This article explains how to configure Cisco DUO as the Single Sign-On (SSO) provider for users.
SSO relies on an encrypted token from Cato and your IdP to validate that the user is authenticated and allowed to connect to the network. For more details, see SSO Authentication for Users with Cato.
Note: Please contact feature-releases@catonetworks.com for more information about enabling and using this feature.
Configuring DUO as the SSO provider simplifies authentication and enhances user experience. When you enable SSO for the account, users can log in to the Client by authenticating with their SSO credentials and do not need a different set of dedicated credentials.
Follow these steps to configure DUO as an SSO provider:
- Create an OIDC application in the DUO Admin Panel
- Configure the details in the Cato Management Application (CMA)
- Configure how DUO is used in your account
In the DUO Admin Panel, create an application and identify the following values to enter into the CMA:
- OIDC Discovery URL
- Client ID
- Client Secret
To create an application:
- Log into your Duo Admin Panel.
- Navigate to Applications > Applications.
- Click Add application.
- Add a name for the application and configure these details:
  - Application Type - OAuth 2.1 / OIDC - Single Sign-On
  - User access - Choose Enable for all users
  - Grant Type - Check the Authorization Code check box
  - Sign-in Redirect URLs - Add these URLs:
  - Scopes & Claims > email - Add a claim with an IdP Attribute <Email Address> and a Claim email
  - Scopes & Claims > Scope Authorization - Add these scopes:
    - openid
    - profile
  - Public Client Registration - Add these scopes:
    - openid
    - profile
- Click Save.
- In the Metadata section, copy and save the OIDC Discovery URL so it can be entered into the CMA.
- In the Static Client Registration section, copy and save the Client ID and Client Secret so they can be entered into the CMA.
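Before the OIDC Discovery URL is entered into the CMA, the document it returns can be checked against the settings chosen above (Authorization Code grant, the openid and profile scopes, the email claim). The following is an added example, not part of the Cato or DUO documentation; `check_discovery` is a hypothetical helper, and the sample URL and document are constructed placeholders rather than real DUO output.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "profile"}  # scopes added to the DUO application

def check_discovery(discovery_url, doc):
    """Return a list of problems found in a parsed OIDC discovery document."""
    problems = []
    issuer = str(doc.get("issuer", ""))
    # OIDC Discovery: the document is served at <issuer>/.well-known/openid-configuration
    if issuer.rstrip("/") + WELL_KNOWN != discovery_url:
        problems.append("issuer does not match the discovery URL")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(str(doc.get(key, ""))).scheme != "https":
            problems.append(f"{key} is missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not offered")
    # grant_types_supported is optional; the spec default includes authorization_code
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not offered")
    # scopes_supported and claims_supported are optional: check only when present
    if "scopes_supported" in doc:
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append("scopes not offered: " + ", ".join(sorted(missing)))
    if "claims_supported" in doc and "email" not in doc["claims_supported"]:
        problems.append("email claim not offered")
    return problems

# Constructed sample values (assumptions for illustration, not real DUO output).
SAMPLE_ISSUER = "https://sso.example.com/oidc/CLIENT_ID_PLACEHOLDER"
SAMPLE_URL = SAMPLE_ISSUER + WELL_KNOWN
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code"],
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "name"],
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_DOC) or "discovery document is consistent")
```

To check a real application, fetch the saved OIDC Discovery URL with any HTTPS client and pass the URL and the parsed JSON to `check_discovery`.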
In the CMA, enter the details for the DUO application you created in the previous step:
- Well-Known URL (the OIDC Discovery URL copied from the DUO Admin Panel)
- Client ID
- Client Secret
To configure DUO as an SSO provider:
- In the CMA, from the navigation menu, click Access > Single Sign On.
- Click New.
- From the Identity Provider drop-down menu, select Duo.
- Enter a Name to identify this integration.
- (Optional) To configure DUO as your default SSO provider, enable the Default toggle. If you are configuring multiple Single Sign-On providers, see Configuring Multiple Identity Providers.
- Enter the Well-Known URL and Client ID you created in Step 1.
- Click Edit Client Secret and enter the value you created in Step 1.
- Click Apply.
You can choose to allow users, Cato Management Application admins, or both to authenticate with SSO using DUO.
You can also configure how long the Cato authentication token is valid. The Token validity settings define, in Days or Hours, how long users remain authenticated. Logged-in users must re-authenticate once the duration you define has elapsed since they last logged in.
The Always Prompt option means that users must always authenticate to the Client.