# Cisco Duo

{% hint style="info" %}
This feature is available in the **Premium plan and higher**.
{% endhint %}

{% hint style="danger" %}
**Remember to grant your users access permissions to GoodAccess. Users without them won't be able to log in.**
{% endhint %}

## Prerequisites

* Enabled [**Duo Single Sign-On**](https://duo.com/docs/sso#enable-duo-single-sign-on)
* Configured [**Authentication Source**](https://duo.com/docs/sso#configure-your-authentication-source)

## Step 1 - Adding a new identity provider

[Log in to the GoodAccess **Control Panel**, and go to **Settings** > **SSO & Identity**.](https://app.goodaccess.com/sso-and-identity/)

Click **+ Add provider**, enter the **Provider name**, choose your **Identity Provider**, and click **Continue**.

## Step 2 - Setting up Single Sign-On with SAML

Log in to the [Duo Admin Panel](https://admin.duosecurity.com/), and go to **Applications** > **Protect an Application**.

Search for **Generic SAML Service Provider**, and click **Protect**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FCaECCTGh5ANCfAGGNAwc%2FFeatures_SSO_Duo_01.png?alt=media&#x26;token=b889acda-f2be-4b9d-b233-7e372551da26" alt="Duo Admin Panel with key steps to protecting a new application."><figcaption><p>Protecting a new application</p></figcaption></figure>

### 1. Metadata

Click **Download certificate**, and open the file in a text editor (e.g. Notepad).

Copy the details to GoodAccess - **(3) Identity Provider links**.

* **Sign in URL** - Single Sign-On URL
* **Entity ID** - Entity ID
* **X509** **signing certificate** - Copy the certificate from the text editor

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Finuni5m5Z3aXMVncrp6s%2FFeatures_SSO_Duo_02.png?alt=media&#x26;token=909b04aa-0ff2-4f13-93d3-daad2cec761d" alt="Duo Admin Panel with key steps to setting up the Identity Provider details."><figcaption><p>Setting up the Identity Provider details</p></figcaption></figure>

### 2. Service Provider

Copy the details from GoodAccess - **(2) GoodAccess links**.

* **Metadata Discovery** - None (manual input)
* **Entity ID** - Entity ID
* **ACS URL** - Assertion Consumer Service URL
* **Service Provider Login URL** - Login URL
* **Default Relay State** - Relay State

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Fe62yfIsqJJKLXZbLDTfp%2FFeatures_SSO_Duo_03.png?alt=media&#x26;token=e001f613-53f2-4e32-adfe-475ffa23ff75" alt="Duo Admin Panel with key steps to setting up the Service Provider details."><figcaption><p>Setting up the Service Provider details</p></figcaption></figure>

### 3. SAML Response

* **NameID format** - urn:oasis:names:tc:**SAML:2.0**:nameid-format:**persistent**
* **NameID attribute** - \<Email Address>
* **Signature algorithm** - SHA256
* **Signing options** - Sign response

#### Map atttibutes

| IdP Attribute    | SAML Response Attribute |
| ---------------- | ----------------------- |
| \<Email Address> | email                   |
| \<Username>      | name                    |

Scroll down to the bottom of the page and click **Save**.

Return to GoodAccess, skip the next step, and click **Submit**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F8Q2uiiBU4QYPc5anjInF%2FFeatures_SSO_Duo_04.png?alt=media&#x26;token=2c7010a1-a1ab-4c0e-90fb-51d8f7207337" alt="Duo Admin Panel with key steps to setting up the SAML Response details."><figcaption><p>Setting up the SAML Response details</p></figcaption></figure>

You have now successfully set up your Cisco Duo SSO with GoodAccess.