[Legacy] Duo

This guide is for an older version of Kantega SSO Enterprise and is no longer maintained. New guides are here: https://kantega-sso.atlassian.net/l/c/rNTaTonz .

Prior to this guide, we have set up:

User syncing from a local Active Directory to https://duo.com/ using Duo Security Authentication Proxy
Duo Access Gateway running on https://dag.example.com/dag
Duo admin console: https://dag.example.com:8443/dag

Begin by adding a new identity Provider in KSSO, selecting “Duo” from the drop-down:

In the Prepare step, copy the ACS URL and save it for later (the ACS URL and Entity ID are identical)

Log in to the Duo administration console in a separate browser tab. Select Applications, then “Protect an Application”.

Search for SAML - Service Provider, then select “Protect this application”

Configure SAML Service Provider

Give the Service Provider a name
Paste the ACS URL from the KSSO “Prepare”-step into the following fields:
- Entity ID
- Assertion Consumer Service
- Service Provider Login URL (if you want IDP initiated login)
Press Save Configuration

Scroll down to Settings and choose a proper name to be displayed to Duo Push users. Then save the changes.

Download your configuration file. The JSON file is used when setting up issues.example.com in Duo Access Gateway.

Configure the application in Duo Admin Console

Log into Duo Access Gateway admin console (https://dag.example.com:8443/dag)
Select Applications
Select the .json-file downloaded from duo.com
Press Upload

Export metadata (optional)

If your JIRA server has direct access to the metadata from Duo Access Gateway you can skip to the next step (preferred)
If the JIRA server does not have access to the metadata URL, download the file.

Go back to the KSSO setup wizard. In the metadata import step, either:

Enter the metadata URL in the Metadata file published online field: https://dag.example.com/dag/saml2/idp/metadata.php (preferred)
Or upload the downloaded metadata file from the previous step
Press Next

On the Location step give the IDP a descriptive name. This will be shown to users when logging in. Press Next.

Review the imported signing certificate (this step is purely informational). Press next.

Select whether users already exist or if you wish to have users automatically created upon login.

To use JIT provisioning and automatically create users the first time they log in, Duo must be configured to send a Name and Email claim in addition to the user name attribute (not covered in this guide).

Press Next.

Review the summary, then press Finish.

You can now begin testing the Duo IDP.