How Do I Configure SSO/SAML with Duo?

The below steps will allow you to configure single sign-on with Duo SSO. This will enable your users to automatically sign-in to KnowBe4 for their security awareness training.

You'll need a Duo subscription to follow the steps below. For additional assistance, review Duo's documentation.

1. From the Duo Admin Panel, navigate to Applications > Protect an Application.
2. Search for SAML – Service Provider.
3. Select Protect this Application.
4. Enter the following information in the Service Provider section:
   
   

   Service provider name	Enter the name you want to be associated with this login
   Entity ID	KnowBe4 Or, if a unique entity ID was generated for your KnowBe4 account, use the ID shown in your Account Settings.
   Assertion Customer Service	Enter the Callback URL
   Single Logout URL (Optional)	Enter the Sign out URL
   Service Provider Login URL (Optional)	Enter the Sign in URL

   Note:

   The Callback URL, Sign in URL, and Sign out URL can be found under the SAML section of your Account Settings page. Navigate to this area by clicking your email address in the top-right, then click Account Settings.

5. In the SAML Response Fields, select the following options:
   
   

   NameID format	urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
   NameID attribute	mail
   Send attributes	NameID
   Sign response	Make sure the "Cryptographically sign response for verification by your service provider" box is checked.

   Leave all other fields at their default settings. 

6. Click Save Configuration to save your changes.
7. Click Download your configuration file to export the configuration via .json file to your Duo Access Gateway Admin server.
8. Next, you will need to upload the configuration file. You can do this from the Duo Access Gateway server's console. Click the Configure icon.
9. Select the .json file you exported. Then, click Upload.
10. To finish configuring SAML to your KnowBe4 account, please follow the instructions listed in this article.