In this article, we will cover the following:
Single Sign-On with DUO
Note: If you get stuck at any point, try Duo support. They are very helpful and have wonderful documentation. If you are still having trouble, please don't hesitate to contact us here at Rhombus Support.
Single Sign-On, or SSO, is a way to sync sign-on across multiple applications allowing you to log in to all applications with one user account and password.
Recovery Users
A "Recovery User" is a user account in your organization which bypasses SAML once enabled.
Note: It is recommended to have at least two Super User Accounts as Recovery Users when enabling SSO to ensure you have a method of logging in and disabling SSO in the event SAML encounters errors.
Enabling a user account as a Recovery User is done during the SSO configuration process.
Setup
1. In Duo, set up an Identity Provider (IdP) by navigating to the SSO tab (pictured below) and following the setup instructions in Duo's SSO article.
For our setup, we followed the Duo SAML IdP walkthrough with Microsoft Azure AD.
If you don't have Azure, they offer walkthroughs for Gsuite, and your own SAML IdP setup as well.
If you would like to set up through an AD, Duo provides walkthroughs for Active Directory as well.
2. Next, create a Generic SAML application in Duo. Navigate to the Applications tab on the left side of the Duo admin panel (pictured below).
3. Click on the "Protect an Application" button on the upper right.
4. In the search bar type "Generic Service Provider" and click "Protect" with the "Protection Type" labeled as "2FA with SSO hosted by Duo."
5. Scroll down to the "Settings" portion and in the "Name" section enter "Rhombus Systems."
6. In the "Service Provider" heading enter the Entity ID and ACS URL credentials (from Rhombus SSO).
| Setting | Value |
| --- | --- |
| ACS URL | https://console.rhombussystems.com/saml/SSO |
| Entity ID | com:rhombussystems:saml:sp |
| Signed Response | Required |
| Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
In the "SAML Response" heading select the correct "NameID Format" noted below with the "NameID attribute" specified as "<Email Address>," and then check the box labeled "Sign assertion" in the "Signing options*" field.
Note: To enter the ACS URL within Duo, click under the "URL*" column header; the entry field is hidden until you click it.
7. Still within the "SAML Response" heading, make sure "Signature algorithm*" is set to SHA256.
8. Still within the "SAML Response" heading, enter the following attributes in the "Map attributes" section:
| IdP Attribute | SAML Response Attribute |
| --- | --- |
| <First Name> | FirstName |
| <Last Name> | LastName |
9. Next scroll all the way to the bottom and hit the "Save" button.
10. Scroll up to the top of the page and click on the "Download XML" in the "Downloads" section.
11. Open the downloaded file which should be named "Rhombus Systems - IDP Metadata.xml" in a text editor of your choosing.
Suggested text editors based on different operating systems:
- Mac: TextEdit
- Windows: Notepad
- Linux: Vim
Mac example:
12. Copy the contents of the xml file and paste it inside the "IDP MetaData XML" text box on the Rhombus SSO page within the Rhombus Console.
13. Turn on the "Use Single Sign-On" and "Just-In-Time User Creation" toggle buttons.
14. Lastly, hit "Save" in the upper right corner and you are good to go!
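As an added example (not Rhombus or Duo code), the script below checks a SAML Response against the Service Provider settings entered in steps 6 through 8: the Destination must be the ACS URL, the Audience must be the Entity ID, the assertion must carry a signature using rsa-sha256, the NameID must use the emailAddress format, and the FirstName and LastName attributes must be mapped. The sample response is constructed for the example and is not a real Duo capture; the check is structural only and does not cryptographically verify the XML signature, which the Rhombus console does with the certificate from the IdP metadata you pasted in step 12.

```python
"""Structural sanity check of a SAML Response against the Duo Service Provider
settings from this guide. Added example, not Rhombus or Duo code; it does NOT
verify the XML signature cryptographically."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values from the guide's Service Provider table and SAML Response settings.
ACS_URL = "https://console.rhombussystems.com/saml/SSO"
ENTITY_ID = "com:rhombussystems:saml:sp"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
REQUIRED_ATTRS = ("FirstName", "LastName")


def check_saml_response(xml_text: str) -> list:
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["document root is not a samlp:Response"]

    # Destination must be the ACS URL the IdP was told to post to.
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is %r, expected %r" % (root.get("Destination"), ACS_URL))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion found"]

    # "Sign assertion" in Duo means a ds:Signature directly under the Assertion.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg != RSA_SHA256:
            problems.append("signature algorithm is %r, expected rsa-sha256" % alg)

    # The AudienceRestriction must name our SP Entity ID.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append("Audience %r does not include %r" % (audiences, ENTITY_ID))

    # NameID must use the emailAddress format the console expects.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != NAMEID_FORMAT:
        problems.append("NameID missing or not in emailAddress format")

    # Mapped attributes from step 8: FirstName and LastName.
    present = {a.get("Name") for a in assertion.findall(
        "saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if name not in present:
            problems.append("attribute %r not in AttributeStatement" % name)
    return problems


# Constructed sample response (not a real Duo capture) reflecting a correct setup.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"
    Destination="%s" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="%s">
      <ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID Format="%s">jane@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % (NS["samlp"], NS["saml"], ACS_URL, NS["ds"], RSA_SHA256, NAMEID_FORMAT, ENTITY_ID)

# Negative case: SHA-1 signature algorithm and a mis-mapped first-name attribute.
BAD_RESPONSE = GOOD_RESPONSE.replace(
    RSA_SHA256, "http://www.w3.org/2000/09/xmldsig#rsa-sha1").replace("FirstName", "GivenName")

if __name__ == "__main__":
    print("good:", check_saml_response(GOOD_RESPONSE) or "OK")
    print("bad: ", check_saml_response(BAD_RESPONSE))
```

Run it against a response captured from your own browser (for example via the browser's developer tools on the POST to the ACS URL) to confirm the Duo side matches the values above before turning on the "Use Single Sign-On" toggle; keep a Recovery User logged in while you do so.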
Final Product
Note: Duo does not currently offer an option to omit the Microsoft login, but they are working on this feature.
Helpful Links
Contact Support or Sales
Have more questions? Contact Rhombus Support at +1 (877) 746-6797 option 2 or support@rhombus.com.
Interested in learning more? Contact Rhombus Sales at +1 (877) 746-6797 option 1 or sales@rhombus.com.