SSO Duo Setup
The following instructions set up an identity provider in Duo.
Introduction
Duo users can use their managed Google account credentials to sign in to enterprise cloud applications via Single Sign-On (SSO) using SAML 2.0. Tehama can be integrated with Duo through SAML 2.0 and presented as a managed application alongside other Duo integrated applications.
Once enabled, authentication to Tehama must be made through Duo - local authentication through https://app.tehama.io is no longer possible except by using the Tehama Org Admin account. Duo/Tehama Integration is limited to authentication only.
User accounts are required for both Duo and Tehama. Both accounts must be configured with the same email address for SSO to work, and the user must accept the Tehama Welcome email before they will be able to launch a connection via Duo SSO.
Integration Summary
Integration with Duo SSO is a five-step process as follows.
- Obtain initial configuration settings from Tehama
- Create an application in Duo
- Add the application to a Duo Access Gateway (DAG)
- Obtain the required Federation Metadata XML from the DAG
- Enter it back into Tehama
Prerequisites for Duo Integration
- A Tehama Account with Org Admin privileges
- A Duo account with Administrator privileges
- A Duo Access Gateway (DAG)
Setup Time - 15 minutes
Create a connected application
Log in to Tehama using the Org Admin Account and click on the ORGANIZATION tab in the navigation bar.
Select the AUTHENTICATION tab.
Check "Enable SAML Single-Sign on".
Open a second browser tab and sign in to your Duo Admin Account.
Select Applications from the top level menu.
Select Protect an Application.
Enter SAML - Service Provider in the Filter field, and select Protect this Application.
Provide an appropriate application name. Then copy the Entity ID from the AUTHENTICATION METHOD section of the Tehama Web UI's Authentication page (this field is visible on the page when "Enable SAML Single-Sign on" is checked) and paste it into the Entity ID field. Copy the Callback URL from the same place and paste it into the Assertion Consumer Service field on the Duo admin page.
Leave all other fields at their default values.
Click Save Configuration to continue.
Finally, select Download your configuration file to obtain a copy of the application configuration JSON file; it will be saved as SAML - Service Provider.json.
This completes the initial application configuration.
Next, log on to the Duo Access Gateway and select Applications from the top level menu.
Upload the previously created application configuration JSON file.
Optionally, select Edit Logo to assign a logo to the newly created application.
Click on the Download XML metadata link to obtain a copy of the Federation Metadata. It will be saved as dag.xml.
You may now log out of the Duo Access Gateway.
Open the dag.xml and copy the IDP metadata to the clipboard.
Return to the Tehama Web UI, paste the IDP metadata from the clipboard into the Federation Metadata XML box, and click SAVE.
Now that you have completed this step, each existing team member in your organization will receive an email inviting them to configure their SSO login by clicking the CONFIGURE SSO LOGIN link and following the instructions.
Each subsequently added team member will receive the same email and must also configure their SSO login by clicking on the provided link.
Application configuration is now complete.
You will still need to return to the Duo Console to assign User and Group settings as appropriate for your organization before it will be possible to access Tehama using Duo integration.