

In the Downloads section, click Download Certificate.

Add Duo certificate to the Insight Platform

After downloading the Duo certificate, navigate to the Insight Platform:

  1. Click the SSO Settings tab in Company Settings.
  2. Under the section titled Add your IdP Certificate, drag and drop your IdP certificate or click the Browse button to search for it on your local machine.

Add Service Provider metadata to Duo

In the Service Provider section of your cloud application in Duo, you now need to enter the Entity ID, ACS URL, and Default Relay State provided by the Insight Platform:

  1. From the Insight Platform section titled Copy the following data into your external IdP, click Copy beside the field labeled Assertion Consumer Service (ACS) URL.
  2. Paste this into the corresponding field in Duo.
  3. Repeat this for the Entity ID field.
  4. Finally, repeat this for the Default Relay State field.

Configure the SAML response in Duo

To configure the SAML response in Duo:

  1. Set the NameID format to emailAddress.
  2. Set the NameID attribute to <Email Address>.
  3. Select both the Sign response and Sign assertion check boxes.
  4. In the Map attributes section, add <Email Address> as an IdP Attribute. Under SAML Response Attribute, enter Email.
  5. Add <First Name> as an IdP Attribute. Under SAML Response Attribute, enter FirstName.
  6. Add <Last Name> as an IdP Attribute. Under SAML Response Attribute, enter LastName.

This completes the Duo configuration with settings from the Insight Platform. Before clicking Save at the bottom of the screen, you can name your Duo Cloud Application.

Set up a default access profile

A default access profile allows you to define the products and roles that are automatically assigned to new users provisioned in Duo. See our default access profile documentation for instructions.

Group Synchronization

Group Synchronization allows you to control user group assignment from within your IdP.

This capability is made possible by including an attribute in your SAML response labelled rbacGroups that contains the name(s) of the Insight Platform User Groups for each user. Your users will be automatically assigned to the corresponding groups in the Insight Platform and will inherit the product, role, and resource access associated with those groups.

With Group Sync enabled, IdP users will be removed from any Insight Platform groups not included in their SAML assertion. IdP Users will retain any roles or permissions assigned directly to them, including those from a default access profile.
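The SAML response settings above (NameID format emailAddress, signed response and assertion, the Email, FirstName and LastName attributes) and the rbacGroups attribute used by Group Synchronization can be checked before users are cut over. The following is an added example written for this article, not Rapid7 or Duo code: it parses a constructed sample SAML Response (placeholder user, placeholder signature values), reports any mapping that does not match the settings described, and applies the Group Sync rule that an IdP user's group membership becomes exactly the set named in rbacGroups. It checks XML structure only; it does not verify the XML signatures or the Duo certificate.

```python
"""Checker for the SAML Response shape the Insight Platform SSO source expects.

Hypothetical example constructed for this article; it is not Rapid7 or Duo code.
It inspects structure only (NameID format, attribute names, presence of
Signature elements) and does not validate the signatures themselves.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# SAML Response Attribute names from the Map attributes section in Duo.
REQUIRED_ATTRS = ("Email", "FirstName", "LastName")

# Constructed sample response: placeholder user and placeholder signature values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="rbacGroups">
        <saml:AttributeValue>SOC Analysts</saml:AttributeValue>
        <saml:AttributeValue>Vuln Management</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Extract NameID, its Format, all attributes, and whether Signature elements exist."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in Response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        # rbacGroups may carry several values; keep every attribute as a list.
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
    }


def check_response(xml_text):
    """Return a list of findings; an empty list means the mapping matches the settings above."""
    parsed = parse_response(xml_text)
    findings = []
    if parsed["name_id_format"] != EMAIL_FORMAT:
        findings.append("NameID format is not emailAddress")
    email_values = parsed["attributes"].get("Email") or [None]
    if parsed["name_id"] != email_values[0]:
        findings.append("NameID does not match the Email attribute")
    for name in REQUIRED_ATTRS:
        if not parsed["attributes"].get(name):
            findings.append(f"missing SAML Response Attribute {name}")
    if not parsed["response_signed"]:
        findings.append("Response is not signed")
    if not parsed["assertion_signed"]:
        findings.append("Assertion is not signed")
    return findings


def reconcile_groups(current_groups, asserted_groups):
    """Group Sync rule: the user's groups become exactly those named in rbacGroups."""
    current, asserted = set(current_groups), set(asserted_groups)
    return {"add": sorted(asserted - current), "remove": sorted(current - asserted)}


if __name__ == "__main__":
    print("findings:", check_response(SAMPLE_RESPONSE) or "none")
    groups = parse_response(SAMPLE_RESPONSE)["attributes"]["rbacGroups"]
    print("group changes:", reconcile_groups(["Legacy Group", "SOC Analysts"], groups))
```

Run it against a response captured from a browser SAML trace for a test user before enabling Group Sync; the reconcile output shows which existing group memberships the sync would remove, while roles assigned directly to the user (including from a default access profile) are untouched by this rule.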

Configure user groups

As Group Synchronization requires the use of Insight Platform User Groups, it is important that you have configured groups before activating. Read our Insight Platform User Groups documentation for details on how to do this.

Users local to the Insight Platform

If you purchased or trialed Rapid7 products, you may have several local users that can sign in to the Insight Platform through insight.rapid7.com. These users will retain the ability to sign in this way until they authenticate using SSO.

  • Local users will lose their ability to sign in through insight.rapid7.com after they authenticate using SSO for the first time, but will retain their existing direct access (such as with product and role assignment).
  • Users managed by your IdP cannot be converted back to local users.

Local users and IdP users can be differentiated within the User Management section of the Insight Platform, as IdP users will have a circled user badge beside their name.

Difference between IdP and Local users

Rapid7 recommends keeping at least one local Platform Administrator user to support external IdP configuration or troubleshooting.

You can still configure password and MFA policies for your users.

  • If you choose to apply an MFA policy to the Insight Platform in addition to an IdP MFA policy, users may be prompted to authenticate twice when accessing the Insight Platform from the IdP.
  • If you choose to apply a password policy, note that local users will encounter an authentication error when their Insight Platform password expires. If this occurs, reset the Insight Platform password at the insight.rapid7.com credential prompt.