Secure Mobile Access 12.4 Administration Guide

Integrating with Duo Access Gateway Server using SAML

This section explains how to configure an on-premises Duo Access Gateway (DAG) as an authentication server for the SMA1000 using the SAML protocol.

  1. To create a SAML authentication server in the SMA AMC portal, go to Authentication servers > New > SAML 2.0 Identity Provider > Continue.

    1. In the Name field, type a friendly name. For example, Duo Access Gateway Server.

    2. In the Appliance ID field, provide an appliance URL. For example, https://sma.company.com/. (Any value is accepted, but a URL is recommended; this value is later entered as the Entity ID on the Duo side.)

    3. Clear the Sign AuthnRequest message using this certificate option.

    4. For the Endpoint FQDN option, select a Workplace site FQDN from the drop-down menu.

      This acts as the endpoint for all communications with the Duo Access Gateway server. (It need not be the same as the Appliance ID value.)

      The Assertion Consumer Service (ACS) URL value is formed automatically from the Endpoint FQDN value.

  2. On the Duo admin portal, select Applications > Protect an Application.

    1. In the search filter under Protect an Application, search for Generic Service Provider and select the application whose protection type is 2FA with SSO self-hosted (Duo Access Gateway).

    2. Under Configure SAML Service Provider > Service Provider, provide a friendly name.

    3. In the Service Provider section, for the Entity ID option, use the Appliance ID value from the SMA configuration. For example, https://sma.company.com/.

  3. For Assertion Consumer Service (ACS) URL, use the Assertion Consumer Service (ACS) URL value from the SMA configuration. For example, https://workplace.company.com/saml2ssoconsumer.

  4. Leave all the other options at their default values.

  5. Under SAML Response section, do the following:

    1. Select the NameID format as emailAddress.

    2. Select the NameID attribute as mail.

      • The NameID format and NameID attribute values might differ based on the authentication source.
      • For an LDAP authentication source, make sure this NameID attribute is actually configured to be retrieved.

    3. Select the Signature algorithm as SHA256.

    4. For Signing options, select both Sign response and Sign assertion checkboxes.

    5. Leave the other options under this section with their default values.

  6. Click Save Configuration.

  7. Go to Policy section and change the values as needed and click Save.

  8. Click the Download your configuration file link to download the configuration file that will be uploaded to the on-premises Duo Access Gateway server.

  9. On the Duo Access Gateway admin console, select Applications > Add Application > Choose File and browse to the downloaded configuration file.

  10. Click Upload.

  11. In the Metadata section, click the Download XML metadata link to download the Duo SAML metadata file.

  12. In AMC, under Identity Provider Configuration > Metadata XML file, click Browse and select the Duo metadata file downloaded earlier.

    1. Click Import to upload the metadata.

    2. The Server ID, Authentication service URL and Trust the following certificate options are filled automatically from the uploaded file.

    3. Clear the Logout service URL text box if needed.

    4. Click Save and assign this authentication server to a realm.
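The following script is an added example, not part of the SMA or Duo products or of this guide. It shows where the values in this procedure come from and how they must line up: it parses a Duo-style IdP metadata file into the three AMC fields that step 12 fills automatically (Server ID, Authentication service URL, Trust the following certificate, plus the Logout service URL), and checks a SAML Response against the settings chosen in step 5 (emailAddress NameID, SHA-256, Sign response and Sign assertion) and the Appliance ID and ACS URL from steps 1 and 3. The metadata, the response, the dag.example.test host and the certificate and signature values are constructed placeholders. The checks are structural only; the script does not verify the XML signatures cryptographically, which the SMA does with the imported certificate.

```python
"""Added consistency check for this procedure's SAML settings (not SMA or Duo code).
Structural checks only; XML signatures are not verified cryptographically here."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Values from the guide's own examples (Appliance ID in step 1, ACS URL in step 3).
APPLIANCE_ID = "https://sma.company.com/"
ACS_URL = "https://workplace.company.com/saml2ssoconsumer"

# Constructed stand-in for the downloaded Duo metadata XML; the dag.example.test host,
# its paths and the certificate are placeholders, not real DAG values.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://dag.example.test/idp/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dag.example.test/idp/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dag.example.test/idp/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response as the DAG would POST it to the ACS URL (placeholder signatures).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://workplace.company.com/saml2ssoconsumer">
 <saml:Issuer>https://dag.example.test/idp/metadata</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://dag.example.test/idp/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@company.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sma.company.com/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""


def idp_fields_from_metadata(xml_text):
    """Return the values AMC fills from the imported metadata (step 12.2 and 12.3)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    if sso is None:  # fall back to whatever binding the IdP offers
        sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' means signing and encryption
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", None, NS)
            break
    return {
        "server_id": root.get("entityID"),
        "authentication_service_url": None if sso is None else sso.get("Location"),
        "logout_service_url": None if slo is None else slo.get("Location"),
        "trusted_certificate": None if cert is None else cert.strip(),
    }


def check_saml_response(xml_text, appliance_id, acs_url):
    """List mismatches between a Response and the settings chosen in this procedure."""
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != acs_url:
        problems.append(f"Destination {resp.get('Destination')!r} is not the ACS URL")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted assertions are not handled here)")
        return problems
    # Step 5.3/5.4: Response and Assertion each carry their own ds:Signature, using SHA-256.
    for label, elem in (("Response", resp), ("Assertion", assertion)):
        sig = elem.find("ds:Signature", NS)
        if sig is None:
            problems.append(f"{label} is not signed")
            continue
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None or not method.get("Algorithm", "").endswith("sha256"):
            problems.append(f"{label} signature algorithm is not SHA-256")
    # Step 5.1/5.2: the NameID is the mail attribute in emailAddress format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID is not an e-mail address; check that the mail attribute is retrieved")
    # Steps 1.2 and 2.3: the Audience must be the Appliance ID configured as Entity ID in Duo.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if appliance_id not in audiences:
        problems.append(f"Audience {audiences!r} does not match Appliance ID {appliance_id!r}")
    return problems
```

Run idp_fields_from_metadata on the real metadata file downloaded in step 11 to see the values that should appear in AMC after the import; run check_saml_response on a base64-decoded SAMLResponse captured from a failing login to spot the usual causes (a NameID that is not an e-mail address because the LDAP mail attribute is not retrieved, an unsigned assertion, or an Audience that does not match the Appliance ID). An empty list means the response is consistent with the settings in this procedure.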
