Duo Access Gateway is an on-premises solution that secures access to cloud applications with your users' existing directory credentials (like Microsoft Active Directory or Google G Suite accounts) using the Security Assertion Markup Language (SAML) 2.0 authentication standard. SAML delegates authentication from a service provider to an identity provider and is used for single sign-on (SSO) solutions. Sectona PAM uses Duo SAML Authentication to allow access for their users. This section covers:
Before you begin
The user should admin access to the Duo developer portal.
To set up a Duo access gateway, the user must have a windows server with an Active Directory.
The requirements for the windows server are:
Form Factor: Physical or virtual machine
Processor: Two processors of 2 GHz or faster
Memory: 4 GB RAM or greater
Disk Storage: 60 GB or greater
Operating System: Windows Server 2012, 2012 R2, 2016, or 2019
Download the PHP file required, also obtain and install the SSL Certificate.
Suppose the Microsoft Visual C++ 2015-2019 Redistributable Package (x64) is not present on your server. In that case, the Duo Access Gateway setup wizard prompts you to install it.
Duo access gateway must be installed in the server with Active Directory present in it.
The user must also have admin access to Sectona PAM.
Configuring Duo SAML Authentication with Sectona
To configure SAML authentication for Duo with Sectona PAM instance, follow the below-mentioned steps:
Configuring Duo Developer Account
Log on to the Duo developer account with admin credentials.
Once logged in, go to Applications and click on Protect an Application.
Search for 'Generic service provider 2FA with SSO self-hosted(Duo Access Gateway)' and click protect.
Configure the following details:
Service Provider Name: Provide the URL of your PAM.
Entity ID: Use the URL from Duo Access Gateway
Assertion Consumer Service: Provide the URL of your PAM.
For the Signature algorithm, select SHA-1 from the drop-down list.
Keep the rest unchanged and click on Save Configuration.
Once you save the configuration, you can then download the metadata file by clicking on the 'Download your configuration file.'
Setting up Duo Access Gateway
Install the Duo Access Gateway in the Windows server where the Active Directory is configured as mentioned in the pre-requisites.
Enter the path of the PHP file (.zip) that you downloaded before installing the Duo Access gateway from the Duo website.
If the installer prompts you to change impersonation mode, click Yes.
Select the qualified hostname from the list. Choose the one that matches the external DNS entry for your Duo Access Gateway server (yourserver.example.com).
Click on install to complete Duo Access Gateway installation.
From the Duo Access Gateway server's console, click the Configure icon in the "Duo Access Gateway" application group to log on to https://yourserver.example.com/dag.
Choose a new password at the initial log-on.
Once in the console, click on Authentication source and configure the sources.
Fill in the details as follows:
Source Type: Select Active Directory from the drop-down list
Server: Provide the IP of the server where you have the AD installed.
Transport Type: Select the CLEAR radio button.
Attributes: Select ‘sAMAccountName,mail’ radio button
Search Base: The details of the search base will be present in the AD Properties.
Search Attributes: Select ‘sAMAccountName’ radio button
Search username: Provide the Admin login of the AD server
Search password: Provide the password for the admin of the AD server
Once you fill in the details, click on Save Settings. Once the settings are saved, you should see a message 'LDAP Bind Succeeded.'
Go to Applications and copy the Entity ID and use it in the duo developer portal.
Upload the configuration file from the developer portal and download the metadata file and certificate for configuring it in PAM.
Ensure that you provide the correct Server IP for the AD; the wrong configuration will result in a failed LDAP bind.
Configuring Sectona PAM for Duo SAML Authentication
Login to Sectona PAM as admin, Go to Configuration -> AD & Directory Store -> Click on add Ad & Directory Story.
Fill in the following details:
Directory Name: Provide a suitable name
Authentication Type: Select 'Generic SAML' from the drop-down list
Directory Store Type: Select 'SAML' from the drop-down list
Issuer: Provide the URL where your PAM is installed
Logon URL: This is present under the Metadata tab on Duo Access Gateways Console. Copy the SSO URL input and paste it into this field.
Logon Binding: This will be auto-filled in PAM.
Download the certificate file from Duo Access Gateways Console. Upload it on the Configuration page and then click Save.
Go to Manage → User → Assign the created directory store to the user to complete the configuration.
To show Logon with SAML option on Sectona logon screen, Go to System → System Defaults → User Logon Show SAML Option → Set the config value as 1.