How Do I Configure SSO/SAML with Duo?
The below steps will allow you to configure single sign-on with Duo SSO. This will enable your users to automatically sign-in to KnowBe4 for their security awareness training.
You'll need a Duo subscription to follow the steps below. For additional assistance, review Duo's documentation.
- From the Duo Admin Panel, navigate to Applications > Protect an Application.
- Search for SAML – Service Provider.
- Select Protect this Application.
- Enter the following information in the Service Provider section:
Service provider name Enter the name you want to be associated with this login Entity ID KnowBe4 Assertion Customer Service
Enter the Callback URL
Single Logout URL (Optional)
Enter the Sign in URL
Service Provider Login URL (Optional)
Enter the Sign out URL
The Callback URL, Sign in URL, and Sign out URL can be found under the SAML section of your Account Settings page. Navigate to this area by clicking your email address in the top-right, then click Account Settings.
- In the SAML Response Fields, select the following options:
NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress NameID attribute Send attributes NameID
Leave all other fields at their default settings.
- Click Save Configuration to save your changes.
- Click Download your configuration file to export the configuration via .json file to your Duo Access Gateway Admin server.
- Next, you will need to upload the configuration file. You can do this from the Duo Access Gateway server's console. Click the Configure icon.
- Select the .json file you exported. Then, click Upload.
- Contact KnowBe4 support to complete the configuration. You will need to provide them with your Duo Access Gateway SHA1 Fingerprint and the target URL. To retrieve the SHA1 Fingerprint and target URL:
- Log in to your Duo Access Gateway administrative page and select Applications. Under the Metadata section, you'll find the SHA-1 Fingerprint and the SSO URL (this is the target URL).