Windows Users - open the Silo client directly when registry keys are configured as outlined in our SAML SSO for Silo Access article.
Windows and Mac Users - Click on the a8 Silo app in the Duo Access Gateway Launcher
A Duo Access Gateway with Launcher configured
Duo Access Gateway server address added to Trusted Sites on client machines, e.g. https://servername.domain.com/
File Upload and Download enabled for the Silo user you will be using to configure Duo.
A8 Admin Console
Enable Portal and define a company identifier, e.g. mitchmurray (fictional customer).
Download the SP Encryption Certificate SP_cert.crt to your computer.
Do not click Save; leave the page open.
Duo - Add Silo as an application
In the Duo admin portal, click Applications > Protect an Application.
Type SAML - Service Provider, then click Protect this Application.
Name your app, e.g. a8 Silo, and click Next.
Copy the SP Entity ID from AC and paste it into the Duo Entity ID box
Copy the SP Post Back URL into the Assertion Consumer Service box
Enter 2 for Default Relay State
Click Download your configuration file to save the JSON copy of your app.
Scroll down to Settings > General and change the Name to your App Name, save changes
Duo - modify the JSON app to encrypt the SAML response and disable spFirst
Open the SP_cert.crt file you downloaded from the Silo Admin Console in a text editor application (Notepad++ is a good option).
Delete the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
Remove all returns so your certificate text is one long string of characters.
Open the JSON copy of your app you created in the “Add Silo as an application” step.
Between "simplesaml.attributes": false, and "simplesaml.nameidattribute": "mail", you'll want to add the following 2 bolded sections.
Copy the contents of your edited SP_cert.crt file in place of CERTDATA - ensure you leave the quotes intact and that your cert is just one long string of characters.
Modify spFirst to false, so that the entry reads: "spFirst": false,
Save your JSON app.
Duo - Adding your app to the Duo Access Gateway (dag)
Sign in to the dag at https://servername.domain.com/dag
Click Applications, Choose File then select your newly edited JSON app, click Upload.
A8 Admin Console
All the following Duo information is found in the Duo Access Gateway > Applications > Metadata section
IdP Issuer: DAG Entity ID
IdP Login URL: DAG SSO URL
IdP Signing Certificate: dag.crt
Be sure to click Save when done.
If something is not working, you can get a good idea of the issue by enabling Verbose Logging and checking the log.
Log in to the dag at https://servername.domain.com/dag
Scroll down to General, check Verbose logging, and click Save Settings.
Try your authentication again; the logs will be in \\servername\c$\inetpub\wwwroot\dag\log\dag.log
If you get the error "Invalid JSON file" when uploading your edited JSON file to the DAG, ensure you have a comma after every line in the JSON file and that you removed all of the hard returns in the certificate.
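Added example, not part of the original article or of Duo's or Authentic8's tooling: a Python helper that flattens the certificate as described in the "modify the JSON app" steps and checks the edited JSON for the causes of "Invalid JSON file" before you upload it. The certificate bytes and the EXAMPLE_CERT_KEY key name are constructed placeholders; only CERTDATA, spFirst and the two simplesaml keys come from the article.

```python
import base64
import json

# Constructed placeholder bytes (not a real certificate), PEM-wrapped with CRLF.
SAMPLE_DER = b"\x30\x82\x00\xc8" + bytes(range(200))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              + "\r\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
              + "\r\n-----END CERTIFICATE-----\r\n")

def flatten_pem(pem_text):
    """Drop the BEGIN/END lines and all line breaks; return one base64 string."""
    lines = (ln.strip() for ln in pem_text.splitlines())
    one_line = "".join(ln for ln in lines if ln and not ln.startswith("-"))
    der = base64.b64decode(one_line, validate=True)  # raises on stray characters
    if not der.startswith(b"\x30"):  # a DER certificate begins with a SEQUENCE tag
        raise ValueError("decoded data does not look like a certificate")
    return one_line

def find_key(node, key):
    """Yield every value stored under `key` at any depth of the parsed JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)

def check_app_json(text):
    """Return a list of problems found in the edited JSON app (empty if none)."""
    try:
        app = json.loads(text)  # rejects raw line breaks inside a string value
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    problems = []
    if "CERTDATA" in text:
        problems.append("CERTDATA placeholder was not replaced")
    values = list(find_key(app, "spFirst"))
    if not values or any(v is not False for v in values):
        problems.append("spFirst is not set to false")
    return problems

def sample_app(cert, sp_first="false"):
    """Constructed JSON text; EXAMPLE_CERT_KEY is a hypothetical key name."""
    return ('{"simplesaml.attributes": false, "EXAMPLE_CERT_KEY": "%s", '
            '"spFirst": %s, "simplesaml.nameidattribute": "mail"}' % (cert, sp_first))
```

Run flatten_pem on the text of SP_cert.crt and check_app_json on the text of the edited JSON file; an empty list means none of these three problems was found.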