This document outlines the identity-provider-specific steps required to configure a Duo SSO application for the Cirrus Enterprise Bridge. For the full process, visit Getting Started with Cirrus Bridge. You will follow these steps for each new application that you add.
To complete these steps, you will need the information for at least the default profile that you created from the Authentication Profiles for Cirrus Bridge page.
Additionally, each unique authentication profile requires its own Duo application. An authentication profile includes the NameID format and value, set of attributes, and set of signing and encryption settings. A typical implementation will include the default profile(s) for each protocol, and then one or more additional profiles if required by the service providers. Your Cirrus Implementation Lead will work with you to develop these additional profiles and provide support for configuration. While the default application can support multiple Entity IDs, Duo only allows a single Entity ID or Entity category per application for additional applications.
In the Duo SSO Admin interface, you will create a new application of type ‘Generic SAML Service Provider - Single Sign-On’.
Now that the application is created, you will enter the configuration information in subsequent steps.
First, give your application a name that is meaningful to you and indicates its function. Then decide whether to enable access for all users or limit it to a specific group. Generally, we recommend enabling access for all users, unless your institution has a security policy that limits sign-on for specific groups.
For Duo, the Cirrus Bridge is considered a Service Provider. Since it sits in between Duo and the applications, it acts as a service provider to Duo and an identity provider to downstream applications. In this step, you will add the Service Provider configuration. Metadata Discovery should be set to ‘None (manual input)’ and then you will enter the values provided by Cirrus for Entity ID, Assertion Consumer Service (ACS) URL, and Single Logout URL. The additional field should be left blank.
Here you will set the NameID format, Signature Algorithm, Signing Options, and Map Attributes. Please refer to the list you created from the Authentication Profiles for Cirrus Bridge page to configure these attributes.
For the REFEDS MFA context, your institution can assert that MFA is required for all users by sending a custom attribute. The attribute name is ‘cirrus.rule.authnContext’ and the value is ‘https://refeds.org/profile/mfa’.
The Policy, Global Policy, and Settings sections may be filled out per your institution’s security and compliance policies. They affect the user experience when logging into Duo and are up to customers to implement as they see fit.
Scroll all the way to the bottom of the screen to find the ‘Save’ button and press it to save your application.
Now that your Enterprise Bridge is configured within Duo SSO, please return to the Testing section of the Getting Started documentation to test your Bridge.
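When testing, it helps to confirm that the assertion Duo sends carries the Service Provider values and the REFEDS MFA attribute configured above. The following is an added example, not part of the Cirrus or Duo documentation. It assumes you have a decoded, unencrypted SAML assertion (for example from a browser SAML tracer), and the Entity ID and ACS URL shown are placeholders for the values provided by Cirrus.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MFA_ATTR = "cirrus.rule.authnContext"         # attribute name from this page
MFA_VALUE = "https://refeds.org/profile/mfa"  # attribute value from this page

# Constructed sample assertion. The Recipient and Audience are placeholders;
# substitute the ACS URL and Entity ID provided by Cirrus.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://bridge.example.edu/acs"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://bridge.example.edu/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="cirrus.rule.authnContext">
      <saml:AttributeValue>https://refeds.org/profile/mfa</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, entity_id, acs_url):
    """Return a list of configuration problems in a decoded assertion.
    Inspection only: this does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    problems = []
    # Audience should be the Entity ID entered in the Service Provider section.
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include Entity ID {entity_id}")
    # Recipient should be the Assertion Consumer Service (ACS) URL.
    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        problems.append(f"Recipient {recipients} does not include ACS URL {acs_url}")
    # The custom attribute must be present with exactly the REFEDS MFA value.
    values = [v.text.strip()
              for attr in root.iterfind(".//saml:Attribute", NS)
              if attr.get("Name") == MFA_ATTR
              for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    if values != [MFA_VALUE]:
        problems.append(f"{MFA_ATTR} is {values}, expected ['{MFA_VALUE}']")
    return problems

if __name__ == "__main__":
    issues = check_assertion(SAMPLE, "https://bridge.example.edu/sp",
                             "https://bridge.example.edu/acs")
    print("OK" if not issues else "\n".join(issues))
```

An empty result means the three values match; each mismatch is reported with what the assertion actually contained.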