In this article we will go over how to set up Single Sign-On (SSO):
Note: If you get stuck at any point, try Duo support. They are very helpful and have wonderful documentation. If you are still having trouble, please don't hesitate to contact us here at Rhombus Support.
- A Recovery User is a user account in your organization which bypasses SAML once SSO is enabled.
- It is recommended to leave 2 Super User accounts as Recovery Users when enabling SSO, to ensure you have a way of logging in and disabling SSO in the event SAML encounters errors.
- Enabling a user account as a Recovery User is done during the SSO configuration process.
- Any user with a Blue Checkmark will be a Recovery User.
- When finished, select OK.
1. From Duo, set up an Identity Provider (IdP) by navigating to the SSO tab (pictured below), and then following Duo's setup instructions in their Duo SSO article.
For our setup we followed the Duo SAML IdP walkthrough with Microsoft Azure AD.
If you don't have Azure, Duo offers walkthroughs for G Suite and for your own SAML IdP setup as well.
If you would like to set up through Active Directory, Duo provides a walkthrough for that as well.
2. Next we need to create a Generic SAML application in Duo. Navigate to the Application tab on the left side of the Duo admin panel (pictured below).
3. Click on the 'Protect an Application' button on the upper right
4. In the search bar type 'Generic Service Provider' and click 'Protect' with the Protection Type labeled '2FA with SSO hosted by Duo'
5. Scroll down to the 'Settings' portion and in the 'Name' section enter 'Rhombus Systems'
6. Under the 'Service Provider' heading, enter the Entity ID and ACS URL values (copied from the Rhombus SSO page).
Note: To enter the ACS URL within Duo you need to click under the 'URL*' column header, as the entry field is hidden.
Under the 'SAML Response' heading, select the 'NameID Format' noted below, set 'NameID attribute' to '<Email Address>', and then check the box labeled 'Sign assertion' in the 'Signing options*' field.

| Setting | Value |
| --- | --- |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
7. Still within the 'SAML Response' heading, make sure 'Signature algorithm*' is set to SHA256.
8. Still within the 'SAML Response' heading, enter the attributes below in the 'Map attributes' section:

| IdP Attribute | SAML Response Attribute |
| --- | --- |
9. Next scroll all the way to the bottom and hit the 'Save' button
10. Scroll up to the top of the page and click 'Download XML' in the 'Downloads' section.
11. Open the downloaded file which should be named 'Rhombus Systems - IDP Metadata.xml' in a text editor of your choosing
Suggested text editors based on operating system:
- Mac: TextEdit
- Windows: Notepad
- Linux: Vim
12. Copy the contents of the XML file and paste it inside the 'IDP MetaData XML' text box on the Rhombus SSO page within the Rhombus console.
13. Turn on the 'Use Single Sign-On' and 'Just-In-Time User Creation' toggle buttons
14. Hit save in the upper right corner and you are good to go!
Note: Duo does not currently offer an option to omit the Microsoft login, but is working on this feature.