Duo Access Gateway Setup
1. Install Duo Access Gateway on a server in your DMZ. Follow the instructions for deploying the server, configuring DAG settings, and adding your primary authentication source.
2. When configuring your Active Directory or OpenLDAP authentication source in the DAG admin console, add to the "Attributes" field the attribute from the table below that corresponds to the Duo Username attribute. For example, if Active Directory is your authentication source, enter sAMAccountName in the "Attributes" field.
3. Click Applications on the left side of the Duo Access Gateway admin console.
4. Scroll down the Applications page to the Metadata section. This is the information you need to provide to Nodegrid when configuring SSO. You can either Download XML metadata or Download certificate and copy the fields.
Nodegrid Setup: Web Interface
1. Log in as admin in the Nodegrid Web Interface
2. Click on the 'Security' icon, then 'Authentication' tab
3. Click on 'SSO' tab
4. If you downloaded Duo Access Gateway’s XML metadata, click on the 'Import Metadata' button. If you only downloaded the certificate, click on 'Add'.
5. Fill out all fields:
a. Name: Name of Identity Provider
b. Status: Status of Identity Provider
i. Only one Identity Provider can be enabled at a time
c. SSO URL: Copy the SSO URL from the Duo Access Gateway admin console Metadata display
d. Logout URL: Copy the Logout URL
e. Entity ID: Unique ID of Service Provider
f. Issuer: Copy the Entity ID from the Duo Access Gateway admin console Metadata display
g. x.509 Certificate: Upload dag.crt that you've downloaded from Duo Access Gateway admin console Metadata display
h. Icon: Choose icon that will show on login page
6. After you've entered all the required information click Save.
7. After you click save, you will see this.
8. The fields ACS URL and Logout URL (if implemented) should be copied to Duo.
Create the Nodegrid Application in Duo
1. Log on to the Duo Admin Panel and navigate to Applications.
2. Click Protect an Application, locate SAML – Service Provider in the applications list, and click Protect this Application. See Getting Started for help.
3. Fill out all fields:
a. Service provider name: Nodegrid
b. Entity ID: Copy it from the Nodegrid’s configuration
c. Assertion Consumer Service: Copy it from Nodegrid’s configuration
d. Single Logout URL: (Optional) Copy it from Nodegrid’s configuration
e. NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
f. NameID Attribute: sAMAccountName
i. Nodegrid uses the Username attribute when authenticating. Map it to the authentication source you are using. For example, sAMAccountName is for AD servers.
g. Send attributes: NameID
h. Signature algorithm: SHA-256
i. Sign response: Checked
j. Sign assertion: Checked
4. You can adjust additional settings for your new SAML application at this time
5. Click Save Configuration to generate a downloadable configuration file.
6. Click the Download your configuration file link to obtain the Nodegrid application settings as a JSON file.
Add the Nodegrid Application to Duo Access Gateway
1. In the Duo Access Gateway, go to the Applications page.
2. Click the Choose File button in the Add Application section and locate the Nodegrid SAML application JSON file you downloaded from the Duo Admin Panel.
3. Click Upload.
4. The Nodegrid SAML application should be added under Applications.
Verify SSO
1. Go to your Nodegrid
2. On the login page, there should be a "Login with" button with the IdP's chosen icon
3. Click on the button
4. This redirects you to the Duo Access Gateway login page
5. Enter your primary directory logon information
6. Approve Duo two-factor authentication
7. Get redirected back to Nodegrid after authenticating