Duo Single Sign-On for Salesforce
Overview
As business applications move from on-premises to cloud hosted solutions, users experience password fatigue due to disparate logons for different applications. Single sign-on (SSO) technologies seek to unify identities across systems and reduce the number of different credentials a user has to remember or input to gain access to resources.
While SSO is convenient for users, it presents new security challenges. If a user's primary password is compromised, attackers may be able to gain access to multiple resources. In addition, as sensitive information makes its way to cloud-hosted services it is even more important to secure access by implementing two-factor authentication and zero-trust policies.
About Duo Single Sign-On
Duo Single Sign-On is our cloud-hosted SSO product which layers Duo's strong authentication and flexible policy engine on top of Salesforce logins. Duo Single Sign-On acts as an identity provider (IdP), authenticating your users using existing on-premises Active Directory (AD) or another SSO IdP. Duo SSO prompts users for two-factor authentication and performs endpoint assessment and verification before permitting access to Salesforce.
Duo Single Sign-On is available in Duo Premier, Duo Advantage, and Duo Essentials plans, which also include the ability to define policies that enforce unique controls for each individual SSO application. For example, you can require that users complete two-factor authentication at every Salesforce login, while another SSO application requires it only once every seven days. Duo checks the user, device, and network against an application's policy before allowing access to the application.
Configure Single Sign-On
Before configuring Salesforce with Duo SSO using Security Assertion Markup Language (SAML) 2.0 authentication you'll first need to configure a working authentication source.
Once you have your SSO authentication source working, continue to the next step of creating the Salesforce application in Duo.
Create the Salesforce Application in Duo
- Log in to the Duo Admin Panel and navigate to Applications → Application Catalog.
- Locate the entry for Salesforce with the "SSO" label in the catalog. Click the + Add button to start configuring Salesforce. See Protecting Applications for more information about protecting applications with Duo and additional application options. You'll need the information on the Salesforce page later to complete your setup.
- No active Duo users can log in to new applications until you grant access. Update the User access setting to grant access to this application to users in selected Duo groups, or to all users. Learn more about user access to applications. If you do not change this setting now, be sure to update it so that your test user has access before you test your setup.
  This setting only applies to users who exist in Duo with "Active" status. This does not affect application access for existing users with "Bypass" status, existing users for whom the effective Authentication Policy for the application specifies "Bypass 2FA" or "Skip MFA", or users who do not exist in Duo when the effective New User Policy for the application allows access to users unknown to Duo without MFA.
Duo Universal Prompt
The Duo Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.
[Screenshots: Universal Prompt and Traditional Prompt]
We've already updated the Duo Salesforce application hosted in Duo's service to support the Universal Prompt, so there's no action required on your part to update the application itself. If you created your Salesforce application before March 2024, you can activate the Universal Prompt experience for users from the Duo Admin Panel. Salesforce applications created after March 2024 have the Universal Prompt activated by default.
If you created your Salesforce application before March 2024, it's a good idea to read the Universal Prompt Update Guide for more information about the update process and the new login experience for users before you activate the Universal Prompt for your application.
Activate Universal Prompt
Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications.
The "Universal Prompt" area of the application details page shows that this application is "Ready to activate", with these activation control options:
- Show traditional prompt: Your users experience Duo's traditional prompt via redirect when logging in to this application.
- Show new Universal Prompt: (Default) Your users experience the Universal Prompt via redirect when logging in to this application.
The application's Universal Prompt status shows "Activation complete" here and on the Universal Prompt Update Progress report.

Should you ever want to roll back to the traditional prompt, you can return to this setting and change it back to Show traditional prompt. However, this will still deliver the Duo prompt via redirect, not in an iframe. Keep in mind that support for the traditional Duo prompt ended for the majority of applications in March 2024.
Universal Update Progress
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.
Salesforce Custom Domain Requirement
Salesforce SSO requires a custom domain. If you don't already have a domain for your organization, create one.
- Log on to your Salesforce site as an administrator.
- If you're using the Salesforce Classic UI, navigate to Domain Management → My Domain. If you're using the Salesforce Lightning Experience UI, navigate to Setup → Settings → Company Settings → My Domain.
- Enter a subdomain name, check for availability, and click Register Domain.
- When your domain name becomes available, log out and back in as an administrator using your new domain. Navigate back to the "My Domain" page and click the Deploy to Users button.
For more information about creating a custom domain see Salesforce's My Domain help articles.
Enable SSO in Salesforce
Add Duo Single Sign-On as a new single sign-on provider in Salesforce.
- Log on to your Salesforce site as an administrator.
- In the Salesforce Classic UI, navigate to Security Controls → Single Sign-On Settings. In the Salesforce Lightning Experience UI, navigate to Setup → Settings → Identity → Single Sign-On Settings.
- Click the Edit button. Select the SAML Enabled option and the Make Federation ID case-insensitive option. Click Save.
- Click the New SAML Single Sign-on Settings button.
- Enter a descriptive Name for the SSO configuration. Salesforce uses the name you enter here to populate the API Name.
- Copy the Issuer from the Duo Admin Panel Metadata section and paste it into the Salesforce SSO Issuer field.
  Example: https://sso-abc1def2.sso.duosecurity.com/saml2/sp/DIABC123678901234567/metadata
- Enter your Salesforce organization's custom domain (e.g. https://yourorg.my.salesforce.com) into the Entity ID field. Duo also needs the Salesforce domain URL to configure your Salesforce application later.
- Click Download certificate next to "Identity Provider Certificate" on the Salesforce application's page in the Duo Admin Panel under Downloads to download the Duo Single Sign-On signing certificate. Upload the certificate to the Identity Provider Certificate section in Salesforce.
- Leave the "Request Signing Certificate", "Request Signature Method", "Assertion Decryption Certificate", "SAML Identity Type", and "SAML Identity Location" settings at their default values for now.
- Copy the Identity Provider Login URL from the Duo Admin Panel Metadata section and paste it into the Salesforce SSO Identity Provider Login URL field.
  Example: https://sso-abc1def2.sso.duosecurity.com/saml2/sp/DIABC123678901234567/sso
- Copy the Identity Provider Logout URL from the Duo Admin Panel Metadata section and paste it into the Salesforce SSO Identity Provider Logout URL field.
  Example: https://sso-abc1def2.sso.duosecurity.com/saml2/sp/DIABC123678901234567/slo
- After you've entered all the required information, click the Save button.
Review the SSO details for correctness. Make note of the Entity ID and Login URL, as you'll need to provide that information to Duo.
Update Salesforce Domain for SSO
Add your new Duo Single Sign-On provider to your Salesforce login page.
- While logged in to the Salesforce admin site as an administrator, navigate to Domain Management → My Domain (Salesforce Classic UI) or Setup → Settings → Company Settings → My Domain (Salesforce Lightning Experience UI).
- Scroll down to the "Authentication Configuration" section of the "My Domain" page and click Edit.
- Check the box for your Duo Single Sign-On SSO configuration in the Authentication Service setting. Click Save.
Update the Salesforce Application in Duo
- Return to the Duo Admin Panel with the Salesforce application open. Find the Service Provider section.
- Copy the Entity ID from the Salesforce SAML Single Sign-On Setting Detail page and enter it into the Entity ID field in the Duo Admin Panel.
- Copy the Login URL from the Salesforce SAML Single Sign-On Setting Detail page and enter it into the Login URL field in the Duo Admin Panel.
- Salesforce uses the Mail attribute when authenticating. We've mapped the <Email Address> attribute to external authentication source attributes as follows:

  | Default Attribute | Active Directory | SAML IdP |
  |---|---|---|
  | <Email Address> | mail | Email |

  If you are using a non-standard email attribute for your authentication source, check the Custom attributes box and enter the name of the attribute you wish to use instead.
- You can adjust additional settings for your new SAML application at this time — like changing the application's name from the default value, enabling self-service, or assigning a group policy.
- Scroll to the bottom of the page and click the Save button.
Verify SSO
Navigate to your Salesforce custom domain. The login page for your domain now shows a button for Duo Single Sign-On authentication underneath the traditional username and password entry fields.
Clicking the SSO button redirects you to Duo Single Sign-On to begin authentication.
Active Directory Login
With Active Directory as the Duo SSO authentication source, enter the primary username (email address) on the Duo SSO login page and click or tap Next.
Enter the AD primary password and click or tap Log in to continue.
Enable Duo Passwordless to log in to Duo SSO backed by Active Directory authentication without entering a password in the future.
SAML Login
The SAML login experience depends on your Duo SSO routing rules configuration.
With another SAML identity provider as the only enabled Duo SSO authentication source and the default routing rule in place, Duo SSO immediately redirects the login attempt to that SAML IdP for primary authentication. Users do not see the Duo SSO primary login screen.
If you have multiple enabled SAML authentication sources or custom routing rules in place, then users enter their primary username (email address) on the Duo SSO login page and then will be redirected to the correct external SAML identity provider.
Duo Authentication
Successful verification of your primary credentials by Active Directory or a SAML IdP redirects back to Duo. Complete Duo two-factor authentication when prompted and then you'll return to Salesforce to complete the login process.
* Universal Prompt experience shown.
To log in using the Salesforce mobile app, tap Use Custom Domain. Type your Salesforce custom domain URL (e.g. https://yourorg.my.salesforce.com) and tap Continue. The app shows the Salesforce login page for your domain, including the button for Duo Single Sign-On authentication underneath the traditional username and password entry fields. Tapping the SSO button redirects you to the Duo Single Sign-On login page. Complete primary and Duo authentication as you would in the browser to complete login on the Salesforce app.
You can also log into Salesforce using Duo Central, our cloud-hosted portal which allows users to access all of their applications in one spot. Link to Salesforce in Duo Central by adding it as an application tile. Once the tile has been added, log into Duo Central and click the tile for IdP-initiated authentication to Salesforce.
Congratulations! Your Salesforce users now authenticate using Duo Single Sign-On.
See the full user login experience, including expired password reset (available for Active Directory authentication sources) in the Duo End User Guide for SSO.
Grant Access to Users
If you did not already grant access to the Duo users you want to use this application, be sure to do that before inviting or requiring them to log in with Duo.
Next Steps
If you want all users logging in to Salesforce only via Duo Single Sign-On, edit the "Authentication Configuration" for your Salesforce domain and uncheck the Login Page authentication service option. You should also edit "My Domain Settings" and enable the "Prevent login from https://login.salesforce.com" option.
Enable Remembered Devices
To minimize additional Duo two-factor prompts when switching between Salesforce and your other Duo Single Sign-On SAML applications, be sure to apply a shared "Remembered Devices" policy to your SAML applications.
Add Ownership and Risk Information
Go to the "Ownership and Risk" section of the application's page in the Duo Admin Panel to assign application owners and classify the application's risk level. Cisco Identity Intelligence automatically imports this information to populate relevant fields for Duo Advantage and Premier customers. Duo Essentials plans exclude Cisco Identity Intelligence features.
You may set any of the following:
- Technical Owner: Search for and assign Duo users responsible for technical configuration and maintenance of this application.
- Business Owner: Search for and assign Duo users responsible for business decisions and access approvals related to this application.
- Application Sensitivity: Select this application's risk level from the drop-down list. Default: Not Set.
- Compliance Requirements: Select any applicable regulatory frameworks for this application (SOX (Sarbanes-Oxley), HIPAA, PCI-DSS, etc.) from the list.
Scroll to the bottom of the page and click Save to apply your changes.
Automated Provisioning
Prerequisites
- Required: A Salesforce Professional, Enterprise, Performance, Unlimited, or Developer edition org with support for External Client App.
- Required: A Salesforce admin account granted these permissions:
  - Create, edit, and delete External Client Apps: Needed to create and configure external client apps.
  - Customize Application: Needed to enable Salesforce as an Identity Provider.
- Recommended: A Salesforce user account with the "API Only User" permission for executing the client credentials flow.
Provisioning Limitations
- Only the "Client Credential" authentication type is supported.
- Disabled users do not appear as members of any groups in Salesforce.
- Users can only be deactivated when deprovisioned. They cannot be deleted.
- Users' `userName` attribute must have an email address for a value.
- Salesforce limits the `nickName` value to 40 characters.
  - If you map `nickName` to a Duo user attribute, ensure that Duo attribute's values do not exceed 40 characters. If you map the `nickName` but the user has no value for it, Salesforce generates a new nickname each time. To avoid unexpected behavior, we recommend not mapping this attribute unless it is populated for all users.
  - If `nickName` is not mapped to a Duo attribute, Salesforce derives the `nickName` value from the `userName` attribute. Provisioning fails with an error if the `userName` attribute value exceeds 40 characters.
- Salesforce also limits group names to 40 characters. Provisioning fails if a Duo group name exceeds that limit.
- The following attributes are currently not supported: `preferredLanguage`, `locale`, `timezone`, `emailEncodingKey`.
- Duo only provisions one phone per user and sends it as the `work` type. If a user has a phone of the `mobile` type in Salesforce, it remains unchanged.
- When you update an email address, Salesforce sends a verification email to the new address. The email address does not change until you complete the verification process. Each update made before verification sends another verification email.
- Carefully choose profile assignments for your user base. After a profile is assigned to a user, it cannot be changed to a profile associated with a different license. In addition, some profiles do not allow users to be assigned to groups.
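A pre-flight check of Duo user and group records against the Salesforce limits listed above (the `userName` email requirement, the 40-character `nickName`, derived `nickName` and group-name limits, and the single `work` phone), as an added example that is not Duo or Salesforce code. The dict layout of the user records (`username`, `nickname`, `phones`) and all sample data are constructed for this illustration.

```python
import re

# Salesforce limit that applies to nickName (mapped or derived) and to group names.
SALESFORCE_NAME_LIMIT = 40
# Loose sanity check that userName looks like an email address (not full RFC 5322).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_user(user: dict, nickname_mapped: bool = False) -> list:
    """Return the problems that would make Salesforce reject or mangle this
    user when Duo provisions it; an empty list means the record is clean.
    `user` is a constructed dict with 'username', optional 'nickname' and 'phones'."""
    problems = []
    username = user.get("username", "")
    if not EMAIL_RE.match(username):
        problems.append(f"userName {username!r} is not an email address")
    if nickname_mapped:
        nickname = user.get("nickname") or ""
        if not nickname:
            # Salesforce generates a fresh nickname on every sync when the mapped value is empty.
            problems.append("nickName is mapped but empty; Salesforce regenerates it on each sync")
        elif len(nickname) > SALESFORCE_NAME_LIMIT:
            problems.append(f"nickName {nickname!r} exceeds {SALESFORCE_NAME_LIMIT} characters")
    elif len(username) > SALESFORCE_NAME_LIMIT:
        # Unmapped nickName is derived from userName, so userName inherits the 40-character limit.
        problems.append(f"userName {username!r} exceeds {SALESFORCE_NAME_LIMIT} characters; derived nickName fails")
    phones = user.get("phones", [])
    if len(phones) > 1:
        # Duo sends exactly one phone, as the 'work' type; the others are not provisioned.
        problems.append(f"{len(phones)} phones present; Duo provisions only one (as type 'work')")
    return problems


def check_group(name: str) -> list:
    """Group names share the 40-character limit; provisioning fails beyond it."""
    if len(name) > SALESFORCE_NAME_LIMIT:
        return [f"group name {name!r} exceeds {SALESFORCE_NAME_LIMIT} characters"]
    return []


def preflight(users, groups, nickname_mapped: bool = False) -> dict:
    """Run every check and return {'users': {...}, 'groups': {...}} holding only
    the records that have at least one problem."""
    report = {"users": {}, "groups": {}}
    for user in users:
        problems = check_user(user, nickname_mapped)
        if problems:
            report["users"][user.get("username", "<missing>")] = problems
    for group in groups:
        problems = check_group(group)
        if problems:
            report["groups"][group] = problems
    return report


# Constructed sample data: one clean user, one non-email userName, one over-long userName.
SAMPLE_USERS = [
    {"username": "alice@example.com", "nickname": "alice", "phones": ["+15555550100"]},
    {"username": "bob", "phones": []},
    {"username": "a.very.long.username.for.testing@example-company.com",
     "phones": ["+15555550101", "+15555550102"]},
]
SAMPLE_GROUPS = ["Sales", "Regional Sales Operations Leadership Team North America"]

if __name__ == "__main__":
    for section, entries in preflight(SAMPLE_USERS, SAMPLE_GROUPS).items():
        for key, problems in entries.items():
            for problem in problems:
                print(f"{section}: {key}: {problem}")
```

Run it against an export of the Duo groups you intend to provision before clicking Connect to application, so that failures surface here rather than in the provisioning log.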
Configure Provisioning
To enable automated provisioning of Duo users into Salesforce:
Create an External Client App and Configure Basic Information
External client apps are Salesforce's current method for OAuth-based integrations, including SCIM provisioning.
- Log into Salesforce. In the upper right corner of the home page, click the gear icon and select Setup (Setup for current app).
- Go to Apps → External Client Apps → External App Manager.
  Note: As of the Spring '26 release, you can no longer create a connected app. Attempting to use a connected application results in authentication errors.
- Click New External Client App and fill in the required fields in the "Basic Information" section. The External Client App Name and API name can be any values you want. Leave the Distribution State as Local.
Note: If the basic information, OAuth, and identity provider settings are already configured in your Salesforce account, you can skip these steps.
Configure OAuth Settings
- In the "API (Enable OAuth Settings)" section, select Enable OAuth.
- In the "App Settings" area, configure the following:
  - Callback URL is typically the one that a user's browser is redirected to after successful authorization. You may enter any URL, such as https://www.example.com.
  - Select the necessary "OAuth Scopes" by adding:
    - Manage user data via APIs (api) - required for SCIM access.
    - Perform requests at any time (refresh_token, offline_access) - required for token refresh.
- In the "Flow Enablement" section, check Enable Client Credentials Flow.
- Click Create. After saving, you are redirected to the newly created app details page.
Assign an Execution User
For the client credentials flow to work, you must assign an execution user:
- On the app detail page, go to the new client's "Policies" tab and click Edit.
- Go to OAuth Policies → OAuth Flows and External Client App Enhancements.
- Check the Enable Client Credentials Flow box, and then enter the email address of the Salesforce user you want to use for the connection into the Run As (Username) field:
  - You can use your Salesforce admin email address. If you are unsure which email address to use, go to Users → Users and see your account in the table there.
  - For non-development environments, Salesforce recommends that you select a user who has the "API Only User" permission.
- Click Save.
Note: Without an execution user, the client credentials flow fails with authentication errors.
Get OAuth Credentials
- On the app detail page, go to the "Settings" tab.
- In the "OAuth Settings" section, click Consumer Key and Secret. This redirects you to a new page and prompts you to enter a verification code sent to your email.
- Keep the new page open. You will need this information later to connect to the application.
Configure Identity Provider
- Go to Company Settings → My domain and keep the "My domain" tab open. You will need this information later to connect to the application.
- Go to Identity → Identity Provider.
- Click Enable Identity Provider and click Save to use the default self-signed certificate.
Connect to the Application
- Log into the Duo Admin Panel.
- Navigate to Applications → Applications.
- Open an existing "Salesforce - Single Sign-On" application configuration page.
  Note: You may have given your application a different name when you created it, but the "Application Type" will always be shown as "Salesforce - Single Sign-On" in your applications list.
- In the "Salesforce - Single Sign-On" application configuration page, click the Provisioning tab.
- Return to the "My domain" page in Salesforce and copy the Current My Domain URL value. It should end with `salesforce.com`.
- Return to the Duo Admin Panel. In the "Authentication" section, enter `https://{Current My Domain URL value}/services/scim/v2` into the Base URL field. Then enter `https://{Current My Domain URL value}/services/oauth2/token` into the Token URL field.
- Return to the Salesforce "Consumer Details" page. Copy and paste the Consumer Key and Consumer Secret into the corresponding Client ID and Client Secret fields in the Duo Admin Panel.
- Click Connect to application.
Attribute Mapping
- In the Duo Admin Panel, scroll down to "Attribute mapping". The default application attributes are pre-populated and cannot be changed.
- If you want to add additional attributes, click Edit mappings. The "Edit mappings" window opens.
- Under "Optional attributes", click the attributes you want to map and click Save mapping. The "Edit mappings" window closes and the selected attributes are listed in the "Application attribute" column.
- In the "Duo user attribute" column, click the drop-down menu next to each of your optional attributes and select the respective Duo user attribute.
- Continue configuring provisioning to select groups.
Groups
- Scroll down to "Groups".
- Click the Groups drop-down menu and select which Duo groups you would like to provision into Salesforce.
  If you have already set up Duo SSO with this application and want the same user groups you selected in the "Enable only for permitted groups" user access setting provisioned into the target application, select Use groups with SSO access. Note that if you choose this option and your user access setting for the application is "Enable for all users", then Duo only provisions users into the target application that are members of at least one Duo group. Duo will not provision users who have no group memberships into the target application.
- Select the Exclude group information checkbox if you do not want to send group information.
Users
The default deprovisioning behavior for users is to deactivate them in Salesforce.
Roles and Entitlements
When provisioning users into Salesforce, administrators must configure Governance rules that assign Salesforce Roles and Entitlements (profiles and, optionally, permissions sets) to your users when they are sent to Salesforce. Rules determine which roles and entitlements are assigned to users based on their Duo group membership.
There are two types of rules:
- A baseline rule applies to all provisioned users who are not covered by a group rule. A baseline rule is required for Salesforce, because every Salesforce user must have a profile configured.
- Group rules apply to users in specific Duo groups. Group rules override the baseline rule for users in those groups. If a user belongs to multiple groups with different group rules, the highest-priority group rule applies.
Configure a Baseline Rule
- Scroll down to "Governance Rules".
- In the "Baseline rule" section, click Configure baseline rule.
  A baseline rule is required because all provisioned Salesforce users must have at least a profile assigned.
- In the "Entitlements" area, click the Value drop-down menu. Under "Profile (exactly one required)", select one of the available Salesforce profiles to assign to users.
  Optionally, under "Permission Set", you may also select one or more Salesforce permission sets to assign to users. There is no limit on the number of permission sets.
- Optionally, in the "Roles" area, select a single Salesforce role to assign to users.
- Click Save. The baseline rule appears in the "Baseline rule" table showing the assigned profile, role, and permission sets.
Note: The baseline rule applies to all provisioned users who do not match any group rule. Since Salesforce requires a baseline rule, all users are guaranteed to receive at least a profile assignment.
Configure Group Rules
To optionally override the baseline rule for specific groups of users:
- In the "Group rules" section, click Add group rule.
- In the "Apply to groups" area, select one or more Duo groups. Groups that are already assigned to another group rule are disabled and cannot be selected.
- In the "Entitlements" area, click the Value drop-down menu. Under "Profile (exactly one required)", select one of the available Salesforce profiles to assign to users. A profile is required for every rule.
  Optionally, under "Permission Set", you may also select one or more Salesforce permission sets to assign to users. There is no limit on the number of permission sets.
- Optionally, in the "Roles" area, select a single Salesforce role to assign to users.
- Click Save. The group rule appears in the "Group rules" table.
- Repeat these steps to add additional group rules for other groups.
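The baseline and group rule semantics described in this section, modelled as an added example that is not Duo's implementation: a validator for the constraints the page states (baseline required, exactly one profile per rule, a group in at most one group rule) and a resolver that picks the highest-priority matching group rule or falls back to the baseline. The dataclass layout, the numeric `priority` field (lower number wins here) and all profile, role and group names are assumptions for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entitlements:
    """What a rule assigns: exactly one profile, any number of permission sets, at most one role."""
    profile: str
    permission_sets: Tuple[str, ...] = ()
    role: Optional[str] = None


@dataclass
class GroupRule:
    groups: frozenset            # Duo groups the rule applies to
    entitlements: Entitlements
    priority: int                # assumption for this example: lower number = higher priority


def validate_rules(baseline: Optional[Entitlements], group_rules: List[GroupRule]) -> List[str]:
    """Configuration errors mirroring the constraints stated in the text:
    a baseline rule with a profile is mandatory, every rule needs a profile,
    and a group may belong to only one group rule."""
    errors = []
    if baseline is None or not baseline.profile:
        errors.append("a baseline rule with a profile is required")
    seen = set()
    for rule in group_rules:
        if not rule.entitlements.profile:
            errors.append(f"group rule for {sorted(rule.groups)} has no profile")
        for group in rule.groups:
            if group in seen:
                errors.append(f"group {group!r} appears in more than one group rule")
            seen.add(group)
    return errors


def resolve(user_groups: set, baseline: Entitlements, group_rules: List[GroupRule]) -> Entitlements:
    """Apply the highest-priority group rule whose groups intersect the user's groups;
    users matched by no group rule get the baseline. A group rule replaces the
    baseline outright rather than merging with it."""
    matching = [rule for rule in group_rules if rule.groups & user_groups]
    if not matching:
        return baseline
    return min(matching, key=lambda rule: rule.priority).entitlements


# Constructed sample configuration (profile, role and group names are illustrative).
BASELINE = Entitlements(profile="Standard User")
RULES = [
    GroupRule(frozenset({"Sales"}),
              Entitlements("Sales Profile", ("CRM Reports",), "Account Executive"), priority=2),
    GroupRule(frozenset({"Sales-Admins"}),
              Entitlements("System Administrator", (), "Sales Operations"), priority=1),
]

if __name__ == "__main__":
    assert validate_rules(BASELINE, RULES) == []
    for groups in ({"Sales"}, {"Sales", "Sales-Admins"}, {"Support"}):
        ent = resolve(groups, BASELINE, RULES)
        print(sorted(groups), "->", ent.profile, ent.permission_sets, ent.role)
```

Reviewing the resolved entitlements for a few representative group combinations before you click Save is a cheap way to catch a group rule that silently grants an administrative profile to a broader audience than intended.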
Start Provisioning
After entering your provisioning configuration information, click Save at the bottom of the page.
Once enabled, Duo will begin provisioning your users and groups into Salesforce. You can return to the "Provisioning" tab of this application to change the provisioning settings or review recent provisioning logs, or visit the Activity Log to review logged events for all applications configured for automated provisioning.
Troubleshooting
Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.
Here are some suggestions for SCIM provisioning troubleshooting.
| Issue | Solution |
|---|---|
| OAuth authentication fails. | Make sure you are using the External Client App (not the Connected App). Verify that the Consumer Key and Consumer Secret are correct. |
| Invalid grant or authentication error. | Verify that an execution user is assigned for the client credentials flow. |
| SCIM requests return a 401 error. | Ensure the execution user has the "Manage Users" permission. |
| SCIM requests return a 403 error. | Verify that OAuth scopes include api access. |
| User provisioning fails. | Salesforce encountered an error when adding the user. See the activity log for details. |
| Connected Apps no longer work with SCIM. | Migrate to an External Client App. |

