Rubex - How to set up SAML 2.0 SSO with Duo
Rubex can integrate with Duo SSO.
See https://duo.com/docs/sso#saml
Step 1
Enable Duo Single Sign-On
Role required: Owner
- Log in to the Duo Admin Panel and click Single Sign-On in the navigation bar on the left.
- Review the information on the "Single Sign-On" page. If you agree to the terms, check the box and then click Activate and Start Setup.
- On the Customize your SSO subdomain page you can specify a subdomain you'd like your users to see when they are logging in with Duo Single Sign-On. For example, you can enter acme and users would see acme.login.duosecurity.com in the URL when logging into Duo Single Sign-On.
Click Save and continue to use the desired subdomain or click Complete later to skip this step for now.
- On the Add Authentication Source page select SAML Identity Provider as your authentication source. Click the button at the bottom of the option you'd like to use to add that source type, and follow the instructions in the next section.
Configure your SAML Identity Provider
- On the "Single Sign-On Configuration" page scroll down to 1. Configure your SAML Identity Provider. This is the Duo Single Sign-On metadata information you'll need to provide to your SAML identity provider to configure Duo Single Sign-On as a service provider.
- Configure your SAML identity provider to:
  - Send a NameIDFormat of urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
  - Send a NameID attribute that matches your users' Duo usernames.
- On the "Single Sign-On Configuration" page scroll down to 2. Configure SAML Identity Provider's Attributes. Configure your SAML identity provider to send the following required attribute values. Attribute names must be sent to Duo Single Sign-On corresponding to the "Attribute Name Sent" column below:
SAML IdP Attribute | Attribute Name Sent
Email Address |
Full Name | DisplayName
First Name | FirstName
Last Name | LastName
You may configure your identity provider to send additional attributes beyond the required ones.
- Once you've configured Duo Single Sign-On as a service provider within your SAML identity provider continue to the next section.
Configure Duo Single Sign-On Authentication Source
- On the Duo Admin Panel "Single Sign-On Configuration" page scroll down to 3. Configure Duo Single Sign-on.
- Fill out the fields listed below using information from your SAML identity provider:
Name | Description
Display Name | A name so that you can easily identify the provider.
Entity ID | The global, unique name for your SAML identity provider. This is provided by your SAML identity provider and is sometimes referred to as "Issuer".
Single Sign-On URL | The authentication URL for your identity provider. This is sometimes referred to as "SSO URL" or "Login URL".
Single Logout URL | This field is optional and currently unused by Duo Single Sign-On. This field may be used in the future. The logout URL for your identity provider. This is sometimes referred to as "SLO URL" or "Logout Endpoint".
Logout Redirect URL | This field is optional. When this field is populated, after logging a user out of Duo Single Sign-On they will be redirected to the URL in this field.
Certificate | Download the signing certificate for your identity provider, and then click the Browse button to select the downloaded certificate.
Username normalization | Controls whether or not usernames entered for primary authentication should be altered before trying to match them to a Duo user account. When set to None, the usernames narroway, EXAMPLE\narroway, and narroway@example.com would be three separate users in Duo. When set to Simple, any domain information is stripped from the username sent to Duo, so narroway, EXAMPLE\narroway, and narroway@example.com would all resolve to a single "narroway" Duo user. Default: Simple.
Once all the required information is filled out click Save.
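Because Simple normalization strips domain information, accounts from different domains that share a local name map to the same Duo user. The sketch below is an added example, not Duo's code: `simple_normalize` approximates the behaviour described in the table, and the username list is constructed. It reports which IdP usernames would merge under each setting.

```python
from collections import defaultdict


def simple_normalize(username):
    """Approximate 'Simple': drop a DOMAIN\\ prefix and an @domain suffix."""
    name = username.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def find_collisions(usernames, mode="Simple"):
    """Group usernames by the Duo user they would resolve to; keep groups of 2+."""
    groups = defaultdict(set)
    for raw in usernames:
        key = simple_normalize(raw) if mode == "Simple" else raw
        groups[key].add(raw)
    return {key: sorted(raws) for key, raws in groups.items() if len(raws) > 1}


# Constructed export of usernames the IdP could send as NameID.
SAMPLE_USERS = [
    "narroway",
    "EXAMPLE\\narroway",
    "narroway@example.com",
    "jsmith@example.com",
    "jsmith@partner.example",
]

if __name__ == "__main__":
    for duo_user, sources in find_collisions(SAMPLE_USERS).items():
        print(duo_user, "<-", ", ".join(sources))
```

If two distinct people appear in one group, set normalization to None or make the NameID values unique before enabling SSO.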
Enable Rubex Single Sign-On
Create SAML
In Rubex go to the Admin menu, select Settings and then Single Sign-On Settings. Click Create SAML Configuration.
Identify
Give it a name to help identify the connection being used.
Issuer: in this field paste the Azure AD Identifier URL. It should look something like https://sts.windows.net/########-####-####-###-############
Entity ID: use https://account.efilecabinet.net/ or the custom branding URL that was configured in Rubex.
In the Signature section select Choose File and reference the certificate that you downloaded from Azure AD.
Click the Create button.
Go back into the SSO/SAML configuration; at the bottom of the window is a section titled Endpoints. That section contains a Login URL, which will look something like https://account.efilecabinet.net/api/saml/##. Copy the URL shown in the Rubex SAML settings.
Enter the SAML information into Duo and Rubex
Now that the settings in Rubex have been finished, it's time to finalize your setup.
Identifier (Entity ID): use the same URL that you chose for the Entity ID on the Rubex configuration side. If this doesn't match the value you used in Rubex, the connection will fail.
Reply URL: this is where you put the URL that is generated at the bottom of the Rubex SSO configuration window. It will be something along the lines of https://account.efilecabinet.net/api/saml/##