The below instructions outline how to setup a generic SAML 2.0 Web Application in DUO to work with the Opus 2 Platform. These should be used as a reference guide, but you should also refer to the official documentation from DUO, available here.
Create the Application with SAML
- Log on to the Duo Admin Panel and navigate to Applications.
- Click Protect an Application and locate the entry for the Generic SAML Service Provider with a protection type of “2FA with SSO hosted by Duo (Single Sign-On)” in the applications list. Click Protect to the far-right to start configuring Generic SAML Service Provider.
- The Metadata section is where you can get SAML Identity Provider Information which you will need to provide to Opus 2 later in this document.
The following instructions configure this enterprise application so that it can be integrated with Opus 2 Platform. These instructions will be split into three sections: “Basic Configuration”, “Attributes & Claims” and “Setup”.
Basic Configuration
For the enterprise application to authenticate with Opus 2 Platform, we need to provide it with only two configuration values, the Entity ID and the Assertion Consumer Service (ACS) URL.
- Return to the application page in your Duo Admin Panel.
- Navigate to the Service Provider section.
- Set Entity ID (also known as the Identifier) as per the value provided by Opus 2.
- Set ACS (also referred to as the Reply URL) as per the value as provided by Opus 2.
- Save these changes.
Configure User Attributes and Claims
When a user authenticates with Opus 2 Platform, Duo issues the application a SAML token which corresponds with information (or claims) about the user that uniquely identifies them. By default, this information includes the user's Username, Email, Display Name, First Name and Last Name.
Navigate to the SAML Response Section.
Ensure NameID Format is set to the following.
Claim Name | Value |
---|---|
NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Ensure the NameID attribute is set to the following.
Claim Name | Value |
---|---|
NameID Attribute | <Email Address> |
Ensure Map Attributes matches the following.
IdP Attribute | SAML Response Attribute |
---|---|
<First Name> | firstName |
<Last Name> | lastName |
<Email Address> |
Provide Identity Provider Metadata URL
Return to the application page in the Duo Admin Portal. Browse to the Metadata Section. Please provide Opus 2 with a copy of the Metadata URL. Configuration for Opus 2 is then complete.