# Duo

**Overview**

This guide walks you through configuring Duo Single Sign-On (SSO) with a Security Assertion Markup Language (SAML) Identity Provider (IdP). It uses Azure Active Directory (Azure AD) as the example IdP, but the steps are similar for other providers such as Okta and ADFS.

**Step 1: Create SAML Source in Duo SSO**

If you don't have a SAML source set up in Duo SSO yet, create a new one and share the following information with us so that we can proceed with the configuration:

* **Entity ID**: The unique identifier used by your IdP to recognize the Duo application.
* **Assertion Consumer Service (ACS) URL**: The endpoint where your IdP sends the SAML authentication responses.
* **Audience Restriction**: The identifier of the service provider (Duo) that the audience in the IdP's SAML response must match.
* **Metadata URL**: The URL where the IdP can retrieve Duo’s metadata to automatically configure the SSO connection.

<figure><img src="https://2804394160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD9Htw9DUg294GuYmAyyj%2Fuploads%2Fgit-blob-a878aac62c0ea8e14f230c4e6321db4f650b5e79%2FCleanShot%202024-08-13%20at%2000.19.36%402x.png?alt=media" alt=""><figcaption><p>Create new SSO SAML source</p></figcaption></figure>

<figure><img src="https://2804394160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD9Htw9DUg294GuYmAyyj%2Fuploads%2Fgit-blob-6050430426b6ea851946a7cf164004e8b2e73167%2FCleanShot%202024-08-13%20at%2000.04.38%402x.png?alt=media" alt=""><figcaption><p>Duo SAML details</p></figcaption></figure>

**Step 2: Create a SAML Application in Azure AD**

1. **Log in to Azure AD:**
   * Sign in to the [Azure portal](https://portal.azure.com) using your administrator credentials.
2. **Register a New Application:**
   * Navigate to **Azure Active Directory > Enterprise applications**.
   * Click on **New application**.
   * Select **Create your own application**.
   * Provide a name for the application and choose **Integrate any other application you don't find in the gallery (Non-gallery)**.<br>

     <figure><img src="https://2804394160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD9Htw9DUg294GuYmAyyj%2Fuploads%2Fgit-blob-6a0cb6c252eb52ee023d9506c1291a0e6b700830%2FCleanShot%202024-08-13%20at%2000.25.05%402x.png?alt=media" alt=""><figcaption></figcaption></figure>
3. **Set Up SAML-based SSO:**
   * Under the application’s settings, go to **Single sign-on**.
   * Choose **SAML** as the single sign-on method.<br>

     <figure><img src="https://2804394160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD9Htw9DUg294GuYmAyyj%2Fuploads%2Fgit-blob-3354cca9293ec85973847f2cbfc196b2646a477a%2FCleanShot%202024-08-13%20at%2000.27.41%402x.png?alt=media" alt=""><figcaption></figcaption></figure>
4. **Basic SAML Configuration:**
   * Fill in the following fields:
     * **Identifier (Entity ID)**: Enter the **Entity ID** value from **Step 1**.
     * **Reply URL (Assertion Consumer Service URL)**: Enter the **Assertion Consumer Service (ACS) URL** from **Step 1**.
     * **Sign on URL**: Leave this blank unless Duo provides a specific value.
5. **User Attributes & Claims:**
   * Ensure the required claims are set up. Typically, you should configure:
     * **NameID**: Set this to the user’s email address or another unique identifier.
     * **FirstName**: Given name of the user.
     * **LastName**: Surname of the user.<br>

       <figure><img src="https://2804394160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD9Htw9DUg294GuYmAyyj%2Fuploads%2Fgit-blob-67ad88bb436c6c5692bd2afd519e5c4b198bc2c1%2FCleanShot%202024-08-13%20at%2000.39.04%402x.png?alt=media" alt=""><figcaption></figcaption></figure>
6. **SAML Signing Certificate:**
   * Edit **Token signing certificate**, then download the PEM certificate.<br>

     <figure><img src="https://2804394160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD9Htw9DUg294GuYmAyyj%2Fuploads%2Fgit-blob-00a2f5fb1f1e9edf34e4bb1bbb8ca37858e358a8%2FCleanShot%202024-08-13%20at%2000.46.15%402x.png?alt=media" alt=""><figcaption></figcaption></figure>

     <figure><img src="https://2804394160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD9Htw9DUg294GuYmAyyj%2Fuploads%2Fgit-blob-907d9d8da6a154ce59f62236ab12a8ad9cc4f068%2FCleanShot%202024-08-13%20at%2000.44.39%402x.png?alt=media" alt=""><figcaption></figcaption></figure>

**Step 3: Configure Duo Single Sign-On**

* Fill in the following fields in Duo with the values from Azure:
  * **Entity ID:** Enter the **Microsoft Entra Identifier** from Azure.
  * **Single Sign-On URL:** Enter the **Login URL** from Azure.
  * **Single Logout URL:** Enter the **Logout URL** from Azure.

<figure><img src="https://2804394160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD9Htw9DUg294GuYmAyyj%2Fuploads%2Fgit-blob-e60997ec64876b03624e851fdab436154114e408%2FCleanShot%202024-08-13%20at%2000.50.43%402x.png?alt=media" alt=""><figcaption><p>Azure SSO</p></figcaption></figure>

<figure><img src="https://2804394160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD9Htw9DUg294GuYmAyyj%2Fuploads%2Fgit-blob-b8bfd2d5b9d16521252063bfda280d07b24b4ea6%2FCleanShot%202024-08-13%20at%2000.48.27%402x.png?alt=media" alt=""><figcaption><p>Duo SSO</p></figcaption></figure>
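
To confirm that the values from the three steps line up after a test login, the following added example (not part of the original guide, nor Duo or Azure tooling) checks a captured, unencrypted SAML response against the configured Entity ID, ACS URL, audience and claims. All URLs and identifiers are constructed placeholders, and the check is a configuration diagnostic that does not verify the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed placeholders: substitute the values from Steps 1 and 3.
EXPECTED = {
    "idp_entity_id": "https://idp.example.invalid/TENANT_PLACEHOLDER/",  # Step 3
    "acs_url": "https://duo.example.invalid/ACS_PLACEHOLDER",            # Step 1
    "audience": "https://duo.example.invalid/ENTITY_PLACEHOLDER",        # Step 1
    "claims": ["FirstName", "LastName"],                                 # Step 2.5
}
# Constructed sample response (unsigned, unencrypted), not a real capture.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
 <saml:Assertion><saml:Issuer>{iss}</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.invalid</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def sample(acs, aud, claims):
    """Build a base64 sample response, as it appears in the SAMLResponse form field."""
    attrs = "".join(f'<saml:Attribute Name="{c}"><saml:AttributeValue>x'
                    f'</saml:AttributeValue></saml:Attribute>' for c in claims)
    xml = SAMPLE_XML.format(acs=acs, aud=aud, iss=EXPECTED["idp_entity_id"], attrs=attrs)
    return base64.b64encode(xml.encode())

def check_saml_response(b64_response, expected):
    """List mismatches with the configured values; does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""
    issuer = text("saml:Assertion/saml:Issuer")
    if issuer != expected["idp_entity_id"]:       # Entity ID entered in Duo
        problems.append(f"Issuer {issuer!r} != IdP Entity ID")
    dest = root.get("Destination")
    if dest != expected["acs_url"]:               # Reply URL set in Azure
        problems.append(f"Destination {dest!r} != ACS URL")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected["audience"] not in audiences:     # Identifier set in Azure
        problems.append(f"Audience {audiences!r} lacks {expected['audience']!r}")
    if not text("saml:Assertion/saml:Subject/saml:NameID"):
        problems.append("NameID missing or empty")
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    problems += [f"claim {c!r} missing" for c in expected["claims"] if c not in names]
    return problems
```

An empty list means the response agrees with what was entered in Steps 1 to 3; each entry otherwise names the field to revisit.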

***Note:*** If you experience any issues during the linking process or have questions related to Single Sign-On (SSO) integration, please reach out to our support team at <founders@tryprotege.com>. We are available to assist you and ensure a seamless integration with your authentication system.
