I'm trying to get our Dev instance up and running with SAML… Our environment uses Duo for 2FA and I have gotten a way in following the SAML Integration documentation and info from our Middleware team…
They have given me the entry point, and the signing certificate and now they need to register the service with Duo …
As it stands at the moment, if I try and use SAML, I get redirected as I would expect and then I get errors that indicate the service needs to be registered…
The middleware dept is asking me for:
- Entity ID (should be an https URI)
  I assume this is the URL of the webui:port in FQDN
- AssertionConsumerService URL
- SAML encryption certificate
I would like to know where to get this other information to complete the process
Any help would be appreciated… Docs seem a tad sparse
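As an added example (not code from this thread, nor from BigFix or Duo), here is a small Python script that assembles the three items the middleware team asked for into a standard SAML 2.0 SP metadata document and reads them back out for checking; the host name, port, ACS path and certificate body are placeholders, not values from the thread.

```python
"""Build and check a minimal SAML 2.0 Service Provider metadata document.

Assumption (not from the thread): the host, port and paths in SAMPLE_* below are
placeholders; substitute the values your WebUI instance actually serves.
"""
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)


def build_sp_metadata(entity_id, acs_url, encryption_cert_pem):
    """Return SP metadata XML carrying Entity ID, ACS URL and encryption cert."""
    if not entity_id.startswith("https://") or not acs_url.startswith("https://"):
        raise ValueError("Entity ID and ACS URL should both be https URIs")
    # Metadata carries the bare base64 DER body, so strip the PEM armour lines.
    b64 = "".join(l for l in encryption_cert_pem.splitlines() if not l.startswith("-----"))
    ed = ET.Element(f"{{{NS_MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{NS_MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       AuthnRequestsSigned="true", WantAssertionsSigned="true")
    # use="encryption" tells the IdP this is the key to encrypt assertions to.
    kd = ET.SubElement(sp, f"{{{NS_MD}}}KeyDescriptor", use="encryption")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{NS_DS}}}KeyInfo"), f"{{{NS_DS}}}X509Data")
    ET.SubElement(x509, f"{{{NS_DS}}}X509Certificate").text = b64
    ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService",
                  Binding=POST_BINDING, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")


def parse_sp_metadata(xml_text):
    """Read the three registration values back out of SP metadata for checking."""
    root = ET.fromstring(xml_text)
    acs = root.find(f".//{{{NS_MD}}}AssertionConsumerService")
    kd = root.find(f".//{{{NS_MD}}}KeyDescriptor[@use='encryption']")
    cert = kd.find(f".//{{{NS_DS}}}X509Certificate") if kd is not None else None
    return {"entity_id": root.get("entityID"),
            "acs_url": acs.get("Location") if acs is not None else None,
            "encryption_cert": cert.text if cert is not None else None}


# Constructed placeholders; the certificate body is NOT a real certificate.
SAMPLE_ENTITY_ID = "https://webui.example.com:443/saml/metadata"
SAMPLE_ACS_URL = "https://webui.example.com:443/saml/acs"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBexampleBASE64body==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    metadata = build_sp_metadata(SAMPLE_ENTITY_ID, SAMPLE_ACS_URL, SAMPLE_CERT)
    print(metadata)
    print(parse_sp_metadata(metadata))
```

The generated document is what an IdP team typically imports to register the SP; the parser lets you confirm a metadata file you were handed (or produced) actually carries the same three values before sending it on.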
So I just stumbled across the “Duo Network Gateway” which seems like yet another option to secure a web app with Duo Security 2FA.
This option seems to be one of the more complicated options, plus it requires a higher tier of Duo pricing, but it has the advantage that it allows you to secure access to any internal web app of any kind without having to do anything to the web app itself. I think it also has the advantage of not requiring a direct mapping between users in Duo and users in the web app.
In some cases, you might actually use the “Duo Network Gateway” only for remote users, but it also seems like you could use it in addition to other Duo integration even for the same app if you really wanted to be cautious, but potentially only require the 2FA through the Gateway something like once a day, while other Duo 2FA options might be configured for every login.
This option seems to make the most sense if you are planning to deploy this solution already for other existing applications, at which point BigFix WebUI Console, WebReports, Inventory, and any others could all be behind this auth mechanism.
If this moves forward and ends up being released, it would only secure the WebUI itself, but in a more native way that could have a different set of advantages. It should also be easier to configure.
I currently use Duo 2FA for BigFix Console logins indirectly by only allowing console access from Terminal Servers which require Duo 2FA for RDP.