Configure Duo Security for SAML
Cisco Secure Access uses Security Assertion Markup Language (SAML) to authenticate and authorize web requests from user devices on networks and network tunnels with Web security enabled, and requests to private resources from user devices with Zero Trust Access (ZTA) enabled. To support SAML authentication and authorization, you must configure the integration of an SAML identity provider (IdP) in Secure Access.
Configure the Duo Security SAML IdP with Secure Access by uploading the Duo Security XML metadata file to Secure Access, or alternatively add the Duo Security metadata in Secure Access manually.
Table of Contents
- Prerequisites
- Procedure
- Test the Identity Provider Integration
- View the SAML Certificates in Secure Access
Prerequisites
- For information on prerequisites that apply to all SAML IdPs, see Prerequisites for SAML Authentication.
Procedure
- Step 1 – Choose an Authentication Method
- Step 2 – Add an Identity Provider
- Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
Step 1 – Choose an Authentication Method
- For more information, see Add User Authentication Integrations.
Step 2 – Add an Identity Provider
- For Identity Provider, choose Duo Security. Secure Access supports various IdPs.
- (Optional) Enable an organization-specific entity ID.
- Organization-specific Entity ID—Choose this option when you have multiple Secure Access Orgs and need to configure SAML authentication for Secure Access Internet Security and Zero Trust (ZT) for these Orgs against the same IdP. The Secure Access SAML default common EntityID is saml.fg.id.sse.cisco.com. Secure Access allows you to override the default Secure Access SAML EntityID on a per-Org basis.
- For Entity ID URL, click Copy URL to make a local copy of the Secure Access Entity ID URL. The Secure Access SAML default common EntityID is saml.fg.id.sse.cisco.com.
- Choose a time interval when a user must authenticate with Secure Access, or select Never.
The time intervals are: Daily, Weekly, or Monthly.
- Click Next.
Step 3 – Add the Identity Provider's SAML Metadata to Secure Access
Download the Secure Access Metadata XML file and use the service provider file to configure your instance of Duo Security.
The Secure Access service provider metadata includes the service provider Issuer ID, the assertion consumer endpoint URL, and the SAML request signing certificate from Secure Access. The Secure Access metadata is required when configuring your IdP.
Your IdP must send the Cisco Secure Access User principal name in the NameID attribute in the SAML assertion.
- Step 3a – Download the Secure Access Service Provider files
- Step 3b – Add the Secure Access Service Provider Metadata to Duo Security
- Step 3c – Add the Duo Security SAML Metadata to Secure Access
Step 3a – Download the Secure Access Service Provider files
Note: Encrypted SAML assertions are a compliance standard in many industries and mitigate the risk of intercepted SAML assertions. For more information, see Prerequisites for SAML Authentication.
- Check SAML Metadata XML Configuration or Manual Configuration.
- Choose between unencrypted or encrypted SAML assertions:
- Click Download Service Provider XML file for the metadata XML file with the Secure Access root certificate that supports unencrypted SAML assertions.
- Click Download Zip file for the metadata XML file and signing and encryption certificate files required for encrypted SAML assertions. This metadata XML file includes the root certificate metadata for both the signing and the encryption certificates.
- Open the Cisco_SSE_SP_Metadata XML file.
- Copy the certificates from the Cisco_SSE_SP_Metadata XML file to a new file and save. Use the certificate file in the next step when you create the app integration in Duo Security.
Step 3b – Add Secure Access Service Provider Metadata to Duo Security
Configure Secure Access as a generic SAML 2.0 service provider application for Duo Single Sign-On. Add the Secure Access service provider metadata to Duo, then download the IdP metadata file from Duo to finish configuring Secure Access in the next step.
Contact Duo Security for assistance. For more information on configuring your IdP, exporting your IdP metadata, obtaining your IdP details, or downloading your IdP's signing certificate, refer to Duo Security documentation.
To automatically configure the generic SAML Duo Single Sign-On application, use the Metadata Discovery option in Update Your Cloud Application in Duo. Upload the Secure Access service provider metadata file Cisco_SSE_SP_Metadata to the Duo Single Sign-On app.
To manually configure the generic SAML Duo Single Sign-On application, extract the EntityID and AssertionConsumerService URLs from the Secure Access metadata and add these to the applicable fields in Duo Security:
- Sign in to the Duo admin portal and navigate to Applications > Protect an Application.
- Search for Generic Service Provider and select 2FA with SSO hosted by Duo.
- For Entity ID, enter saml.fg.id.sse.cisco.com and for Assertion Consumer Service (ACS) URL, enter fg.id.sse.cisco.com/gw/auth/acs/response.
- Enter an email address in the NameID attribute field.
- For Map attributes, configure the IdP attributes.
- Display name—Enter the name you want to display.
- Email Address—Enter an email address.
- First Name—Enter the first name.
- Last Name—Enter the last name.
- Username—Enter the user name.
- Click Save.
- Click Download certificate to download the certificate, and then click Download XML to download the SAML Metadata file.
Step 3c – Add the Duo Security SAML Metadata to Secure Access
If you used SAML Metadata XML Configuration in step 3a above, upload your configured Duo Security SAML Metadata XML file to Secure Access, then click Done.
If you used Manual Configuration in Step 3a above, enter your Duo Security SAML metadata for the following Secure Access settings:
- Entity ID—A globally unique name for an identity provider.
- Endpoint—The URL used to communicate with your identity provider.
- Signing Keys—Your identity provider’s x.509 certificate that is used to sign the authentication request.
- Signed Authentication Request (optional)—Choose whether to sign the authentication request for the IdP.
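The values the steps above ask you to copy by hand (the Secure Access EntityID and ACS URL entered into Duo in step 3b, the certificates saved to a separate file in step 3a, and the IdP Entity ID, Endpoint and Signing Keys entered into Secure Access in step 3c) can all be read directly from the SAML 2.0 metadata XML. The Python below is an added example written for this page, not Cisco's or Duo's code. Its two metadata documents are constructed stand-ins: the SP sample uses the entityID and ACS path given on this page with placeholder certificate bodies (the https:// scheme on the ACS URL is an assumption), and the IdP sample uses example.test hostnames rather than anything Duo actually issues.

```python
"""Extract and sanity-check the values copied between Secure Access and Duo
during SAML setup. Example code, not Cisco's or Duo's; all sample metadata
below is constructed with placeholder certificates and hostnames."""
import textwrap
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for Cisco_SSE_SP_Metadata: entityID and ACS path are the
# values the page gives; the https:// scheme and certificate bodies are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="saml.fg.id.sse.cisco.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER
        SIGNINGCERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDERENCRYPTIONCERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fg.id.sse.cisco.com/gw/auth/acs/response" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the IdP metadata XML downloaded from Duo in step 3b.
# example.test hostnames are placeholders, not Duo's real endpoints.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDERIDPSIGNINGCERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml2/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


@dataclass
class SamlMetadata:
    entity_id: str
    endpoints: dict = field(default_factory=dict)  # binding URI -> Location
    certs: dict = field(default_factory=dict)      # "signing"/"encryption" -> [base64 DER]


def _certs_by_use(descriptor):
    certs = {}
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.findall(".//ds:X509Certificate", NS):
            body = "".join(cert.text.split())  # drop line breaks inside the base64
            for use in uses:
                certs.setdefault(use, []).append(body)
    return certs


def _endpoints(descriptor, tag):
    # If a binding appears twice, the last Location wins.
    return {e.get("Binding"): e.get("Location") for e in descriptor.findall(f"md:{tag}", NS)}


def parse_sp_metadata(xml_text):
    """Entity ID, ACS endpoints and certificates from service provider metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    return SamlMetadata(root.get("entityID"), _endpoints(sp, "AssertionConsumerService"), _certs_by_use(sp))


def parse_idp_metadata(xml_text):
    """Entity ID, SSO endpoints and signing certificates from identity provider metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    return SamlMetadata(root.get("entityID"), _endpoints(idp, "SingleSignOnService"), _certs_by_use(idp))


def to_pem(b64_der):
    """Wrap a metadata certificate body as PEM, for saving to a separate file (step 3a)."""
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64_der, 64))
            + "\n-----END CERTIFICATE-----\n")


def check_sp_metadata(meta, expected_entity_id, encrypted_assertions):
    """Checks to run before handing the SP metadata to Duo; returns a list of problems."""
    problems = []
    if meta.entity_id != expected_entity_id:
        problems.append(f"entityID is {meta.entity_id!r}, expected {expected_entity_id!r}")
    if POST_BINDING not in meta.endpoints:
        problems.append("no HTTP-POST AssertionConsumerService endpoint")
    if not meta.certs.get("signing"):
        problems.append("no signing certificate (needed to verify signed AuthnRequests)")
    if encrypted_assertions and not meta.certs.get("encryption"):
        problems.append("encrypted assertions requested but no encryption certificate present")
    return problems


if __name__ == "__main__":
    sp = parse_sp_metadata(SP_METADATA)
    print("SP entityID:", sp.entity_id, "| ACS:", sp.endpoints.get(POST_BINDING))
    print("SP problems:", check_sp_metadata(sp, "saml.fg.id.sse.cisco.com", True) or "none")
    idp = parse_idp_metadata(IDP_METADATA)
    print("IdP entityID:", idp.entity_id, "| endpoints:", idp.endpoints)
    for cert in idp.certs.get("signing", []):
        print(to_pem(cert))
```

`check_sp_metadata` is the part worth keeping around: if you chose encrypted assertions in step 3a but downloaded the unencrypted metadata by mistake, the missing encryption KeyDescriptor shows up here rather than as a failed login later, and the EntityID comparison catches a per-Org override that was not carried into the metadata you are about to give Duo.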
Test the Identity Provider Integration
To complete the integration of the SAML IdP with Secure Access, evaluate the single sign-on authentication through the IdP. For more information, see Test SAML Identity Provider Integration.
View the SAML Certificates in Secure Access
Once you have completed the integration of an SAML IdP in Secure Access, you can manage the root certificates used in SAML authentication for Secure Access (service provider) and the SAML IdP. For more information, see Manage Certificates.