Duo Single Sign-On for GoodData

Last updated: January 8th, 2026

Add strong authentication and flexible security policies to GoodData logins with Duo Single Sign-On. Duo Single Sign-On. Our cloud-hosted Open ID identity provider supports multiple user directories backed by Duo identity and access management (IAM), offering self-service user enrollment options and support for a variety of authentication methods — such as passkeys and security keys, Duo Push, or Verified Duo Push — in the Universal Prompt.

About Duo Single Sign-On

Duo Single Sign-On is our cloud-hosted SSO product which layers Duo's strong authentication and flexible policy engine on top of GoodData logins using the Security Assertion Markup Language (SAML) 2.0 or OpenID Connect (OIDC) authentication standards. Duo Single Sign-On acts as an OpenID provider (OP), authenticating your users using existing on-premises Active Directory (AD) or any SAML 2.0 IdP and prompting for two-factor authentication before permitting access to GoodData.

Duo Single Sign-On is available in Duo Premier, Duo Advantage, and Duo Essentials plans, which also include the ability to define policies that enforce unique controls for each individual SSO application. For example, you can require that Salesforce users complete two-factor authentication at every login, but only once every seven days when accessing GoodData. Duo checks the user, device, and network against an application's policy before allowing access to the application.

Configure Single Sign-On

Before configuring GoodData with Duo SSO using OpenID Connect (OIDC) authentication you'll first need to configure a working authentication source.

Once you have your SSO authentication source working, continue to the next step of creating the GoodData application in Duo.

When configuring an application to be protected with Duo Single Sign-On you'll need to send attributes from Duo Single Sign-On to the application. Active Directory will work with no additional setup, but if you used a SAML identity provider as your authentication source please verify that you configured it to send the correct SAML attributes.

These default attributes automatically map certain attributes from your authentication source.

Default Attribute	Active Directory	SAML IdP
`<Username>`	sAMAccountName	Username
`<Email Address>`	mail	Email
`<Display Name>`	displayName	DisplayName
`<First Name>`	givenName	FirstName
`<Last Name>`	sn	LastName
`<AMR>`	Not Applicable	Not Applicable

Note: AMR will be reported as [`pwd`, `auth-factor-dependent`].

Create the GoodData Application in Duo

Log in to the Duo Admin Panel and navigate to Applications → Application Catalog.
Locate the entry for GoodData with the "SSO" label in the catalog. Click the + Add button to start configuring GoodData. See Protecting Applications for more information about protecting applications with Duo and additional application options. You'll need the information on the GoodData page under Metadata later.
No active Duo users can log in to new applications until you grant access. Update the User access setting to grant access to this application to users in selected Duo groups, or to all users. Learn more about user access to applications. If you do not change this setting now, be sure to update it so that your test user has access before you test your setup.
This setting only applies to users who exist in Duo with "Active" status. This does not affect application access for existing users with "Bypass" status, existing users for whom the effective Authentication Policy for the application specifies "Bypass 2FA" or "Skip MFA", or users who do not exist in Duo when the effective New User Policy for the application allows access to users unknown to Duo without MFA.
The Metadata section contains OpenID provider information about Duo Single Sign-On you will provide to GoodData at a later configuration step.
Scopes are used by GoodData during authentication to authorize access to a user's details. Each scope returns a set of user attributes (claims) that must be mapped to IdP attributes. When an application sends an OIDC request to Duo SSO, the response sends only the claims from the requested scopes.

We've automatically enabled the following scopes and mapped the listed attributes. You can change the attribute sent from your authentication source by modifying the IdP Attribute name related to each claim:
- Profile Scope:
  
  IdP Attribute Claim
  
  <First Name> given_name
  
  <Last Name> family_name
  
  <Display Name> name
- Email Scope:
  
  IdP Attribute Claim
  
  <Email> email
- gd_user_groups_scope:
  
  IdP Attribute Claim
  
  <groups> gd_user_groups_claim
You can adjust additional settings for your new SSO application at this time — like changing the application's name from the default value, enabling self-service, or assigning a group policy.
Keep the Duo Admin Panel tab open. You will come back to it later.

IdP Attribute	Claim
<First Name>	given_name
<Last Name>	family_name
<Display Name>	name

IdP Attribute	Claim
<Email>	email

IdP Attribute	Claim
<groups>	gd_user_groups_claim

Duo Universal Prompt

The Duo Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.

Universal Prompt	Traditional Prompt

The Duo GoodData application supports the Universal Prompt by default, so there's no additional action required on your part to start using the newest authentication experience.

Activate Universal Prompt

Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications. Universal Prompt is already activated for new GoodData applications at creation.

The "Universal Prompt" area of the application details page shows that this application's status is "Activation complete", with these activation control options:

Show traditional prompt: Your users experience Duo's traditional prompt via redirect when logging in to this application.
Show new Universal Prompt: (Default) Your users experience the Universal Prompt via redirect when logging in to this application.

The application's Universal Prompt status shows "Activation complete" both here and on the Universal Prompt Update Progress report.

Universal Prompt Info - Universal Prompt Activation Complete

For the time being, you may change this setting to Show traditional prompt to use the legacy experience. Keep in mind that support for the traditional Duo prompt ended for the majority of applications in March 2024. This option will be removed in the future.

Universal Update Progress

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.

Configure GoodData

Create a Token

Log into your GoodData account as an administrator.
In the web address bar, make note of your hostname. You will need it later.

Example: If the URL in the web address bar is https://yourhostname.com/getting-started, then your hostname is yourhostname.com.
In the sidebar menu, click Settings. The "Settings" page opens.
Scroll down to "Developer". On the "Personal access tokens" row, click Manage. The "Manage personal access tokens" pop-up window opens.
Click Create. The "Create personal access token" pop-up window opens.
Enter a unique name for your token into the Name field and then click Create.
Click Copy token and paste the token into a text editor. You will need it later.

Note: If you lose your token, you can repeat steps 3 through 7 to generate a new token.
Click Close to close the pop-up window.

Create an IdP Configuration API

You will make a POST request to create your IdP configuration API.

Open your preferred client to make an Application Programming Interface (API) request.
Make an API request to POST https://yourhostname.com/api/v1/entities/identityProviders.
Parse the appropriate Content-type and Authorization headers with the personal access token that you copied and saved earlier.
Go to the Create an Identity Provider section of the GoodData "Set Up Authentication Using OpenID Connect Identity Provider" article.

Copy the "Request body example" text and paste it in your client below the headings you created earlier. See the code block below for an example of the intitial setup.

POST https://https://yourhostname.com/api/v1/entities/identityProviders
Content-type: application/vnd.gooddata.api+json
Authorization: * * * * * *

{
  "data": {
      "id": "id1",
      "type": "identityProvider",
      "attributes": {
          "identifiers": ["gooddata.com"],
          "idpType": "CUSTOM_IDP",
          "oauthClientId": "string",
          "oauthClientSecret": "string",
          "oauthIssuerId": "myOidcProvider",
          "oauthIssuerLocation": "string",
          "oauthSubjectIdClaim": "oid"
      }
   }
}

On the "id" line, replace id1 with a unique name for your IdP configuration.
On the "identifiers" line, replace gooddata.com with your email domain.

Example: If your email address is user@example.com, then your email domain is example.com.
Return to the Duo Admin Panel. Under "Metadata", copy the following fields and paste them over the text on their respective lines in your client as follows:
- Copy the Client ID and paste it over string on the "oauthClientId" line.
- Copy the Client Secret and paste it over string on the "oauthClientSecret" line.
- Copy the Issuer URL and paste it over string on the "oauthIssuerLocation" line.
In your client on the "oauthIssuerID" line, replace myOidcProvider with duo.

On the "oauthSubjectIdClaim" line, replace oid with email. See the code block below for an example of the completed API.

POST https://https://yourhostname.com/api/v1/entities/identityProviders
Content-type: application/vnd.gooddata.api+json
Authorization: * * * * * *

{
  "data": {
      "id": "my-idp-config",
      "type": "identityProvider",
      "attributes": {
          "identifiers": ["example.com"],
          "idpType": "CUSTOM_IDP",
          "oauthClientId": "AB1C23D4E56F7GH8IJKL",
          "oauthClientSecret": "a1bC2defgh345iJK6LMnoPqRSTUvwxyZa7B8cdeF",
          "oauthIssuerId": "duo",
          "oauthIssuerLocation": "https://sso-abc1def2.sso.duosecurity.com/oidc/AB1C23D4E56F7GH8IJKL",
          "oauthSubjectIdClaim": "email"
      }
   }
}

Keep your client open. You will come back to it later.

Add the Redirect URI

Return to the Duo Admin Panel. Under "Relying Party", type https://yourhostname.com/login/oauth2/code/duo using your hostname you noted earlier.
In the Duo Admin Panel, scroll down to the bottom of the page and click Save.
Keep the Duo Admin Panel tab open. You will come back to it later to configure the remaining APIs.

Get Your IdP Configuration API

You will make a GET request for your IdP configuration API.

Return to your client.
Make an API request to GET https://yourhostname.com/api/v1/entities/identityProviders.

Parse the appropriate Authorization header with the personal access token that you copied and saved earlier. See the code block below for an example.

POST https://https://yourhostname.com/api/v1/entities/identityProviders
Content-type: application/vnd.gooddata.api+json
Authorization: * * * * * *

Make sure the IdP configuration API you created earlier is pulled in.
Keep your client open. You will need it for the next section.

Link the Active IdP API

You will make a POST request when you switch the active IdP API.

Return to your client.
Make an API request to POST https://yourhostname.com/api/v1/actions/organization/switchActiveIdentityProvider.
Parse the appropriate Content-type and Authorization headers with the personal access token that you copied and saved earlier.
Go to the Update the OIDC Settings of the Organization section of the GoodData "Set Up Authentication Using OpenID Connect Identity Provider" article.

Copy the "Payload" text and paste it in your client below the headings you created earlier. See the code block below for an example of the intitial setup.

POST https://yourhostname.com/api/v1/actions/organization/switchActiveIdentityProvider
Content-type: application/json
Authorization: * * * * * *

{
  "idpId": "my-idp-123"
}

On the "idpId" line, replace my-idp-123 with the name of the IdP configuration you created earlier. See the code block below for an example of the completed API.

POST https://yourhostname.com/api/v1/actions/organization/switchActiveIdentityProvider
Content-type: application/json
Authorization: * * * * * *

{
  "idpId": "my-idp-config"
}

Keep your client open. You will need it for the next section.

Just-In-Time Provisioning API

Just-In-Time (JIT) provisioning is optional. You will make a POST request when you create a JIT provisioning API.

Return to your client.
Make an API request to POST https://yourhostname.com/api/v1/entities/organizationSettings.
Parse the appropriate Content-type and Authorization headers with the personal access token that you copied and saved earlier.
Go to the JIT Provisioning Configuration section of the GoodData "Set Up Authentication Using OpenID Connect Identity Provider" article.

Copy the "Example Configuration" text and paste it in your client below the headings you created earlier. See the code block below for an example of the intitial setup.

POST https://https://yourhostname.com/api/v1/entities/identityProviders
Content-type: application/vnd.gooddata.api+json
Authorization: * * * * * *

{
  "data": {
      "attributes": {
          "content": {
              "enabled": true,
              "userGroupsScopeEnabled": true,
              "userGroupsScopeName": "gd_user_groups_scope",
              "userGroupsClaimName": "gd_user_groups_claim",
              "userGroupsDefaults": ["defaultUserGroup"]
          },
          "type": "JIT_PROVISIONING"
      },
      "id": "id1",
      "type": "organizationSetting"
  }
}

On the "userGroupsDefaults" line, replace defaultUserGroup with the group you want to use for JIT. In the code block example below, the default group adminGroup is used.

Note: If the user groups claim includes user groups that don't exist in your organization, these groups will be automatically created. Creating groups in this way can lead to a security issue.

POST https://https://yourhostname.com/api/v1/entities/identityProviders
Content-type: application/vnd.gooddata.api+json
Authorization: * * * * * *

{
  "data": {
      "attributes": {
          "content": {
              "enabled": true,
              "userGroupsScopeEnabled": true,
              "userGroupsScopeName": "gd_user_groups_scope",
              "userGroupsClaimName": "gd_user_groups_claim",
              "userGroupsDefaults": ["adminGroup"]
          },
          "type": "JIT_PROVISIONING"
      },
      "id": "id1",
      "type": "organizationSetting"
  }
}

Learn more about GoodData SSO at GoodData Learn.

Using SSO

You can log on to GoodData SSO by navigating to your GoodData SSO page using the hostname you noted earlier *e.g., https://yourhostname.com. You will be automatically redirected to Duo Single Sign-On to begin authentication.

Active Directory Login

With Active Directory as the Duo SSO authentication source, enter the primary username (email address) on the Duo SSO login page and click or tap Next.

Enter the AD primary password and click or tap Log in to continue.

Enable Duo Passwordless to log in to Duo SSO backed by Active Directory authentication without entering a password in the future.

SAML Login

With another SAML identity provider as the Duo SSO authentication source, Duo SSO immediately redirects the login attempt to that SAML IdP for primary authentication. Users do not see the Duo SSO primary login screen.

Duo Authentication

Successful verification of your primary credentials by Active Directory or a SAML IdP redirects back to Duo. Complete Duo two-factor authentication when prompted and then you'll return to GoodData to complete the login process.

* Universal Prompt experience shown.

GoodData supports SP-initiated authentication only, meaning that you must start your SSO login from that application's sign-in page. You won't be able to add as an application tile in Duo Central for IdP-initiated logins.

Congratulations! Your GoodData users now authenticate using Duo Single Sign-On.

See the full user login experience, including expired password reset (available for Active Directory authentication sources) in the Duo End User Guide for SSO.

Grant Access to Users

If you did not already grant user access to the Duo users you want to use this application be sure to do that before inviting or requiring them to log in with Duo.

Enable Remembered Devices

To minimize additional Duo two-factor prompts when switching between and your other Duo Single Sign-On SAML applications, be sure to apply a shared "Remembered Devices" policy to your SAML applications.

Automated Provisioning

You may be able to create, manage, and delete users and groups in this application automatically from Duo using SCIM 2.0 provisioning. See Automated Provisioning to learn how.

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.