Duo Access Gateway - Generic SAML Service Provider

Duo Access Gateway (DAG) adds two-factor authentication, complete with inline self-service enrollment and the Duo authentication prompt, to cloud services.

We've already added a number of popular SaaS applications to Duo pre-configured for use with the Access Gateway. If you want to protect a cloud service that we don't have listed by name, you can use our generic SAML Service Provider application.

Prerequisites

Before you start you should have already deployed the Duo Access Gateway with a configured authentication source. You should also verify that your cloud app supports SAML 2.0 and locate the vendor's instructions for configuring SSO; you will need values from those instructions (entity ID, assertion consumer URL, NameID format, required attributes) in the steps below.

Create Your Cloud Application in Duo

Important: When you create your cloud application in Duo you download a configuration file. This file contains the credentials that uniquely identify this application to Duo, so treat it like a password: store it securely, don't share it with unauthorized individuals, and never e-mail it to anyone under any circumstances.

  1. Log in to the Duo Admin Panel and click Applications on the left navigation, and then click Protect an Application.

  2. Locate SAML Service Provider in the list of applications, and then click the Protect this Application link.

  3. Enter the following information about your cloud app vendor in the Service Provider section:

    Service Provider Name: The name of the service provider.
    Entity ID: The service provider's identifier (usually a URL or URN), entered exactly as given in the vendor's SSO instructions.
    Assertion Consumer Service: The URL where your service provider receives SAML assertions.

  4. Use your service provider's SSO instructions to complete the SAML Response section:

    NameID format: Format of the NameID when sent to the service provider.
    NameID attribute: The authentication source attribute used to identify the user to the service provider. This attribute is sent as the NameID and is often the user's e-mail address ("mail" or "email").
    Send attributes: By default the DAG sends only the NameID to the service provider. Change this option to "All" if your service provider requires additional attributes in the SAML response.
    Sign response: Leave this option enabled if the DAG should sign the SAML response sent to the service provider. Uncheck the box only if the vendor's instructions say the response must not be signed.
    Sign assertion: Leave this option enabled if the DAG should sign the SAML assertion sent to the service provider. Uncheck the box only if the vendor's instructions say the assertion must not be signed. Keep at least one of "Sign response" and "Sign assertion" enabled: without a signature the service provider has no way to verify that the assertion came from your DAG, and a forged assertion would be accepted.
    Map attributes: If your service provider requires specific names for the attributes sent by the DAG identity provider, map the authentication source attributes to the required names here. Enter the attribute name from your authentication source on the left and the new attribute name on the right. Consult your service provider's documentation for the required attribute names.
    Create attributes: If your service provider requires the DAG identity provider to send an attribute with a fixed value, define it here. Enter the new attribute name on the left and the static attribute value on the right. Consult your service provider's documentation for the required attribute names.

    [Screenshot: example generic SAML Service Provider configuration]

  5. After entering the service provider information click the Save Configuration button and download the configuration file.


If your service provider requires IdP-initiated login, the login URL is the URL of your DAG logon page with the service provider's entity ID passed in the spentityid query parameter, e.g. https://yourserver.example.com/dag/saml2/idp/SSOService.php?spentityid=Your_SP_Entity_ID. If the entity ID contains reserved characters such as ":" or "/", URL-encode it when building the link.

Add Your Cloud Application to Duo Access Gateway

  1. From the DAG server's console, click the Configure icon in the "Duo Access Gateway" application group to log on to https://yourserver.example.com/dag. Log in with the administrator password and click Applications.

  2. Click the Choose File button in the "Add Application" section of the page and locate the SAML application JSON file you downloaded from the Duo Admin Panel earlier. Click the Upload button after selecting the JSON configuration file.


  3. The new SAML application is added.


  4. You may want to customize the logo shown for a generic SAML application, as this logo is shown to users in the Duo Access Gateway Launcher. Duo's pre-defined SAML applications show the service provider's logo, while generic SAML apps show a Duo logo by default.

    To change the logo shown, click the Edit Logo button to the right of the SAML SP-initiated logon URL and default logo.


  5. Select a PNG image to use for the generic SAML application's logo and then click Save.


  6. Your generic SAML application now has a custom logo.


Configure Your Service Provider

You'll need to provide some information about Duo Access Gateway to your cloud application provider, like URL information, a metadata file, a certificate file, or a certificate thumbprint. You can find this information in the "Metadata" section at the bottom of the DAG console's "Applications" page.


Refer to your service provider's SSO configuration guide for instructions.
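The metadata hand-off described in this section and the IdP-initiated URL format described earlier are both mechanical enough to script. The following is an added example, not Duo's code and not part of the original page: it parses a DAG-style IdP metadata document, pulls out the values a service provider's SSO form typically asks for (IdP entity ID, SSO endpoint per binding, signing certificate as a PEM file, SHA-1 and SHA-256 thumbprints), and builds the IdP-initiated login URL with the entity ID URL-encoded. The metadata document is constructed for the example: the metadata entity ID path (metadata.php), the HTTP-POST binding and the service provider entity ID https://app.example.com/saml/metadata are assumptions, and the certificate bytes are a three-byte placeholder (b"abc") rather than a real DER certificate, chosen so the thumbprints can be checked against published SHA test vectors. Feed it the metadata file downloaded from the DAG console's "Applications" page to get real values.

```python
"""Extract the values a SAML service provider needs from Duo Access Gateway
IdP metadata, and build the IdP-initiated login URL.

Added example, not Duo's code. The metadata document below is constructed:
the entity ID path and the certificate bytes are placeholders.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder standing in for DER-encoded certificate bytes (NOT a real
# certificate). b"abc" is used so the fingerprints match the well-known
# SHA-1 / SHA-256 test vectors and can be verified by hand.
FAKE_CERT_DER = b"abc"

DAG_BASE_URL = "https://yourserver.example.com/dag"

# Constructed IdP metadata in the shape the DAG "Metadata" section provides.
# The metadata.php entity ID and the HTTP-POST binding are assumptions.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="{DAG_BASE_URL}/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data>
          <ds:X509Certificate>
            {base64.b64encode(FAKE_CERT_DER).decode()}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{DAG_BASE_URL}/saml2/idp/SSOService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{DAG_BASE_URL}/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the IdP entity ID, SSO endpoints keyed by binding, and the
    DER bytes of every signing certificate found in the metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            # Strip the line breaks/indentation that wrap the base64 text.
            certs.append(base64.b64decode("".join((c.text or "").split())))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated uppercase hex thumbprint, as SP consoles display it."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate file (64 base64 chars per line)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def idp_initiated_url(dag_base_url: str, sp_entity_id: str) -> str:
    """DAG logon URL for IdP-initiated SSO; urlencode escapes ':' and '/'."""
    return f"{dag_base_url}/saml2/idp/SSOService.php?" + urlencode({"spentityid": sp_entity_id})


def sp_handoff(xml_text: str) -> dict:
    """Everything the service provider's SSO configuration form usually wants."""
    meta = parse_idp_metadata(xml_text)
    cert = meta["signing_certs"][0]
    return {
        "idp_entity_id": meta["entity_id"],
        "sso_redirect_url": meta["sso"].get("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"),
        "sso_post_url": meta["sso"].get("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"),
        "cert_pem": to_pem(cert),
        "sha1_thumbprint": fingerprint(cert, "sha1"),
        "sha256_thumbprint": fingerprint(cert, "sha256"),
    }


if __name__ == "__main__":
    for key, value in sp_handoff(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
    # Hypothetical SP entity ID; substitute the one from step 3.
    print(idp_initiated_url(DAG_BASE_URL, "https://app.example.com/saml/metadata"))
```

Compare the thumbprint the script reports with the one shown in the DAG console's "Metadata" section before entering it at the service provider; a mismatch means you are looking at the wrong metadata file or certificate. With a real metadata file the certificate is the DAG's actual signing certificate, so the PEM output can be handed to vendors that ask for a certificate file rather than a thumbprint.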

Enable Trusted Sessions

If you want your new SAML application to take part in Duo single sign-on as well, so that a user who has already completed Duo authentication in the current browser session is not prompted again, configure the "Remembered Devices" policy for SSO on the new application. See the Duo Access Gateway with Single Sign-On instructions.
