
Duo SSO

Follow the steps documented below to integrate access to your Rafay Console with Duo for Single Sign On (SSO).

Important

Only users with "Organization Admin" privileges can configure SSO in the Rafay Console.


Step 1: Create IdP in Rafay

  • Log in to the Rafay Console as an Organization Admin.
  • Click on System -> Identity Providers
  • Click on "New Identity Provider"
  • Provide a name, select "Custom" from the "IdP Type" drop down
  • Enter the "Domain" for which you would like to enable SSO
  • Optionally, toggle "Encryption" if you wish to send/receive encrypted SAML assertions from your IdP
  • Provide a name for the "Group Attribute Name"
  • Click on Save & Continue

Create IdP

Important

Encrypting SAML assertions is optional because privacy is already provided at the transport layer using HTTPS. Encrypted assertions add a further layer of security on top of that, ensuring that only the SP (the Rafay Org) can decrypt the SAML assertion.


Step 2: View SP Details

The Rafay IdP configuration wizard will display critical information that you need to copy/paste into your Duo SSO Console. Provide the following information to your Duo administrator.

  • Assertion Consumer Service (ACS) URL
  • SP Entity ID
  • Name ID Format
  • Group Attribute Name

View SP Details


Step 3: Create Rafay App in Duo

  • Log in to your Duo Admin Portal as an Administrator
  • Select Applications > Protect an Application
  • Search for Generic Service Provider
  • Select "Protect" for the Generic Service Provider with Protection Type "2FA with SSO hosted by Duo" to create a new application

Create App Integration


Step 4: Configure SAML Settings For Rafay App in Duo

In the "Generic Service Provider - Single Sign-On" page, go to the "Service Provider" section and:

  • Enter a name such as "Rafay Systems" for the "Service provider name"
  • Copy/paste the SP Entity ID from Step 2 into "Entity ID"
  • Copy/paste the Rafay ACS URL from Step 2 into the "Assertion Consumer Service" field
  • Copy/paste the Rafay ACS URL from Step 2 into the "Service Provider Login URL" field

Configure SAML

  • Go to "SAML Response" section
  • Keep the "NameID format" as emailAddress
  • Keep the "NameID attribute" as EmailAddress

Configure SAML

  • Go to Policy to define the policy that governs user access to the Rafay application
  • Go to Settings > Name and enter a name, e.g. "Rafay Systems", to be displayed in the Duo Push notification when users access the Rafay application.

Configure SAML

  • Go to Settings > Permitted Groups to restrict access to the Rafay application to users in specific groups, or to allow all users

Configure SAML


Step 5: Configure Group Attribute to Send to Rafay

The "Group" configuration step is critical because it will ensure that Duo will send the groups/roles the user belongs to as part of the SSO process. Rafay uses the group information to transparently map users to the correct group/role.

Option 1: Users and groups are synced from Active Directory (AD) for your Duo Authentication Source. Follow Step 5.1 below to configure the Role Attributes.

Option 2: Your Duo Authentication Source is a SAML Identity Provider. Follow Step 5.2 to map the IdP attribute to the Group Attribute in the SAML Response that is sent to Rafay.


Step 5.1: Map Duo Group Synced from AD to Role Attributes

  • Go to SAML Response > Role attributes section
  • Set the "Attribute Name" to the same group attribute name that you configured in Rafay in Step 1, e.g. "RafayRoles"
  • Enter the "Service Provider's Role" exactly as the group name is configured in Rafay, and select the "Duo Groups" whose members should receive this Rafay role (refer to the section below on Groups Configuration in the Rafay Console)
  • Configure as many Role and Group mappings as required
  • Then SAVE the settings for this application in the Duo Admin Portal

In the illustrative example below, we are using "RafayRoles" as the name of the attribute.

Configure SAML


Groups Configuration In Rafay Console

  • Groups with names identical to the "Service Provider's Role" values need to be created in Rafay. Ensure that these groups are mapped to the appropriate Projects with the correct privileges. In the example below, the Rafay Group "OrgAdmin" is configured as an "Organization Admin" with access to all Projects.

Assign Groups

  • It is important to emphasize that because of SSO via Duo, user lifecycle management can be completely offloaded to the IdP. In the example below, note that there are no users managed in the "OrgAdmin" group because they are all managed in the attached Duo tenant.

Users in Group


Step 5.2: Map IdP Attribute to Group Attribute to Send to Rafay

  • Go to SAML Response > Map attributes section
  • Provide the name of the "IdP Attribute" that contains the group/role information sent from the IdP
  • Enter the name of the SAML Response attribute that you configured in Rafay in Step 1, e.g. "RafayRoles"
  • Then SAVE the settings for this application in the Duo Admin Portal

In the illustrative example below, we take the attribute named "UserRoles" from the IdP source and send it to Rafay as the SAML Response attribute named "RafayRoles".

Configure SAML


Groups Configuration In Rafay Console

  • Groups with names identical to the group/role values sent in the configured IdP Attribute need to be created in Rafay. Ensure that these groups are mapped to the appropriate Projects with the correct privileges. In the example below, the Rafay Group "OrgAdmin" is configured as an "Organization Admin" with access to all Projects.

Assign Groups

  • It is important to emphasize that because of SSO via Duo, user lifecycle management can be completely offloaded to the IdP. In the example below, note that there are no users managed in the "OrgAdmin" group because they are all managed in the attached Duo tenant.

Users in Group
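To check that the Duo application is emitting what Steps 2, 4 and 5 above require (a Response addressed to the Rafay ACS URL, an Audience equal to the SP Entity ID, an emailAddress NameID, and a group attribute carrying Rafay group names), it helps to inspect a captured SAML Response, for example from the browser's developer tools or a SAML tracer extension. The following is an added example, not code from Rafay or Duo: it parses a constructed, unsigned sample Response, reports configuration mismatches, and shows which attribute values line up with the groups created in the Rafay Console. The URLs, entity IDs, issuer, e-mail address and group names are placeholders, and signature and encryption handling is out of scope (a Response with the Step 1 "Encryption" toggle enabled would carry an EncryptedAssertion instead of a plain Assertion).

```python
"""Inspect a SAML Response from Duo the way the Rafay SP would receive it.

Added example, not Rafay's or Duo's code. All values below are constructed
placeholders; replace them with the details shown in Step 2 of the wizard.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Values from the Rafay "View SP Details" screen (Step 2) -- placeholders here.
SP_ENTITY_ID = "https://console.example-rafay.invalid/saml/sp"
ACS_URL = "https://console.example-rafay.invalid/saml/acs"
GROUP_ATTRIBUTE = "RafayRoles"   # the "Group Attribute Name" chosen in Step 1

# Groups that exist in the Rafay Console (see "Groups Configuration" above).
RAFAY_GROUPS = {"OrgAdmin", "ProjectViewer"}

# Constructed, unsigned sample of a Response after the Step 4/5 configuration.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>https://duo-sso.example.invalid/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://duo-sso.example.invalid/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{GROUP_ATTRIBUTE}">
        <saml:AttributeValue>OrgAdmin</saml:AttributeValue>
        <saml:AttributeValue>Finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Extract the fields Steps 2, 4 and 5 care about from a plain (unencrypted) Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion found; with Encryption enabled in Step 1 "
                         "the Response carries saml:EncryptedAssertion instead")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "destination": root.get("Destination"),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def check_response(parsed):
    """Return configuration mismatches; an empty list means the Response matches Steps 2, 4 and 5."""
    problems = []
    if parsed["destination"] != ACS_URL:
        problems.append(f"Destination {parsed['destination']!r} is not the Rafay ACS URL (Step 4)")
    if parsed["audience"] != SP_ENTITY_ID:
        problems.append(f"Audience {parsed['audience']!r} is not the SP Entity ID (Step 4)")
    if parsed["name_id_format"] != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress (Step 4, SAML Response section)")
    if GROUP_ATTRIBUTE not in parsed["attributes"]:
        problems.append(f"attribute {GROUP_ATTRIBUTE!r} is missing: check Role attributes "
                        "(Step 5.1) or Map attributes (Step 5.2)")
    return problems


def map_groups(parsed):
    """Split group attribute values into names that exist in Rafay and names that do not.

    Assumption: a value only takes effect when a Rafay group of the same name exists,
    as the "Groups Configuration" sections above require.
    """
    values = parsed["attributes"].get(GROUP_ATTRIBUTE, [])
    matched = sorted(v for v in values if v in RAFAY_GROUPS)
    unmatched = sorted(v for v in values if v not in RAFAY_GROUPS)
    return matched, unmatched


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print("user:", parsed["name_id"])
    print("problems:", check_response(parsed) or "none")
    print("rafay groups / unmatched values:", map_groups(parsed))
```

Running the block against a real captured Response is a quick way to tell whether a user who cannot log in is failing because the attribute name differs from the Step 1 "Group Attribute Name", because the NameID format was changed from emailAddress, or because the group value sent by Duo has no identically named group in the Rafay Console.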


Step 6: Specify IdP Metadata

  • Go back to Duo Admin Portal > Applications > Rafay_App configuration page.
  • Copy the "Metadata URL" from the Metadata > Metadata URL section

IdP Metadata

  • Navigate back to the Rafay Console's IdP configuration wizard
  • Paste the Metadata URL from Duo into the "Identity Provider Metadata URL" field
  • Complete IdP Registration

Create App Integration

  • Once this process is complete, you can view details about the IdP configuration on the Identity Provider page.
  • You can also edit and update the configuration if required.

Completed IdP