Prerequisites

  • A Duo Access Gateway with Launcher configured

  • Duo Access Gateway server address in Trusted Sites of local machines (e.g. https://servername.domain.com/)

  • File Upload and Download policies enabled for Certificate Management


Silo Admin Console

  1. Configure Vanity URL value

  2. Enable SAML SSO

  3. Download the SP Encryption Certificate SP_cert.crt to your local machine

  4. Do not click Save — leave the page open


Duo — Add Silo as an Application

  1. In the Duo Admin Portal, click Applications > Protect an Application

  2. Type in SAML - Service Provider > click Protect this Application

  3. Label your app (e.g., Silo for Safe Access) > click Next

  4. Copy the SP Entity ID from the Silo Admin Console and paste into the Duo Entity ID field

  5. Copy the SP Post Back URL from the Silo Admin Console and paste into the Assertion Consumer Service field

  6. Enter 2 (Installed Client) or 4 (Web Client) as the Default Relay State value

  7. Click Save

  8. Click Download your configuration file to save a JSON copy of the app

  9. Navigate to Settings > General > change the Name to your App Name > Save changes


Duo — Encrypt SAML response and Disable spFirst

  1. Open the SP_cert.crt file downloaded from the Silo Admin Console in a text editor application (e.g., Notepad++, TextWrangler)

  2. Delete the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- separators

  3. Remove all line breaks so the certificate text is one long string of characters

  4. Open the JSON copy of the app downloaded in the Add Silo as an Application step

  5. Between "simplesaml.attributes": false, and "simplesaml.nameidattribute": "mail", add the two lines "assertion.encryption" and "certData" shown below (the existing lines before and after them are included for context):


"simplesaml.attributes": false,
"assertion.encryption": true,
"certData": "CERTDATA",
"simplesaml.nameidattribute": "mail",


  6. Copy the contents of the edited SP_cert.crt file in place of CERTDATA — ensure you leave the quotes intact and the certificate text is just one long string of characters

  7. Modify spFirst to false — e.g., "spFirst": false,

  8. Save changes to the JSON app
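The certificate and JSON edits in the steps above are easy to get wrong by hand (a stray line break inside the certificate text, a missing comma). The script below is an added example, not part of the original guide or of any Duo or Authentic8 tooling; it performs the same edits programmatically: it strips the PEM separators and line breaks from SP_cert.crt, inserts "assertion.encryption" and "certData" immediately after "simplesaml.attributes", and sets "spFirst" to false. The sample certificate and the minimal app JSON embedded in it are constructed stand-ins (the real downloaded file contains many more keys, which the script leaves untouched in their original order).

```python
import json
import re

# Constructed sample PEM (not a real certificate): two placeholder body lines
SAMPLE_SP_CERT = """-----BEGIN CERTIFICATE-----
MIIBsampleLINE1
MIIBsampleLINE2
-----END CERTIFICATE-----
"""

# Constructed minimal stand-in for the JSON file downloaded from Duo
SAMPLE_APP_JSON = """{
  "spFirst": true,
  "simplesaml.attributes": false,
  "simplesaml.nameidattribute": "mail"
}"""


def pem_to_single_line(pem_text):
    """Drop the BEGIN/END separators and every line break, returning the
    base64 body as one string (steps 2 and 3 of the guide)."""
    body_lines = []
    for line in pem_text.splitlines():
        line = line.strip()
        if not line or line.startswith("-----"):
            continue
        body_lines.append(line)
    body = "".join(body_lines)
    # A PEM body is base64; anything else means the wrong file was used
    if not body or not re.fullmatch(r"[A-Za-z0-9+/=]+", body):
        raise ValueError("certificate body is empty or not base64")
    return body


def encrypt_and_disable_spfirst(app_json_text, pem_text):
    """Return the app configuration as a dict with the two encryption keys
    inserted after "simplesaml.attributes" and spFirst set to false.
    Other keys keep their original order (dicts preserve insertion order)."""
    app = json.loads(app_json_text)
    if "simplesaml.attributes" not in app or "spFirst" not in app:
        raise KeyError("expected Duo app JSON with simplesaml.attributes and spFirst")
    cert_data = pem_to_single_line(pem_text)
    edited = {}
    for key, value in app.items():
        if key in ("assertion.encryption", "certData"):
            continue  # re-inserted below at the position the guide specifies
        if key == "spFirst":
            value = False
        edited[key] = value
        if key == "simplesaml.attributes":
            edited["assertion.encryption"] = True
            edited["certData"] = cert_data
    return edited


def to_json(app):
    """Serialise with json.dumps so the result is always valid JSON."""
    return json.dumps(app, indent=2)


if __name__ == "__main__":
    # Replace the two constructed samples with open("SP_cert.crt").read()
    # and open("<downloaded app>.json").read() for a real run.
    print(to_json(encrypt_and_disable_spfirst(SAMPLE_APP_JSON, SAMPLE_SP_CERT)))
```

Because the output is produced by json.dumps rather than by hand, the comma and line-break mistakes that cause the DAG's Invalid JSON file error cannot occur; the only hand step left is uploading the result.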


Duo — Provision Silo App to the Duo Access Gateway (DAG)

  1. Sign in to DAG at https://servername.domain.com/dag

  2. Click Applications > File > select JSON app > click Upload


Silo Admin Console

All of the following Duo values are found in the Duo Access Gateway under Applications > Metadata.


IdP Issuer: the DAG Entity ID

IdP Login URL: the DAG SSO URL

IdP Signing Certificate: dag.crt

Click Save



Troubleshooting
Verbose logging can be enabled for troubleshooting purposes.

  1. Log in to DAG at https://servername.domain.com/dag

  2. Click Settings

  3. Scroll down to General > check Verbose logging > click Save Settings

  4. Retry SAML SSO authentication; the verbose logs will be available in \\servername\c$\inetpub\wwwroot\dag\log\dag.log


For the error message Invalid JSON file when uploading a modified JSON file into the DAG, ensure that each line you added ends with a comma and that all of the hard returns have been removed from the certificate text.
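The following checker is an added example (not part of the original guide or of the DAG) for diagnosing the Invalid JSON file error before uploading a hand-edited app file. It reports where the JSON parser fails, points at lines that appear to be missing a trailing comma, and, once the file parses, verifies that certData contains no separators or line breaks and that the two settings the guide changes are present. The two embedded app files are constructed samples; the first deliberately contains both mistakes the troubleshooting note describes.

```python
import json
import re

# Constructed hand-edited app JSON with both common mistakes: no comma after
# "assertion.encryption" and a line break left inside the certificate text.
BAD_APP_JSON = '''{
  "spFirst": false,
  "simplesaml.attributes": false,
  "assertion.encryption": true
  "certData": "MIIBsampleLINE1
MIIBsampleLINE2",
  "simplesaml.nameidattribute": "mail"
}'''

# Constructed app JSON edited correctly
GOOD_APP_JSON = '''{
  "spFirst": false,
  "simplesaml.attributes": false,
  "assertion.encryption": true,
  "certData": "MIIBsampleLINE1MIIBsampleLINE2",
  "simplesaml.nameidattribute": "mail"
}'''


def lint_app_json(text):
    """Return a list of problems found in the edited app JSON.
    An empty list means the file parses and has the expected shape."""
    problems = []
    try:
        app = json.loads(text)
    except json.JSONDecodeError as err:
        problems.append(
            f"JSON parse error at line {err.lineno}, column {err.colno}: {err.msg}")
        # Heuristic: a line that does not end with a comma (or an opening
        # bracket) while the next line starts a new "key" is missing a comma.
        lines = text.splitlines()
        for i in range(len(lines) - 1):
            cur, nxt = lines[i].rstrip(), lines[i + 1].lstrip()
            if cur and not cur.endswith((",", "{", "[")) and nxt.startswith('"'):
                problems.append(f"line {i + 1} may be missing a trailing comma")
        return problems

    cert = app.get("certData")
    if cert is None:
        problems.append("certData is missing")
    else:
        if "-----" in cert:
            problems.append("certData still contains the BEGIN/END CERTIFICATE separators")
        if re.search(r"\s", cert):
            problems.append("certData contains whitespace or line breaks")
    if app.get("assertion.encryption") is not True:
        problems.append('"assertion.encryption" is not set to true')
    if app.get("spFirst") is not False:
        problems.append('"spFirst" is not set to false')
    return problems


if __name__ == "__main__":
    # For a real file: lint_app_json(open("<edited app>.json").read())
    for name, sample in (("bad", BAD_APP_JSON), ("good", GOOD_APP_JSON)):
        print(name, lint_app_json(sample) or "no problems found")
```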



Please contact Support for any additional questions