Prerequisites
A Duo Access Gateway with Launcher configured
Duo Access Gateway server address in Trusted Sites of local machines (e.g. https://servername.domain.com/)
File Upload and Download policies enabled for Certificate Management
Silo Admin Console
Configure Vanity URL value
Enable SAML SSO
Download the SP Encryption Certificate SP_cert.crt to your local machine
Do not click Save — leave page open
Duo — Add Silo as an Application
In the Duo Admin Portal, click Applications > Protect an Application
Type in SAML - Service Provider > click Protect this Application
Label your app (e.g., Silo for Safe Access) > click Next
Copy the SP Entity ID from the Silo Admin Console and paste into the Duo Entity ID field
Copy the SP Post Back URL from the Silo Admin Console and paste into the Assertion Consumer Service field
Enter 2 (Installed Client) or 4 (Web Client) as the Default Relay State value
Click Save
Click Download your configuration file to save a JSON copy of the app
Navigate to Settings > General > change the Name to your App Name > Save changes
Duo — Encrypt SAML response and Disable spFirst
Open the SP_cert.crt file downloaded from the Silo Admin Console in a plain-text editor (e.g., Notepad++, TextWrangler)
Delete the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- separator lines
Remove all line breaks so the certificate text is one long string of characters
Open the JSON copy of the app in the Add Silo as an application step
Between "simplesaml.attributes": false, and "simplesaml.nameidattribute": "mail", add the following two lines (the first two lines below are the additions; the third is the existing nameidattribute line, shown for context):
"assertion.encryption": true,
"certData": "CERTDATA",
"simplesaml.nameidattribute": "mail",
Copy the contents of the edited SP_cert.crt file in place of CERTDATA — ensure you leave the quotes intact and the certificate text is just one long string of characters
Change spFirst to false, i.e. "spFirst": false,
Save changes to the JSON app
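Hand-editing the certificate and the JSON export is where most mistakes happen (a leftover line break inside certData or a missing comma are the usual causes of the "Invalid JSON file" error on upload). The following script is an added example, not Duo's or Authentic8's code, that performs the same steps mechanically: it strips the PEM separators and line breaks from SP_cert.crt, checks the result is valid base64, sets "assertion.encryption", "certData" and "spFirst" in the JSON app, and confirms the output parses before you upload it. It assumes the DAG export is a flat JSON object containing the keys shown above; the sample certificate and config embedded below are constructed placeholders, not real data.

```python
"""Helper for the 'Encrypt SAML response and Disable spFirst' step.

Added example, not Duo's or Authentic8's code. Assumes the DAG JSON export
is a flat JSON object with the keys shown on the page ("simplesaml.attributes",
"simplesaml.nameidattribute", "spFirst") and that SP_cert.crt is PEM-encoded.
"""
import base64
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def flatten_pem(pem_text: str) -> str:
    """Return the certificate body as a single base64 line.

    Equivalent to the manual steps: delete the BEGIN/END separator lines and
    remove every line break (CRLF or LF) so one long string remains.
    """
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no BEGIN/END CERTIFICATE block found in SP_cert.crt")
    body = re.sub(r"\s+", "", match.group(1))
    # Fail early if an editing mistake left a non-base64 character behind.
    base64.b64decode(body, validate=True)
    return body


def json_problem(text: str):
    """Return None if text is valid JSON, else a message locating the error
    (the cause behind the DAG's bare 'Invalid JSON file' message)."""
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as err:
        return f"line {err.lineno}, column {err.colno}: {err.msg}"


def load_config(text: str) -> dict:
    """Parse the DAG app JSON, raising a descriptive error instead of a bare one."""
    problem = json_problem(text)
    if problem is not None:
        raise ValueError(f"invalid JSON at {problem}")
    return json.loads(text)


def add_encryption(config: dict, cert_b64: str) -> dict:
    """Return a copy of the app config with the two added keys and spFirst off.

    JSON objects are unordered, so the keys do not have to sit between
    simplesaml.attributes and simplesaml.nameidattribute to be accepted.
    """
    if "\n" in cert_b64 or "\r" in cert_b64 or "-----" in cert_b64:
        raise ValueError("certData must be one base64 line without PEM separators")
    patched = dict(config)
    patched["assertion.encryption"] = True
    patched["certData"] = cert_b64
    patched["spFirst"] = False
    return patched


def patch_config_text(config_text: str, pem_text: str) -> str:
    """Full pipeline: parse export, flatten certificate, patch, re-serialise,
    and round-trip the result so what gets uploaded is known to parse."""
    patched = add_encryption(load_config(config_text), flatten_pem(pem_text))
    out = json.dumps(patched, indent=2)
    load_config(out)
    return out


# --- constructed sample input: placeholder bytes, not a real certificate ---
SAMPLE_CERT_B64 = base64.b64encode(
    b"placeholder certificate bytes, not a real cert " * 3
).decode()
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(SAMPLE_CERT_B64[i:i + 64] for i in range(0, len(SAMPLE_CERT_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)
# Constructed stand-in for the downloaded DAG app export (only keys the page names).
SAMPLE_CONFIG = """{
  "simplesaml.attributes": false,
  "simplesaml.nameidattribute": "mail",
  "spFirst": true
}"""

if __name__ == "__main__":
    # Real use: read SP_cert.crt and the exported JSON from disk, write the
    # returned text to a new file, then upload that file to the DAG.
    print(patch_config_text(SAMPLE_CONFIG, SAMPLE_PEM))
```

Running the script prints the patched JSON for the constructed sample; for a real deployment, read SP_cert.crt and the exported app JSON from disk, pass their contents to patch_config_text, and upload the file it returns. If json_problem reports a location, that is the line to inspect for a missing comma or a stray line break before retrying the upload.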
Duo — Provision Silo App to the Duo Access Gateway (DAG)
Sign in to DAG at https://servername.domain.com/dag
Click Applications > File > select JSON app > click Upload
Silo Admin Console
All the following Duo information is found in the Duo Access Gateway > Applications > Metadata section
IdP Issuer: DAG Entity ID
IdP Login URL: DAG SSO URL
IdP Signing Certificate: dag.crt
Click Save
Troubleshooting
• Verbose logging can be enabled for troubleshooting purposes
- Log in to DAG at https://servername.domain.com/dag
- Click Settings
- Scroll down to General > check Verbose logging > click Save Settings
- Retry SAML SSO authentication — the verbose logs will be available in \\servername\c$\inetpub\wwwroot\dag\log\dag.log
• For the error message Invalid JSON file when uploading a modified JSON file into the DAG, ensure you have a comma after every line and that all hard returns have been removed from the certificate text
Please contact Support for any additional questions