How to Set Up MFA for FortiClient VPN using Duo: A Step-by-Step Guide – Part 1/4

Integration of Entra ID as an Authentication Provider for Duo Single Sign-On

In part 1 of this 4-part series, we’ll walk through setting up Microsoft Entra ID as the authentication source for Duo Single Sign-On. Later in the series the FortiGate is added as an application in Duo, so Duo sits at the hub of the transaction: Entra ID verifies the first factor (username and password) and Duo delivers the Push as the second factor.

Option 1:

Duo SSO takes the lead and “proxies” the first factor (username/password) to Entra ID over SAML, then applies Duo MFA itself.

My Environment:

  • Duo Premier trial account
  • Fortinet fully featured demo keys
  • Windows 11 client computer with FortiClient
  • Microsoft Entra ID (Microsoft 365 E3 licensing)

References:

How to Use Duo Single Sign-On (SSO) | Duo Security

Initializing Duo Single Sign-On and Creating the Entra ID Enterprise Application
1. Log onto the Cisco Duo Admin Panel as an admin user and click through to initialize the Duo SSO service.

2. Skip the “Customize your SSO subdomain” step unless you would like to set it up. It is out of scope for this walkthrough.

3. Rather than the on-prem Active Directory option (which needs a Duo Authentication Proxy), we’ll use SAML, with Entra ID as the identity provider.

4. Click “Add SAML Identity Provider”. Duo shows the values (Entity ID and Assertion Consumer Service URL) you will need to configure Entra ID. Keep this page open.

5. Log into the Entra admin center at https://entra.microsoft.com/ and click “Enterprise applications” under the Applications section of the left-hand menu. Choose “+ New application” in the main pane.

6. In the application creation view, choose “+ Create your own application” at the top left of the main pane.

This pops out a form for basic information about the Duo app we’re adding. Name it “DUO SSO” (or whatever you’d like) and make sure the “Integrate any other application…” option is selected.

7. Once through the initial creation, you land in the configuration for the new enterprise app. First assign users (or groups) to the application; with “Assignment required?” left at its default of Yes under Properties, only assigned users can authenticate, so include everyone who will use the VPN. Then edit the single sign-on properties of the application by clicking “Single sign-on” on the left.

8. On the Single sign-on page, choose SAML, then edit “Basic SAML Configuration” by clicking the three dots and selecting Edit.

9. While on the “Basic SAML Configuration” page, copy the Entity ID from the Duo Admin Panel (the value shown in step 4). In the Entra admin center click “Add identifier” under “Identifier (Entity ID)” and paste the URL you copied from Duo into the field that appears.

10. Return to the Duo Admin Panel and copy the Assertion Consumer Service URL (also shown in step 4). In Entra ID click “Add reply URL” under “Reply URL (Assertion Consumer Service URL)” and paste the URL you copied from Duo into the field that appears.

Leave all other fields empty.

Click Save and close the “Basic SAML Configuration” editor.

11. Now we’ll configure the claims, which define the user attributes Entra ID sends to Duo in the SAML assertion. Under “Attributes & Claims”, find the three dots and click Edit.

12. Delete all the existing claims and add the ones Duo expects, exactly as in the screenshot (not reproduced here); Duo’s SSO documentation lists them as Email, Username, DisplayName, FirstName and LastName. Then close the Attributes & Claims section.

13. Now we need to download the signing certificate from Microsoft and import it into Duo SSO. This is again found in the Single sign-on section of the Entra admin center. Click the “Download” link under “SAML Certificates” that corresponds to the Base64 certificate and save it to your local computer for later use in the Duo Admin Panel.


14. We also need to note the metadata values (Login URL and Microsoft Entra Identifier) for later use in the Duo Admin Panel. You can find them on the Single sign-on page as well.

15. Head back to the Duo Single Sign-On configuration. Under section 3, “Configure Duo Single Sign-On”, fill in the following:

Name – Eg. Entra ID Enterprise Application

Single Sign-On URL – The “Login URL” from the Entra ID Single sign-on page

Entity ID – The “Azure AD Identifier” (now labelled “Microsoft Entra Identifier”) URL from the Entra ID Single sign-on page

Leave the Single Logout URL and Logout Redirect URL blank for testing

Certificate – Upload the certificate you downloaded from Entra ID above

Username Normalization – Set to Simple for testing

Keep “Assertion encryption” unchecked for now; it can be enabled once the basic flow works

16. Click Save.

17. Next, download the Duo certificate that Entra ID will use for token encryption. In the Duo Admin Panel, open the Entra ID identity provider configuration you just added and click the “Download” link at the bottom of the configuration screen. Save the certificate to your local computer.

18. Once saved, rename the file extension from .crt to .cer so the Entra portal’s file picker accepts it. This only changes the name; the certificate contents are unchanged and either DER or Base64 encoding is accepted.

19. Go back to the Entra admin center, open the enterprise application we just created and click “Token encryption” in the left-hand menu. Here you upload the certificate you just downloaded from Duo so that Entra ID encrypts the SAML assertions it issues to Duo. Click “Import Certificate”, browse to the renamed file and upload it. Once uploaded, activate the certificate via the three-dot menu on the right side of the entry.
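Steps 13 to 16 above have you copy the Login URL, the Entra identifier and the Base64 signing certificate from the Entra single sign-on page by hand. The same page also links an “App Federation Metadata Url”, and all three values live in that XML document. The following script is an added example, not code from the original post or from Duo or Microsoft: it parses such a metadata document with only the Python standard library, returns the values Duo’s form asks for, and reads the signing certificate’s expiry (Entra-issued SAML signing certificates are time-limited, and when one is rotated the new one must be uploaded to Duo or logins fail). The metadata document, tenant ID and certificate in it are constructed samples, not real tenant data.

```python
"""Extract Duo SSO identity-provider settings from Entra ID federation metadata.
Added example; standard library only. Sample metadata and certificate are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def parse_entra_metadata(xml_text):
    """Return entityID, the HTTP-Redirect SSO URL and the DER signing certificate(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso_url = next(s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                   if s.get("Binding") == REDIRECT)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):        # no 'use' attribute means both uses
            b64 = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
            certs.append(base64.b64decode("".join(b64.split())))
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "certs": certs}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def cert_not_after(der):
    """Walk tbsCertificate just far enough to read the notAfter time (as UTC)."""
    _, pos, _ = _tlv(der, 0)                            # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                     # explicit [0] version, optional
        pos = end
    for _ in range(3):                                  # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)                          # validity SEQUENCE
    _, _, pos = _tlv(der, pos)                          # notBefore
    tag, start, end = _tlv(der, pos)                    # notAfter: UTCTime or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def duo_idp_settings(xml_text, now=None):
    """Values for Duo's SAML identity provider form, plus thumbprint and days to expiry."""
    meta = parse_entra_metadata(xml_text)
    der = meta["certs"][0]
    b64 = base64.b64encode(der).decode()
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
           + "\n-----END CERTIFICATE-----\n")
    not_after = cert_not_after(der)
    now = now or datetime.now(timezone.utc)
    return {"single_sign_on_url": meta["sso_url"],     # Duo "Single Sign-On URL"
            "entity_id": meta["entity_id"],            # Duo "Entity ID"
            "certificate_pem": pem,                    # Duo "Certificate" upload
            "thumbprint": hashlib.sha1(der).hexdigest().upper(),  # as shown by Entra
            "not_after": not_after,
            "days_until_expiry": (not_after - now).days}


# ---- constructed sample data (placeholder tenant, not a real certificate) ----
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_cert_der(not_after="350101000000Z"):
    """Minimal DER blob with a real tbsCertificate layout up to the validity field."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                   # version v3
           + _der(0x02, b"\x01")                                             # serialNumber
           + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))     # sha256WithRSA
           + _der(0x30, b"")                                                 # issuer (empty)
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after.encode()))
           + _der(0x30, b"") + _der(0x30, b""))                              # subject, SPKI
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


TENANT = "00000000-0000-0000-0000-000000000000"      # placeholder tenant ID


def sample_metadata():
    cert_b64 = base64.b64encode(sample_cert_der()).decode()
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{cert_b64}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


if __name__ == "__main__":
    s = duo_idp_settings(sample_metadata())
    for k in ("single_sign_on_url", "entity_id", "thumbprint", "not_after", "days_until_expiry"):
        print(f"{k:20} {s[k]}")
    if s["days_until_expiry"] < 90:
        print("WARNING: rotate the signing certificate in Entra and re-upload it to Duo")
```

Pointing `duo_idp_settings` at the real metadata (fetched from the App Federation Metadata Url) gives the Login URL, the Entra identifier and a PEM file ready for Duo’s Certificate field; comparing the thumbprint with the one Entra displays under SAML Certificates confirms you copied the active certificate, and the expiry countdown is worth putting on a calendar.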

At this point we’ve completed the integration of Entra ID as an authentication provider for Duo Single Sign-On. Part 2 adds the FortiGate to Duo as an application.
