Configuring SSO with Duo
The IBM® NS1 Connect® portal supports SAML 2.0 single sign-on (SSO) with Duo for logins initiated either by the identity provider (IdP) or by the service provider (SP).
- IdP-initiated login is when a user logs into the Duo platform and selects the NS1 application to log into the IBM NS1 Connect® portal.
- SP-initiated login is when a user navigates to the IBM NS1 Connect® portal login page and clicks the option to log in using SSO.
These instructions describe implementing a custom enterprise application with SAML SSO enabled for your organization, as well as setting up users with role-based access to the IBM NS1 Connect® portal.
Once Duo SAML SSO is enabled for your organization, all NS1 portal users associated with your account will be able to access the NS1 portal via Duo or by selecting the SSO option on the IBM NS1 Connect® login page. Duo uses either the Duo Access Gateway (DAG), an on-premises server connected to an Active Directory server for user authentication, or Duo Cloud SSO.
Step 1 - Request your SSO ID from IBM NS1 Connect®
Contact IBM support to request your organization's unique SSO ID.
Step 2 - Create an application in Duo
- Log in to the Duo portal.
- Click Applications from the left-hand sidebar.
- Click Protect an Application.
- Using the search bar, enter a search for “Generic Service Provider.”
- If multiple applications called “Generic Service Provider” appear, note the differences under the Protection Type column. If configuring the Duo Access Gateway (most common), click Protect next to 2FA with SSO self-hosted (Duo Access Gateway). You are redirected to the Application Configuration page.
Step 3 - Configure the application
- Scroll to the Service Provider section and enter the following information:
  - Service Provider Name: NS1
  - Entity ID: https://api.nsone.net/saml/metadata
  - Assertion Consumer Service: https://api.nsone.net/saml/sso/<sso_id>, where <sso_id> is the unique SSO ID provided to you by NS1 (see Step 1).
  - Service Provider Login URL: https://my.nsone.net/#/login
Step 4 - Configure user mappings
An account administrator must configure user mapping based on usernames or email addresses. First, you will need to identify the format of usernames in your account: either a basic text string (for example, jdoe33) or an email address (for example, jdoe33@example.com). This is indicated by the left-most column in the list of NS1 account users.
- Navigate to IBM NS1 Connect®.
- Click the User Settings icon and select User & teams.
- Click the Users tab.
- In the User column, verify the username format.
- Return to the Duo portal. Back on the Application Configuration screen (from Step 3), scroll down to the SAML Response section.
- Option A - If mapping users based on a basic username format:
  - Next to NameID format, select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  - Next to NameID attribute, type sAMAccountName
- Option B - If mapping users based on an email username format:
  - Next to NameID format, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  - Next to NameID attribute, type email
- Scroll down to the Create attributes section.
- Under Name, type userid.
- Under Value, enter your organization's unique NS1 Connect customer ID. Refer to Locating your customer ID or your CMR for more information.
Step 5 - Configure encryption and assertions
- Navigate to the SAML Response section.
- In the text box to the right of Signature Algorithm, type SHA-256.
- Next to Sign Response, select (check) the box next to Cryptographically sign response for verification by your service provider.
- Next to Sign Assertion, select (check) the box next to Cryptographically sign assertion for verification by your service provider.
Step 6 - Configure the Duo Access Gateway
Duo uses either the Duo Access Gateway (DAG), the on-premises server that connects to your Active Directory server to authenticate users, or Duo Cloud SSO. The steps are the same for both methods. When users initiate SSO requests, they are redirected to the DAG server.
- Refer to the Duo documentation for instructions on setting up the DAG server: https://duo.com/docs/dag-linux
- From the Duo portal, navigate to the NS1 application you configured in Step 3.
- Click Download your configuration file. This is the configuration file to use for the DAG server.
- Add the configuration file by navigating to your Duo Access Gateway or Duo Cloud SSO. Click the Applications tab in the sidebar, and then click Upload.
- Select the configuration file downloaded above.
Step 7 - Contact NS1 to activate SSO
- Back on the Duo Access Gateway server, navigate to the Applications tab.
- Scroll to the bottom of the page, and click Download XML metadata.
- To enable SSO globally for your organization, contact IBM support. Note: You must provide NS1 with the metadata file.