SSO with Duo

Introduction

This guide will take you through the steps required to perform BMS integration with Duo.

Creating BMS application in Duo

  1. Log into Duo.
  2. Click Applications on the left panel. The Applications page will open, and you will see the Protect an Application button on the top right.
  3. Click Protect an Application.
  4. In the Search field, enter generic service provider.
  5. From the search results, click Protect to select 2FA SSO Hosted by Duo.
  6. Enter the following default settings in the respective fields for BMS/Vorex.
  7. Entity ID: Enter <server name>.
  8. Assertion Consumer Service (ACS) URL: This is the BMS URL. The format is <server name>/SAML/Connect.aspx.
  9. After the Duo SAML application is created, copy the highlighted URL (Single Sign-on) from Duo and paste it in BMS by navigating to Admin > My Company > Auth & Provision > SAML Login Endpoint URL.

Duo SAML settings, attributes, and security certificate

  1. Go back to Duo now. In the SAML Response section, enter the following:
    • Name ID format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent from the dropdown.
    • Name ID attribute: Select <Email Address>. This should appear within a box.
    • Signature algorithm: Select SHA256 from the dropdown.
    • Signing options: Select both the checkboxes - Sign response and Sign assertion.
  2. Download the certificate. 
  3. IMPORTANT  Go to the Downloads folder. Right-click the downloaded file and rename it with the .cer file extension if it shows some other file extension. If you are unable to do this, double-click the file to open it. Windows will display a warning message with two options - Open and Cancel.

  4. Click Open. The certificate opens with three tabs - General, Details and Certification Path.
  5. Go to the Details tab.
  6. Click Copy to File. An export wizard appears.
  7. Click Next.
  8. By default, DER encoded binary X.509 (.CER) is selected under Select the format you want to use. Select Base-64 encoded X.509 (.CER).
  9. Click Next.
  10. Click Browse.
  11. Select a location and provide a new filename.
  12. Click Save.
  13. Click Next.
  14. Click Finish. You will see a message which says, "The export was successful." If you right-click the newly named certificate file and go to its Properties, you will see Security Certificate (.Cer) next to the label Type of file. Upload this new security certificate in BMS.
  15. Go to BMS > Admin > My Company > Auth & Provision > Upload Certificate.
  16. Click Save.
  17. Add the following attributes:
    • Map attributes section
      IdP Attribute      SAML Response Attribute
      <Email Address>    email
      <First Name>       firstname
      <Last Name>        lastname
      <Username>         username
    • Create attributes section

      NOTE   You should create a custom attribute in Duo as it is not provided by default in the application.

      • Name: Enter CompanyName.
      • Value: Enter the BMS company name. You can find the company name by navigating to Login > Your profile name > My Settings. You will find the company name just below your profile picture.

  18. In the Settings section, do the following:
    • Name: Enter Kaseya BMS.
    • Voice greeting: Enter Welcome to Duo.
  19. Click Save.
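
The certificate export in steps 3 to 14 above changes only the file's encoding (DER binary to Base-64), so the certificate's fingerprint must be identical before and after. The following script is an added example, not part of the original guide or of Duo or BMS tooling: it accepts either encoding, writes the Base-64 form, and reports the SHA-256 fingerprint so the downloaded and exported files can be compared before upload. The function name and the sample bytes are assumptions made for illustration.

```python
import hashlib
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

# Constructed placeholder bytes (an ASN.1 SEQUENCE tag plus filler), NOT a real
# certificate. The script checks the file encoding, not certificate validity.
SAMPLE_DER = b"\x30\x0a" + bytes(range(10))


def normalize_certificate(data: bytes) -> tuple[str, str]:
    """Return (Base-64 .cer text, SHA-256 fingerprint) for a DER or Base-64 file."""
    # Ignoring non-ASCII bytes also drops a UTF-8 byte-order mark, if present.
    text = data.decode("ascii", errors="ignore").strip()
    if text.startswith(PEM_HEADER):
        # Already "Base-64 encoded X.509"; recover the DER bytes to hash them.
        der = ssl.PEM_cert_to_DER_cert(text)
    elif data[:1] == b"\x30":
        # "DER encoded binary X.509" always begins with an ASN.1 SEQUENCE tag.
        der = data
    else:
        raise ValueError("not a DER or Base-64 encoded X.509 certificate")
    pem = ssl.DER_cert_to_PEM_cert(der)
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return pem, fingerprint


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python script.py <downloaded file> <output .cer file>
        with open(sys.argv[1], "rb") as fh:
            pem_text, fp = normalize_certificate(fh.read())
        with open(sys.argv[2], "w", newline="\n") as fh:
            fh.write(pem_text)
        print(f"wrote {sys.argv[2]}")
    else:
        # No arguments: run on the constructed sample to show the output shape.
        pem_text, fp = normalize_certificate(SAMPLE_DER)
        print(pem_text, end="")
    print(f"SHA-256 fingerprint: {fp}")
```

Run it once on the file downloaded from Duo and once on the file produced by the export wizard; the two fingerprints should match.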

Single sign-on

  1. Once the application is created, it should be added to the Duo Home screen. Go to Duo > Single Sign-on > Duo Central > Add tile.
  2. Next, click Add application tile. You will see a list of applications.
  3. Click Kaseya BMS. It is now added to the Duo Home screen.

Duo authentication

Click the Kaseya BMS application. It will push the Duo authentication.