Skip to main content
Skip table of contents

Duo SAML

Duo Access Gateway is an on-premises solution that secures access to cloud applications with your users' existing directory credentials (like Microsoft Active Directory or Google G Suite accounts) using the Security Assertion Markup Language (SAML) 2.0 authentication standard. SAML delegates authentication from a service provider to an identity provider and is used for single sign-on (SSO) solutions. Sectona PAM uses Duo SAML Authentication to allow access for their users. This section covers:

Before you begin

  • The user should admin access to the Duo developer portal.

  • To set up a Duo access gateway, the user must have a windows server with an Active Directory.

  • The requirements for the windows server are:

    • Form Factor: Physical or virtual machine

    • Processor: Two processors of 2 GHz or faster

    • Memory: 4 GB RAM or greater

    • Disk Storage: 60 GB or greater

    • Operating System: Windows Server 2012, 2012 R2, 2016, or 2019

  • Download the PHP file required, also obtain and install the SSL Certificate.

  • Suppose the Microsoft Visual C++ 2015-2019 Redistributable Package (x64) is not present on your server. In that case, the Duo Access Gateway setup wizard prompts you to install it. 

  • Duo access gateway must be installed in the server with Active Directory present in it.

  • The user must also have admin access to Sectona PAM.

Configuring Duo SAML Authentication with Sectona

To configure SAML authentication for Duo with Sectona PAM instance, follow the below-mentioned steps:

Configuring Duo Developer Account 

  • Log on to the Duo developer account with admin credentials.

  • Once logged in, go to Applications and click on Protect an Application.

  • Search for 'Generic service provider 2FA with SSO self-hosted(Duo Access Gateway)' and click protect.

  • Configure the following details:

    • Service Provider Name: Provide the URL of your PAM.

    • Entity ID: Use the URL from Duo Access Gateway

    • Assertion Consumer Service: Provide the URL of your PAM.

    • For the Signature algorithm, select SHA-1 from the drop-down list.

    • Keep the rest unchanged and click on Save Configuration.

    • Once you save the configuration, you can then download the metadata file by clicking on the 'Download your configuration file.'

Setting up Duo Access Gateway

  • Install the Duo Access Gateway in the Windows server where the Active Directory is configured as mentioned in the pre-requisites.

  • Enter the path of the PHP file (.zip) that you downloaded before installing the Duo Access gateway from the Duo website.

  • If the installer prompts you to change impersonation mode, click Yes. 

  • Select the qualified hostname from the list. Choose the one that matches the external DNS entry for your Duo Access Gateway server (yourserver.example.com).

  • Click on install to complete Duo Access Gateway installation.

  • From the Duo Access Gateway server's console, click the Configure icon in the "Duo Access Gateway" application group to log on to https://yourserver.example.com/dag.

  • Choose a new password at the initial log-on.

  • Once in the console, click on Authentication source and configure the sources.

  • Fill in the details as follows:

    • Source Type: Select Active Directory from the drop-down list

    • Server: Provide the IP of the server where you have the AD installed.

    • Transport Type: Select the CLEAR radio button.

    • Attributes: Select ‘sAMAccountName,mail’ radio button

    • Search Base: The details of the search base will be present in the AD Properties.

    • Search Attributes: Select ‘sAMAccountName’ radio button

    • Search username: Provide the Admin login of the AD server

    • Search password: Provide the password for the admin of the AD server

  • Once you fill in the details, click on Save Settings. Once the settings are saved, you should see a message 'LDAP Bind Succeeded.'

  • Go to Applications and copy the Entity ID and use it in the duo developer portal.

  • Upload the configuration file from the developer portal and download the metadata file and certificate for configuring it in PAM.

 Ensure that you provide the correct Server IP for the AD; the wrong configuration will result in a failed LDAP bind.

Configuring Sectona PAM for Duo SAML Authentication

  • Login to Sectona PAM as admin, Go to Configuration -> AD & Directory Store -> Click on add Ad & Directory Story.

  • Fill in the following details:

    • Directory Name: Provide a suitable name 

    • Authentication Type: Select 'Generic SAML' from the drop-down list

    • Directory Store Type: Select 'SAML' from the drop-down list

    • Issuer: Provide the URL where your PAM is installed

    • Logon URL: This is present under the Metadata tab on Duo Access Gateways Console. Copy the SSO URL input and paste it into this field.

    • Logout URL: Disabled for Duo SAML.

    • Logon Binding: This will be auto-filled in PAM.

    • Download the certificate file from Duo Access Gateways Console. Upload it on the Configuration page and then click Save.

  • Go to Manage → User → Assign the created directory store to the user to complete the configuration.

To show Logon with SAML option on Sectona logon screen, Go to System → System Defaults → User Logon Show SAML Option → Set the config value as 1.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.