Overview
Single Sign-On is a way to sync sign-on across multiple applications, allowing you to log in to all applications with one user account and password.
Rhombus supports any SAML SSO (single sign-on) identity provider. This article covers how to configure SSO with DUO.
Single Sign-On with DUO
Note: If you get stuck at any point, contact Duo Support.
Recovery Users
A Recovery User is a user account in your organization that bypasses SAML once enabled.
Note: We recommend having at least two Super User Accounts as Recovery Users when enabling SSO to ensure you have a method of logging in and disabling SSO in the event SAML encounters errors.
Enabling a user account as a Recovery User is performed during the SSO configuration process in the Rhombus Console.
1. Log into the Rhombus Console, navigate to "Settings," and click "Single Sign-On."
2. Click the dropdown for "Single Sign-On" and select any of the options you wish to include.
- Select specific users as "Recovery Users." We recommend selecting at least two.
- Choose to enable Single Sign-On for the Rhombus Console and/or the Rhombus Key app.
- Enable Just-In-Time User Creation if desired. When enabled, it dynamically creates a Rhombus user account matching the SSO login email the first time that user logs into the console.
3. Click the dropdown menu that reads "Select SSO Recovery Users." Click the checkbox beside the users you wish to set as Recovery Users, and click "Save."
Setup
DUO Setup
1. Log in to DUO and navigate to the "Single Sign-On" tab. Set up an Identity Provider (IdP) and complete the instructions outlined in the DUO SSO article.
Note: DUO offers documentation for various configurations.
2. Next, create a Generic SAML application on DUO. Navigate to the "Applications" tab on the left side of the DUO admin panel.
3. Click the "Protect an Application" button in the upper right.
4. In the search bar, type "Generic Service Provider," and click "Protect," with the "Protection Type" labeled as "2FA with SSO hosted by DUO."
5. Scroll down to "Settings," and in the "Name" field, enter "Rhombus Systems."
6. Under the "Service Provider" heading, enter the "Entity ID" and "ACS URL" values (from Rhombus SSO).
| ACS URL | https://console.rhombus.com/saml/SSO |
| Entity ID | com:rhombus:saml:sp |
| Signed Response | Required |
| Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Under the "SAML Response" heading, select the "NameID Format" listed in the table above, with the "NameID attribute" specified as "<Email Address>," and then check the box labeled "Sign assertion" in the "Signing options" field.
Note: To enter the "ACS URL" entry within DUO, you need to click under the "URL" column header as the entry field is hidden.
7. Within the "SAML Response" heading, ensure the "Signature algorithm" is set to "SHA256."
8. Within the "SAML Response" heading, fill out the "Map attributes" section as shown below.
| IdP Attribute | SAML Response Attribute |
| <First Name> | FirstName |
| <Last Name> | LastName |
9. Scroll to the bottom of the page, and click "Save."
10. Scroll to the top of the page, and click "Download XML" in the "Downloads" section.
11. Open the downloaded file, which should be named "Rhombus Systems - IDP Metadata.xml," in a text editor of your choosing.
Suggested text editors based on different operating systems:
- Mac: TextEdit
- Windows: Notepad
- Linux: Vim
Rhombus Console Setup
1. Log in to the Rhombus Console, navigate to "Settings," and click "Single Sign-On."
2. Under the Single Sign-On dropdown menu, enter your team name and click the toggle beside "Use Single Sign-On for Rhombus Console." Enable "Just-In-Time User Creation."
3. Copy the contents of the XML file and paste them into the "IDP MetaData XML" text box on the Rhombus SSO page within the Rhombus Console.
4. Click "Save" in the upper-right.
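To confirm that a test login produces a response matching the settings in this article, the following added example (not part of the Rhombus or DUO documentation) checks a decoded SAML response against the ACS URL, Entity ID, NameID format, SHA256 signing, and attribute mapping listed above. It assumes standard SAML 2.0 element names; the function names and the sample response are constructed for illustration, and the check is structural only (it does not validate signatures).

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Expected values come from the Service Provider and "Map attributes" tables above.
ACS_URL = "https://console.rhombus.com/saml/SSO"
ENTITY_ID = "com:rhombus:saml:sp"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def check_response(xml_text):
    """List configuration problems in a decoded SAML response.
    Structural check only: it does NOT verify signatures cryptographically."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the ACS URL")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion found"]
    # The response and the assertion must each carry their own SHA256 signature.
    for label, node in (("response", root), ("assertion", assertion)):
        method = node.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None:
            problems.append(f"{label} is not signed")
        elif not method.get("Algorithm", "").lower().endswith("sha256"):
            problems.append(f"{label} signature is not SHA256")
    audiences = assertion.findall("a:Conditions/a:AudienceRestriction/a:Audience", NS)
    if ENTITY_ID not in [(a.text or "").strip() for a in audiences]:
        problems.append("Audience is not the Entity ID")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID Format is not emailAddress")
    names = {a.get("Name") for a in assertion.findall("a:AttributeStatement/a:Attribute", NS)}
    problems += [f"missing attribute {n}" for n in sorted({"FirstName", "LastName"} - names)]
    return problems

def sample_response(alg=SHA256_URI, attrs=("FirstName", "LastName"), sign_assertion=True):
    """Constructed, abbreviated response (no real signature values) for demonstration."""
    sig = ('<ds:Signature><ds:SignedInfo>'
           f'<ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo></ds:Signature>')
    attr_xml = "".join(f'<a:Attribute Name="{n}"><a:AttributeValue>x</a:AttributeValue></a:Attribute>'
                       for n in attrs)
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" xmlns:ds="{NS["ds"]}" '
            f'Destination="{ACS_URL}">{sig}<a:Assertion>{sig if sign_assertion else ""}'
            f'<a:Subject><a:NameID Format="{NAMEID_FORMAT}">user@example.com</a:NameID></a:Subject>'
            f'<a:Conditions><a:AudienceRestriction><a:Audience>{ENTITY_ID}</a:Audience>'
            '</a:AudienceRestriction></a:Conditions>'
            f'<a:AttributeStatement>{attr_xml}</a:AttributeStatement></a:Assertion></p:Response>')
```

An empty list from check_response means the response matches the settings in this article; each returned string names the DUO setting to revisit.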
Final Product
Note: As of now, DUO does not have an option to omit the Microsoft login, but is currently working on this feature.
Contact Support or Sales
Have more questions? Contact Rhombus Support at +1 (877) 746-6797 option 2 or support@rhombus.com.
Interested in learning more? Contact Rhombus Sales at +1 (877) 746-6797 option 1 or sales@rhombus.com.