How to configure Single Sign-On authentication in Nodegrid using Duo.

This document describes the configuration required in Nodegrid, the Duo Admin Panel, and the Duo Access Gateway (DAG).

Duo Access Gateway Setup 

1. Install Duo Access Gateway on a server in your DMZ. Follow the instructions for deploying the server, configuring DAG settings, and adding your primary authentication source. 
2. When configuring your Active Directory or OpenLDAP authentication source in the DAG admin console, add to the "Attributes" field the attribute from the table below that corresponds to the Duo Username attribute. For example, if Active Directory is your authentication source, enter sAMAccountName in the "Attributes" field. 
3. Click Applications on the left side of the Duo Access Gateway admin console. 
4. Scroll down the Applications page to the Metadata section. This is the information you need to provide to Nodegrid when configuring SSO. You can either Download XML metadata or Download certificate and copy the fields. 

Nodegrid Setup: Web Interface 

1. Log in as admin in the Nodegrid Web Interface 
2. Click on the 'Security' icon, then 'Authentication' tab 
3. Click on 'SSO' tab 
4. If you downloaded Duo Access Gateway's XML metadata, click on the 'Import Metadata' button. If you only downloaded the certificate, click on 'Add'. 
5. Fill out all fields:
      a. Name: Name of Identity Provider 
      b. Status: Status of Identity Provider 
                  i. Only one Identity Provider can be enabled at a time 
      c. SSO URL: Copy the SSO URL from the Duo Access Gateway admin console Metadata display 
      d. Logout URL: Copy the Logout URL 
      e. Entity ID: Unique ID of Service Provider 
      f. Issuer: Copy the Entity ID from the Duo Access Gateway admin console Metadata display 
      g. x.509 Certificate: Upload dag.crt that you've downloaded from Duo Access Gateway admin console Metadata display 
      h. Icon: Choose icon that will show on login page 
6. After you've entered all the required information click Save. 

7. After you click save, you will see this. 

8. The fields ACS URL and Logout URL (if implemented) should be copied to Duo. 
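
An added example, not part of the original article and not Nodegrid or Duo code: a Python check that reads the Duo Access Gateway XML metadata and reports which Nodegrid SSO fields (SSO URL, Logout URL, Issuer, x.509 Certificate) disagree with it, including whether the uploaded dag.crt is the certificate named in the metadata. The sample metadata, host name and certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, trimmed to the elements read below: host, entity ID and
# certificate bytes are placeholders, not a real Duo Access Gateway export.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://dag.example.com/idp/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://dag.example.com/idp/slo"/>
    <md:SingleSignOnService Location="https://dag.example.com/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----\n"

def fingerprint(cert_text):
    """SHA-256 over the DER bytes of a base64 certificate (PEM armor lines skipped)."""
    body = "".join(l.strip() for l in cert_text.splitlines() if "-----" not in l)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def idp_fields(metadata_xml):
    """Map IdP metadata to the Nodegrid SSO form fields it should fill in."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: this is not IdP metadata")
    def loc(tag):
        el = idp.find(f"md:{tag}", NS)
        return el.get("Location") if el is not None else None
    cert = next((k.find(".//ds:X509Certificate", NS)
                 for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") != "encryption"), None)
    if cert is None:
        raise ValueError("no signing certificate in metadata")
    return {"SSO URL": loc("SingleSignOnService"), "Logout URL": loc("SingleLogoutService"),
            "Issuer": root.get("entityID"), "x.509 Certificate": fingerprint(cert.text)}

def mismatches(metadata_xml, entered, crt_pem):
    """Names of fields where the entered values or dag.crt disagree with the metadata."""
    expected = idp_fields(metadata_xml)
    got = {**entered, "x.509 Certificate": fingerprint(crt_pem)}
    return [name for name, value in expected.items() if got.get(name) != value]
```

An empty list from mismatches() means the manually entered values and the uploaded certificate agree with the metadata; a frequent result is "Issuer" when the Service Provider's Entity ID was pasted into the Issuer field.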

Create the Nodegrid Application in Duo 

1. Log on to the Duo Admin Panel and navigate to Applications. 
2. Click Protect an Application, locate SAML – Service Provider in the applications list, and click Protect this Application. See Getting Started for help.
3. Fill out all fields:
      a. Service provider name: Nodegrid 
      b. Entity ID: Copy it from the Nodegrid’s configuration 
      c. Assertion Consumer Service: Copy it from Nodegrid’s configuration 
      d. Single Logout URL: (Optional) Copy it from Nodegrid’s configuration
      e. NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified 
      f. NameID Attribute: sAMAccountName
                  i. Nodegrid uses the Username attribute when authenticating. Map it to the matching attribute of the authentication source you are using, e.g. sAMAccountName for AD servers. 
      g. Send attributes: NameID
      h. Signature algorithm: SHA-256 
      i. Sign response: Checked 
      j. Sign assertion: Checked 
4. You can adjust additional settings for your new SAML application at this time 
5. Click Save Configuration to generate a downloadable configuration file. 
6. Click the Download your configuration file link to obtain the Nodegrid application settings as a JSON file. 

Add the Nodegrid Application to Duo Access Gateway 

1. In the Duo Access Gateway, go to the Applications page. 
2. Click the Choose File button in the Add Application section and locate the Nodegrid SAML application JSON file you downloaded from the Duo Admin Panel. 
3. Click Upload. 
4. The Nodegrid SAML application should be added under Applications. 

Verify SSO 

1. Go to your Nodegrid 
2. On the login page, there should be a 'Login with' button showing the icon chosen for the IdP 
3. Click on the button 
4. This redirects you to the Duo Access Gateway login page 
5. Enter your primary directory logon information 
6. Approve Duo two-factor authentication 
7. Get redirected back to Nodegrid after authenticating 
