Duo cloud application
You must be signed in as a super administrator for this task.
Using Security Assertion Markup Language (SAML), your users can use their Google Cloud credentials to sign in to enterprise-cloud applications.
Set up SSO via SAML for Duo®
Step 1: Get configuration information from Duo
- Sign in to Duo with your Admin account.
- In the left navigation panel, click Administrators, then Admin Login Settings.
- In the Metadata for Configuring with Custom Identity Provider section, copy and save these two values:
  - Entity ID or Issuer ID
  - Assertion consumer service URL or single sign-on URL
Leave Duo open in the browser. You’ll return here in Step 3 to finish the SAML configuration after getting information from the Google Admin console in the next step.
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Home page, go to Apps > SAML apps.
  To see Apps on the Home page, you might have to click More controls at the bottom.
- Click Add at the bottom right.
- Locate and click Duo in the application list.
- On the Google IDP Information page:
  - Copy and save the SSO URL and Entity ID.
  - Download the Certificate.
- Click Next.
  The Basic information window shows the Application name and Description seen by users.
- Click Next.
- On the Service Provider Details page, replace the default Entity ID and ACS URL with the corresponding values you copied from Duo in Step 1.
- Click Finish.
- Return to the browser window showing Duo Admin Login Settings.
- In the Authentication with SAML section, choose the desired authentication option for your organization.
- In SAML Identity Provider Settings, choose or enter the following information:
  - Identity provider: Custom Identity Provider
  - Configuration method: Manual Entry
  - Entity ID or issuer ID: the Entity ID you copied from Google in Step 2 above.
  - Assertion consumer service URL or single sign-on URL: the SSO URL you copied in Step 2.
  - Certificate: the certificate you downloaded in Step 2.
- In Advanced SAML options, choose the following settings:
  - SHA-1 signatures: leave unchecked.
  - Signed elements: select Only responses must be signed.
- Click Save.
- Sign in to your Google Admin console.
  Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Home page, go to Apps > SAML apps.
  To see Apps on the Home page, you might have to click More controls at the bottom.
- Select Duo.
- At the top right of the gray box, click Edit Service.
- To turn on or off a service for everyone in your organization, click On for everyone or Off for everyone, and then click Save.
- To turn on or off a service only for users in an organizational unit:
  - At the left, select the organizational unit.
  - Select On or Off.
  - To keep the service turned on or off even when the service is turned on or off for the parent organizational unit, click Override.
  - If the organization's status is already Overridden, choose an option:
    - Inherit—Reverts to the same setting as its parent.
    - Save—Saves your new setting (even if the parent setting changes).
Learn more about organizational structure.
- Ensure that your Duo user account email IDs match those in your Google domain.
Note: Before you can verify SSO for Duo, you need to request your organization’s SSO login URL from the Duo Support team.
- In a new browser window, go to your organization’s Duo login URL.
- Click Single Sign On.
- Enter your sign-in email address and click Continue to Identity Provider. You should be automatically redirected to the Google sign-in page.
- Enter your Google sign-in credentials.
After your sign-in credentials are authenticated, you're automatically redirected back to Duo.
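While verifying the flow, a SAMLResponse value captured from the browser can be checked against the settings chosen above: issuer equal to the Google Entity ID, destination equal to the Duo ACS URL, a signature on the response element, no SHA-1 algorithms, and an email-style NameID. The following Python sketch is an added example, not code from Google or Duo; the function names, URLs and sample response are constructed for illustration, and it inspects structure only and does not verify the signature cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA1_ALGS = {NS["ds"] + "rsa-sha1", NS["ds"] + "dsa-sha1", NS["ds"] + "sha1"}
SHA256 = ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
          "http://www.w3.org/2001/04/xmlenc#sha256")

def audit_response(b64_response, idp_entity_id, sp_acs_url):
    """Return findings for one captured, base64-encoded SAMLResponse value."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    if root.findtext("saml:Issuer", "", NS).strip() != idp_entity_id:
        findings.append("issuer does not match the IdP Entity ID")
    if root.get("Destination") != sp_acs_url:
        findings.append("destination does not match the SP ACS URL")
    # "Only responses must be signed": look for a Signature directly under <Response>.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        findings.append("response element is not signed")
    else:
        for el in sig.iter():  # SignatureMethod, DigestMethod, etc.
            if el.get("Algorithm") in SHA1_ALGS:
                findings.append("SHA-1 in use: " + el.get("Algorithm"))
    if "@" not in root.findtext(".//saml:NameID", "", NS):
        findings.append("NameID is not an email address")
    return findings

def sample_response(sig_alg=SHA256[0], digest_alg=SHA256[1], signed=True):
    """Build a constructed (not captured) response; the signature value is a placeholder."""
    sig = ('<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/>'
           '<ds:Reference URI="#r1"><ds:DigestMethod Algorithm="%s"/></ds:Reference>'
           '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
           % (sig_alg, digest_alg)) if signed else ""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="r1" '
           'Destination="https://sp.example.test/saml/acs">'
           '<saml:Issuer>https://idp.example.test/saml2</saml:Issuer>%s'
           '<saml:Assertion><saml:Subject><saml:NameID>user@example.test</saml:NameID>'
           '</saml:Subject></saml:Assertion></samlp:Response>'
           % (NS["samlp"], NS["saml"], NS["ds"], sig))
    return base64.b64encode(xml.encode())

if __name__ == "__main__":
    idp, acs = "https://idp.example.test/saml2", "https://sp.example.test/saml/acs"
    print("signed:", audit_response(sample_response(), idp, acs))
    print("unsigned:", audit_response(sample_response(signed=False), idp, acs))
```

An empty list means the captured response is consistent with the configured values; pass the Entity ID saved from the Google IDP Information page and the ACS URL saved from Duo as the second and third arguments.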