Configuring a Duo SAML v2.0 identity provider on Keycloak

Last Updated: Jun 08, 2026

About this task

To use Duo SSO capabilities and authenticate users, you must configure a SAML v2.0 identity provider on Keycloak.

Before you begin

  • Add your SAML application to DAG.

  • Obtain a configuration metadata file in XML format.

Procedure

  1. Log in to the Keycloak web administration interface.
  2. Navigate to Solution Realm > Identity Providers.
  3. Click Add provider and then select SAML v2.0.
  4. In Alias, type the name that you used when configuring the SAML application in the Duo Admin Panel.

    For example, samlDuo. For more information, see step 6.b.

  5. Navigate to the Import External IDP Config section.
  6. Click Select file, navigate to the Duo configuration XML file that is stored on your computer, and then click Import.

    Keycloak imports the configuration data and populates the Single Sign-On Service URL field.

  7. From NameID Policy Format, select Email.
  8. Click Save.
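
Before importing the file in step 6, it is worth confirming that the metadata carries what Keycloak needs. The following check is an added example, not part of the original procedure or of Duo's or Keycloak's own tooling. The function name and the sample metadata (hosts and certificate body) are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_idp_metadata(xml_text):
    """Return (summary, problems) for a SAML v2.0 IdP metadata document."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return {}, ["DTD or entity declaration present; refusing to parse"]
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        return {}, ["no EntityDescriptor/IDPSSODescriptor found"]
    problems = []
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("entityID is missing")
    # Keycloak fills the Single Sign-On Service URL field from these elements.
    sso = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    if not sso:
        problems.append("no SingleSignOnService endpoint")
    problems += ["SSO URL is not https: " + u for u in sso
                 if urlparse(u).scheme != "https"]
    # Without a signing certificate, the IdP's signatures cannot be validated.
    certs = [c for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"
             for c in k.iter("{%s}X509Certificate" % NS["ds"]) if (c.text or "").strip()]
    if not certs:
        problems.append("no signing X509Certificate")
    # Step 7 selects Email; flag metadata that advertises formats without it.
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    if formats and EMAIL not in formats:
        problems.append("emailAddress NameIDFormat not advertised")
    summary = {"entity_id": entity_id, "sso_urls": sso, "signing_certs": len(certs)}
    return summary, problems

# Constructed sample metadata; hosts and certificate body are placeholders.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/metadata">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.test/sso"/>
 </IDPSSODescriptor></EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE))
```

To check a real export, read the Duo XML file into a string and pass it to `check_idp_metadata`; an empty problems list means the checks above passed.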