Skip to main content

Tutorial: Configure Access Server SAML Authentication with DUO MFA and your IdP

Abstract

You can add DUO MFA to increase security for users signing in with any IdP. Follow this guide to set up SAML and insert DUO's push security.

Overview

Access Server 2.11 and newer supports authentication using SAML as an authentication method. This document explains how you can set up DUO as a proxy between your Access Server as your service provider (SP) and your identity provider (IdP) — we use JumpCloud as our example IdP here. This gives you the added security of DUO's multi-factor authentication (MFA).

You configure the following pieces:

  1. An IdP of your preference.

  2. An IdP SAML app.

  3. A DUO SAML IdP.

  4. A DUO SAML app.

  5. Access Server as the SP.

The following steps walk you through how to enable SAML authentication for users and groups using DUO as a proxy and some steps from your preferred IdP.

You need the following to get started:

  • An identity provider with your user directory. (We use JumpCloud for our example here.)

  • Duo Admin account with the Owner role to enable the feature.

  • A deployed Access Server.

Important

We recommend using all lowercase usernames when signing in with SAML.

Tip

This guide uses JumpCloud as the identity provider (IdP). Ensure you follow the equivalent steps in the SAML IdP of your preference.

Start by creating a custom SAML application with your IdP:

  1. Sign in to your JumpCloud admin portal.

  2. Under User Authentication, click SSO.

  3. Click + Add New Application to add a new SSO app.

  4. Click Custom SAML App.

  5. Provide a Display Label and optional application information and click the SSO tab.

Pause at this point in your SAML application creation in JumpCloud. Now we configure the DUO single sign-on (SSO) setup.

Configure DUO SSO with JumpCloud:

  1. Sign in to your DUO admin portal.

  2. Click Single Sign-On.

  3. Check the box to agree to the terms, and then click Activate and Start Setup.

  4. Under Customize your SSO subdomain page, create a subdomain your users see when signing in with Duo Single Sign-On. For our example, we use as-openvpn-duo, and our users see as-openvpn-duo.login.duosecurity.com.

  5. Under Add Authentication Source page, click Add SAML Identity Provider.

  6. On the Single Sign-On Configuration page, copy the "Entity ID" and "Assertion Consumer Service URL."

Now, let's go back to our SSO tab of the new JumpCloud SAML App and enter the following into the JumpCloud app:

  1. IdP Entity ID: Enter the JumpCloud URL, https://console.jumpcloud.com.

  2. SP Entity ID: Enter the Entity ID from the DUO Single Sign-On Configuration page.

  3. ACS URL: Enter the Assertion Consumer Service URL from the DUO Single Sign-On Configuration page.

  4. SAMLSubject NameID: Select email.

  5. SAMLSubject NameID Format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified.

  6. Signature Algorithm: Select RSA-SHA256.

  7. Default RelayState: Enter ‘cws’ for the Client Web UI or ‘profile’ to provide users with a downloadable profile. (For more details, refer to “How to set up IdP-initiated flow” below.)

  8. Check the box for Declare Redirect Endpoint.

  9. Enter an IDP URL. (We use https://sso.jumpcloud.com/saml2/saml2, but you may need to change it if you have another SAML integration using that URL.)

  10. Under Attributes, click Add attribute.

  11. Under Service Provider Attribute Name, type "Email".

  12. Under Jumpcloud Attribute Name, select email from the dropdown.

  13. Before clicking activate, click the User Groups tab and assign user groups to the SSO app.

  14. Click activate.

Still in the JumpCloud dashboard, download the IDP certificate:

  • From the notification, "Public Certificate has been created," click Download Certificate.

If you no longer have the notification:

  1. Click SSO and click on your new app.

  2. Under Single sign-on on the side, click IDP Certificate Valid.

  3. Click Download certificate.

Now, return to the DUO Single Sign-On Configuration page, scroll down to Configure Duo Single Sign-On, and enter the following information:

  1. Display Name: Enter the name you want for your Single Sign-On Configuration.

  2. Entity ID: Enter the JumpCloud URL, https://console.jumpcloud.com.

  3. Single Sign-On URL: Enter https://sso.jumpcloud.com/saml2/saml2.

  4. Certificate: Upload the IDP Certificate you downloaded from the JumpCloud SAML App.

  5. Click Save.

Now that you've configured JumpCloud's SAML app and JumpCloud as the SAML IdP on DUO, you can create DUO's custom SAML application.

Now that you have your SP information, you can create a new DUO SAML app and enter that information during app creation:

  1. Sign in to your DUO admin portal.

  2. Click Applications.

  3. Click Protect an Application.

  4. In the search bar, type "generic," find "Generic SAML Service Provider," and click Protect.

  5. Under the Service Provider section, enter your Access Server information:

    1. Entity ID: Enter the Access Server SP Identity.

    2. Assertion Consumer Service (ACS) URL: Enter the Access Server SP ACS.

  6. Scroll down to the very bottom and click Save.

Option 1: Download the DUO metadata file for automatic configuration

  1. With your new app, click the Applications tab.

  2. Under All applications, select your DUO SAML App.

  3. Under Downloads, click Download XML.

Option 2: Copy the DUO SAML data for manual configuration:

  1. With your new app, click the Applications tab.

  2. Under All applications, select your DUO SAML App.

  3. Copy the content in Entity IDSingle Sign-On URL, and under Downloads, click Download certificate to download the certificate in PEM format.

The simplest way to set up DUO SAML for Access Server is by providing the metadata XML file (option 1), but you can also manually configure it (option 2).

Option 1: Upload the DUO metadata file in the Admin Web UI

Provide the downloaded metadata XML file to your Access Server through the Admin Web UI to automatically configure SAML:

  1. Sign in to your Access Server Admin Web UI.

  2. Click Authentication > SAML.

  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.

  4. Click Choose File to Select IdP Metadata File.

  5. Select your Duo metadata XML file, click Upload, then Update Running Server.

    • The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

Option 2: Manually configure DUO SAML

  1. Sign in to your Access Server Admin Web UI.

  2. Click Authentication > SAML.

  3. Click Configure Identity Provider (IdP) Manually to expand the section.

  4. Paste the following from DUO to the Access Server fields:

    1. Paste the Duo Entity ID into Access Server’s Sign-On Endpoint.

    2. Paste the Duo Single Sign-On URL into Access Server’s IdP EntityId.

    3. Paste the Duo XXXXX.crt into Access Server’s Certificate (PEM format).

    • The IdP fields save.

Now that you're all set up, here's the process when a user signs in:

  1. The user enters the URL for Access Server's Client Web UI.

  2. On the sign-in page, they click Sign In via SAML.

  3. They enter their JumpCloud credentials.

  4. DUO verifies the user with a push notification.

  5. The user completes the MFA with the DUO mobile app.

  6. The user successfully signs in and can download profiles or bundled Connect apps.