Configure Duo Single Sign-On with SAML as Vinyl Security Provider

This article steps through how to configure Duo Single Sign-On with SAML as an SSO Security Provider in Vinyl. The Duo Single Sign-On configuration needs to be set up first, followed by configuring the Vinyl Security Provider information to connect to Duo Single Sign-On.

Duo Single Sign-On with SAML

Duo Single Sign-On offers a SAML-based service that provides companies with control over the authorization and authentication of hosted user accounts that can access web-based entities. Vinyl acts as the identity provider and, when configured along with Duo Single Sign-On, can be used to authenticate and authorize Users into a Vinyl app.

Before configuring Duo Single Sign-On for use with Vinyl, you will need to enable Duo Single Sign-On for your Duo account and configure an authentication source. See the Duo Single Sign-On for Generic SAML Service Providers article for guidance.

The Duo Single Sign-On service is based on the SAML v2.0 specifications.

Duo Single Sign-On Configuration Settings

To get started, configure Duo Single Sign-On for use with your Vinyl app:

  1. Log into the Duo Admin Panel
  2. Go to Applications
  3. Click Protect an Application and locate the Generic SAML Service Provider with protection type 2FA with SSO hosted by Duo (Single Sign-On) in the applications list
  4. Click Protect to start configuring the Generic SAML Service Provider
  5. On the Generic SAML Service Provider page you will need to reference some of the Metadata and Downloads values for the Vinyl configuration:

  6. Copy the Metadata URL and download the Certificate

  7. In the Service Provider section, enter the following information:

    • Metadata Discovery: None (manual input)
    • Entity ID: Corresponds with Sign In Provider URL. Example: https://example.zudy.com/signin-{{ProviderName}}
    • ACS URL: The URL where your service provider receives SAML assertions. This will be the same value as your Entity ID.

Vinyl Security Provider

After the Duo Single Sign-On configuration is complete, you will configure Duo in Vinyl as a SAML Security Provider.

[Figure: Duo Single Sign-On SAML Provider configuration example]

Vinyl Configuration Specific to Duo Single Sign-On

Follow the basic configuration for Vinyl as a SAML Security Provider. In addition, review and confirm the following settings which are specific to integration with Duo Single Sign-On:

Settings

  • Name: Duo Single Sign-On
  • Type: SAML
  • Enabled: True

Tokens

  • Audience, Recipient, and Issuer: values must match the Entity ID value provided from Duo Single Sign-On. Example: https://vinyl.example.com/signin-Duo

Endpoints

  • Metadata Endpoint: value must match the Metadata URL value provided from Duo Single Sign-On. Example: https://example.sso.duosecurity.com/saml2/sp/12345

Properties

  • SignatureRequirement: value set to AssertionAndResponse.

Claims

  • Configure Claims records to instruct how to handle the identity creation and group mapping. Example: Name ID is a Usage type, with emailAddress as the Identifier value. You may also configure Group as a Usage type, with groups as the Identifier.

Lastly, you will need to upload the Certificate information downloaded from Duo Single Sign-On:

  1. Click + Certificate from the Certificates area on Provider settings
  2. Select Signature Validation for Usage
  3. Select X.509 Certificate for Type
  4. Select PEM for Format
  5. Enter the Duo Security Certificate information. Be sure to remove the start and end notation from the certificate.
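The following Python example is added here and is not part of the Vinyl or Duo documentation. It prepares the value for step 5 by removing the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines from the downloaded PEM file, rejecting anything that is not a single, complete certificate (for example a private key or a truncated paste), and computing a SHA-256 fingerprint so the pasted value can be checked against the downloaded file. The function names are assumptions made for illustration, and the sample input is a constructed blob, not a real certificate.

```python
import base64
import hashlib
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def pem_body(pem_text: str) -> str:
    """Return the base64 body of a single-certificate PEM file, without BEGIN/END lines."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label != "CERTIFICATE":
        raise ValueError(f"refusing PEM block of type {label!r}")
    body = "".join(body.split())  # drop newlines, carriage returns, indentation
    der = base64.b64decode(body, validate=True)  # raises ValueError on stray characters
    # An X.509 certificate is a DER SEQUENCE: tag 0x30, then a length that
    # must account for every remaining byte (this catches truncated pastes).
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length does not match body size (truncated?)")
    return body


def sha256_fingerprint(body: str) -> str:
    """Colon-separated SHA-256 fingerprint of the DER bytes behind the body."""
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


# Constructed sample: a 20-byte DER-shaped blob, NOT a real certificate.
SAMPLE_DER = b"\x30\x12" + bytes(range(18))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    body = pem_body(SAMPLE_PEM)
    print(body)                      # value to paste into the certificate field
    print(sha256_fingerprint(body))  # fingerprint of the same certificate
```

To use it with the real file, read the certificate downloaded from Duo Single Sign-On into a string and pass it to pem_body in place of SAMPLE_PEM.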
