Set up Duo
Configure single sign-on (SSO) for your PCD environment using Duo as a SAML 2.0 identity provider.
Overview
Configure single sign-on (SSO) for your PCD environment using Duo. This integration allows users to authenticate to PCD using their existing Duo credentials and enables Duo's multi-factor authentication (MFA) policies for all PCD logins.
In this guide, you will create a Duo SAML application, map user attributes, and connect Duo to your PCD deployment.
Prerequisites
Before you begin, ensure you have:
Administrative access to the Duo Admin Panel.
Administrative access to your PCD environment.
Your PCD domain FQDN (fully qualified domain name), without the region name.
Users enrolled in Duo who need access to PCD.
Step 1: Create a SAML Application in Duo
Create a new generic SAML service provider application in the Duo Admin Panel to handle the SSO integration.
Log in to the Duo Admin Panel at admin.duosecurity.com.
Navigate to Applications and select Protect an Application.
Search for Generic Service Provider and select Protect next to it.
Note the Entity ID, Single Sign-On URL, and Certificate values — you will need these when configuring PCD.
Step 2: Configure SAML Settings in Duo
Configure the service provider settings so Duo can send SAML assertions to your PCD deployment.
Under Service Provider, configure the following fields.
Entity ID: https://<FQDN>/keystone
Assertion Consumer Service (ACS) URL: https://<FQDN>/sso/<DOMAIN_NAME>/Shibboleth.sso/SAML2/POST
NameID format: EmailAddress
Note
Replace <FQDN> with your PCD domain FQDN without any region suffix. Replace <DOMAIN_NAME> with IDP1 for the default domain, or with your specific domain name.
For example, use companyx.app.pcd.platform9.com, not companyx-regionone.app.pcd.platform9.com.
Under SAML Response, configure the following.
Signature algorithm: SHA-256
Signing options: Sign response
Save the application.
Step 3: Map Attributes in Duo
Add attribute statements so that Duo passes the user's name and email to PCD.
In your Duo SAML application, navigate to SAML Response > Map Attributes.
Add the following attribute mappings.
FirstName: <user.first_name>
LastName: <user.last_name>
Email: <user.email>
Save the attribute mappings.
Step 4: Download the Duo Metadata
Download the SAML metadata XML from Duo so you can register it in PCD.
In your Duo SAML application, select Download XML Metadata or note the Metadata URL from the application overview.
You will supply either the metadata URL or the XML content in the next step.
Step 5: Configure SSO in PCD
Connect your PCD deployment to the Duo SAML application.
Log in to your PCD environment.
Navigate to Settings > Enterprise SSO.
Enable SSO and configure the following fields.
SSO Provider: Select Other (Duo is not listed as a named provider; use the generic SAML path).
Entity ID: Enter the Entity ID from your Duo SAML application.
SAML Metadata URL: Enter the metadata URL from Duo, or leave blank if supplying the XML directly.
SSO Provider Attribute Map in XML: Paste the attribute map XML described below.
Paste the following attribute map XML into the SSO Provider Attribute Map in XML field. Adjust attribute names if you used different names in Step 3.
Select Save.
Step 6: Configure SAML Groups in PCD
Set up SAML groups to manage user permissions and role assignments.
On the Enterprise SSO page, select SAML Groups.
Select Add Group.
Configure the group settings.
Name: Enter a unique name for the group.
Description: Enter a brief description.
SAML Attribute Key for First Name: Enter FirstName (or the attribute name you configured in Step 3).
SAML Attribute Key for Last Name: Enter LastName.
SAML Attribute Key for Email: Enter Email.
Configure the group mapping.
SAML Group Attribute: Enter the group attribute name configured in your Duo attribute mappings.
Criteria: Select Any one of.
SAML Group Values: Enter the Duo group names whose members should match this mapping.
Under Tenants & Roles, assign the group to the appropriate tenants and roles (Administrator, Self-Service User, or ReadOnly).
Select Save.
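Steps 3, 5 and 6 all depend on how the SP behind PCD turns the attributes in Duo's assertion into the keys PCD reads (FirstName, LastName, Email and the group attribute). The script below is an added example, not Platform9's or Duo's code: it applies an attribute map to a SAML response, checks the Step 2 settings (signed response with SHA-256, EmailAddress NameID), confirms the Step 3 attributes arrived, and evaluates a Step 6 "Any one of" group rule. The attribute map is written in Shibboleth SP's attribute-map.xml format, which is an assumption suggested by the Shibboleth.sso ACS path in Step 2 and may differ from what PCD expects; the "Groups" attribute name, idp.example.com and alice@example.com are constructed, and the response's signature value is a placeholder that is not verified.

```python
"""Resolve a SAML response's attributes through an attribute map and check it
against the PCD settings in Steps 2, 3, 5 and 6.

Added example. ATTRIBUTE_MAP assumes Shibboleth SP's attribute-map.xml format;
'Groups' is a hypothetical extra Duo mapping used for the Step 6 rule.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Assumed attribute map (Shibboleth attribute-map.xml format): name = attribute
# name in the assertion, id = key PCD reads.
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="FirstName" id="FirstName"/>
  <Attribute name="LastName" id="LastName"/>
  <Attribute name="Email" id="Email"/>
  <Attribute name="Groups" id="Groups"/>
</Attributes>"""

# Constructed SAML response; the signature value is a placeholder and is not verified.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://companyx.app.pcd.platform9.com/sso/IDP1/Shibboleth.sso/SAML2/POST">
  <saml2:Issuer>https://idp.example.com/saml/metadata</saml2:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>https://idp.example.com/saml/metadata</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="FirstName"><saml2:AttributeValue>Alice</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="LastName"><saml2:AttributeValue>Example</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="Email"><saml2:AttributeValue>alice@example.com</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="Groups">
        <saml2:AttributeValue>pcd-admins</saml2:AttributeValue>
        <saml2:AttributeValue>engineering</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_attribute_map(xml_text):
    """Map assertion attribute names to the ids the SP exposes."""
    root = ET.fromstring(xml_text)
    return {a.get("name"): a.get("id") for a in root.iter(f"{{{MAP_NS}}}Attribute")}


def resolve_attributes(response_xml, attr_map):
    """Return {id: [values]}; attributes absent from the map are dropped, as an SP would."""
    root = ET.fromstring(response_xml)
    resolved = {}
    for attr in root.iterfind(".//saml2:Attribute", NS):
        local_id = attr_map.get(attr.get("Name"))
        if local_id is None:
            continue
        values = [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
        resolved.setdefault(local_id, []).extend(values)
    return resolved


def nameid_format(response_xml):
    nid = ET.fromstring(response_xml).find(".//saml2:Subject/saml2:NameID", NS)
    return nid.get("Format") if nid is not None else None


def signature_algorithm(response_xml):
    """Algorithm declared on the Response-level signature (Step 2: Sign response)."""
    sm = ET.fromstring(response_xml).find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return sm.get("Algorithm") if sm is not None else None


def group_matches(resolved, group_attr, group_values):
    """Step 6 'Any one of': true if any asserted group is among the configured values."""
    wanted = set(group_values)
    return any(g in wanted for g in resolved.get(group_attr, []))


def check_login(response_xml, attr_map_xml, required=("FirstName", "LastName", "Email")):
    """Return the problems PCD would hit with this response; [] means it passes."""
    problems = []
    if signature_algorithm(response_xml) != RSA_SHA256:
        problems.append("response not signed with RSA-SHA256 (Step 2: Sign response, SHA-256)")
    if nameid_format(response_xml) != EMAIL_FORMAT:
        problems.append("NameID format is not EmailAddress (Step 2)")
    resolved = resolve_attributes(response_xml, parse_attribute_map(attr_map_xml))
    for key in required:
        if not resolved.get(key):
            problems.append(f"required attribute missing: {key}")
    return problems


if __name__ == "__main__":
    attrs = resolve_attributes(SAMPLE_RESPONSE, parse_attribute_map(ATTRIBUTE_MAP))
    print(attrs, check_login(SAMPLE_RESPONSE, ATTRIBUTE_MAP))
    print("admin mapping matches:", group_matches(attrs, "Groups", ["pcd-admins"]))
```

The script only inspects declared values; it does not verify the XML signature, which the SP does on every login. The useful failure mode it shows is a mismatch between the attribute names Duo sends (Step 3) and the names in the attribute map (Step 5): an attribute the map does not list is silently dropped, so PCD reports a missing Email or group value even though Duo sent one.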
Step 7: Test the SSO Configuration
Verify that your Duo SSO integration works correctly.
Log out of your current PCD session.
Open a new private or incognito browser window.
Navigate to your PCD login page.
Select Sign In with SSO.
Complete the authentication process using your Duo credentials and MFA.
Verify that you can access PCD resources according to your assigned role.
You have now successfully configured SSO integration between PCD and Duo. Users can authenticate using their Duo credentials and access PCD resources based on their assigned roles.
Next Steps
To troubleshoot SSO login failures, see SSO Troubleshooting Guide.
To understand role permissions, see RBAC Roles and Permissions.