Use this procedure to configure a new application for SSO on Duo using the Duo administration portal.
When configuring the application, you obtain an identity provider alias and configuration file. You need this data later when configuring an Duo SAML v2.0 identity provider on Keycloak.
Before you begin
Deploy the Duo Access Gateway (DAG).
Configure the authentication source on DAG.
For information, see the Duo documentation.
Procedure
Log in to the Duo Admin Panel as an administrator.
In the left navigation pane, click Applications and then click Protect an Application.
Click Protect an Application again.
In the application list, navigate to the Generic Service Provider entry that has the 2FA with SSO self-hosted (Duo Access Gateway) protection type.
On the right side of the entry, click Protect.
In the Service Provider section, complete the following fields:
In Service Provider Name, type a name of your choice for your SAML 2.0 application.
In Assertion Consumer Service, type https://<AADS_FQDN>/auth/realms/SolutionRealm/broker/<IDP_ALIAS>/endpoint.
<AADS_FQDN> is the Avaya Aura® Device Services front-end FQDN. <IDP_ALIAS> is an identity provider alias of your choice. For example, samlDuo.
In Entity ID, type https://<AADS_FQDN>/auth/realms/SolutionRealm.
Leave default values for all other fields.
Remember the identity provider alias that you used in the previous step.
You use this alias later when creating a Ping Identity SAML v2.0 provider on Keycloak.
In the SAML Response section, complete the following fields:
In NameID format, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
In NameID attribute, select mail.
In Send attributes, select NameID.
In Signature algorithm, select SHA-256.
Leave default values for all other fields.
Click Save Configuration.
In the Configure SAML Service Provider area, click Download your configuration file to download the configuration file in JSON format and save the file on your computer.
