Duo SAML 2.0 integration questions

I'm trying to get our Dev instance up and running with SAML … Our environment uses Duo for 2FA, and I have gotten a way in following the SAML Integration documentation and info from our Middleware team…
They have given me the entry point and the signing certificate, and now they need to register the service with Duo …
As it stands at the moment, if I try to use SAML, I get redirected as I would expect, and then I get errors that indicate the service needs to be registered…

The middleware dept. is asking me for:

  1. Entity ID (should be an https URI)
    I assume this is the URL of the WebUI:port as an FQDN

  2. AssertionConsumerService URL

  3. SAML encryption certificate

I would like to know where to get this other information to complete the process.

Any help would be appreciated… Docs seem a tad sparse.

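The three items the middleware team asked for (Entity ID, AssertionConsumerService URL, encryption certificate) are exactly what a SAML 2.0 service-provider metadata document carries, and the "entry point" and signing certificate they handed over are the corresponding fields of the IdP's metadata. The following is an added example, not code from the original post, from the BigFix WebUI, or from Duo: it builds SP metadata from those three values, checks that the Entity ID is an https URI as requested, and parses an IdP metadata document to pull out the SSO URL and signing certificate. The hostnames, the ACS path and the certificate body are constructed placeholders, and the assumption that the WebUI's base URL serves as the Entity ID is the poster's, not something the page confirms.

```python
"""Build SAML 2.0 SP metadata for IdP registration and parse IdP metadata.

Added example: all URLs and the certificate body below are constructed
placeholders; substitute the real WebUI URL and the real PEM certificate.
"""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed placeholder, NOT a real certificate: just valid base64 wrapped
# in PEM armour so the metadata round-trips.
PLACEHOLDER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def check_entity_id(entity_id: str) -> str:
    """The IdP admins asked for an https URI; reject anything else up front."""
    u = urlparse(entity_id)
    if u.scheme != "https" or not u.netloc:
        raise ValueError(f"Entity ID must be an absolute https URI, got {entity_id!r}")
    return entity_id


def pem_to_metadata_b64(pem: str) -> str:
    """SAML metadata carries only the base64 DER body, no PEM armour or newlines."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    b64 = "".join(body.split())
    base64.b64decode(b64, validate=True)  # raises binascii.Error on junk input
    return b64


def build_sp_metadata(entity_id: str, acs_url: str,
                      encryption_cert_pem: str, signing_cert_pem: str = None) -> str:
    """Return SP metadata XML with the Entity ID, ACS URL and key descriptors."""
    check_entity_id(entity_id)
    if urlparse(acs_url).scheme != "https":
        raise ValueError("ACS URL must be https; the IdP POSTs the assertion to it")
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor",
                       protocolSupportEnumeration=SAMLP,
                       AuthnRequestsSigned="true" if signing_cert_pem else "false",
                       WantAssertionsSigned="true")
    for use, pem in (("signing", signing_cert_pem), ("encryption", encryption_cert_pem)):
        if not pem:
            continue
        kd = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", use=use)
        ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = pem_to_metadata_b64(pem)
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService",
                  Binding=HTTP_POST, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def parse_metadata(xml_text: str) -> dict:
    """Extract entity ID, certificates by use, and endpoints from SP or IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "certs": {}, "endpoints": {}}
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        cert = kd.find(f".//{{{DS_NS}}}X509Certificate")
        if cert is not None and cert.text:
            # A KeyDescriptor with no 'use' attribute is valid for both purposes.
            info["certs"].setdefault(kd.get("use", "both"), []).append("".join(cert.text.split()))
    for tag in ("AssertionConsumerService", "SingleSignOnService"):
        for ep in root.iter(f"{{{MD_NS}}}{tag}"):
            info["endpoints"].setdefault(tag, []).append((ep.get("Binding"), ep.get("Location")))
    return info


# Constructed IdP metadata in the shape an IdP publishes: the SSO "entry point"
# and its signing certificate. Hostname and paths are placeholders.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{pem_to_metadata_b64(PLACEHOLDER_PEM)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    # Assumed values: WebUI base URL as the Entity ID and /saml/acs as the ACS path.
    print(build_sp_metadata("https://bigfix-webui.example.com",
                            "https://bigfix-webui.example.com/saml/acs",
                            PLACEHOLDER_PEM))
    print(parse_metadata(IDP_METADATA))
```

Hand the generated SP metadata (or the three values it contains) to the IdP admins; the IdP side is read back with `parse_metadata`, which gives the SSO URL to redirect users to and the certificate the SP must pin for signature validation. A separate signing certificate is only needed if the SP is going to sign its AuthnRequests, which is why it is optional here.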

Bump.

Pete, did anyone help you on this? We are looking at doing the same thing and also use Duo.

Thanks,
Stacy


What have you tried? What documentation did you consult?

Is this the Duo method being used?: https://duo.com/docs/dag-generic

Related:

So I just stumbled across the “Duo Network Gateway”, which seems like yet another option to secure a web app with Duo Security 2FA.

This option seems to be one of the more complicated options, plus it requires a higher tier of Duo pricing, but it has the advantage that it allows you to secure access to any internal web app of any kind without having to do anything to the web app itself. I think it also has the advantage of not requiring a direct mapping between users in Duo and users in the web app.

In some cases, you might actually use the “Duo Network Gateway” only for remote users, but it also seems like you could use it in addition to other Duo integrations, even for the same app, if you really wanted to be cautious, but potentially only require 2FA through the Gateway something like once a day, while other Duo 2FA options might be configured for every login.

This option seems to make the most sense if you are planning to deploy this solution already for other existing applications, at which point BigFix WebUI Console, WebReports, Inventory, and any others could all be behind this auth mechanism.

This option shouldn’t be needed if the BigFix / Duo SAML integration is configured, but it might be a bit more flexible in some cases.

I still hope that BigFix <-> Duo SAML integration can be documented since it seems like the better option in most cases.


There is also this 3rd option that is specific to the WebUI only: Duo Security Integrated with WebUI

If this moves forward and ends up being released, it would only secure the WebUI itself, but in a more native way that could have a different set of advantages. It should also be easier to configure.


I currently use Duo 2FA for BigFix Console logins indirectly by only allowing console access from Terminal Servers which require Duo 2FA for RDP.