Configure Duo SSO with LCvista
Duo SSO can be configured using SAML 2.0. This service can act as an identity provider that authenticates users or prompt for two-factor authentication before permitting access into LCvista.
While you can complete the configuration steps for both Active Directory and SAML authentication sources, only one type of authentication source may be enabled for use at a time.
Please note that per guidance from Duo Support, this SSO integration only supports static Assertion Consumer Service (ACS) URLs. *
As a result, your professionals may receive an error when attempting to access LCvista through links in notifications if the exact URL they access isn't added into the admin panel's accepted ACS URLs.
Please reference https://duo.com/docs/sso-generic for more information on their SSO documentation.
Follow these steps to successfully configure Duo SSO for your site.
1. Log in to your Duo Admin Panel as an administrator and then follow these steps:
- Select Single Sign-On in the navigation bar on the left.
-
Review the information on the Single Sign-On page. If you agree to the terms, check the box and then click Activate and Start Setup.
- On the Customize your SSO subdomain page you can specify a subdomain you'd like your users to see when they are logging in with Duo SSO.
- Your subdomain should match your LCvista site prefix. For example, if your LCvista URL is https://acme.lcvista.com then your Duo subdomain would be acme.
- Click Save and continue to use the desired subdomain.
-
On the Add Authentication Source page under SAML Identity Provider, click Add SAML Identity Provider.
- You can configure this to work with Azure and follow the instructions within Duo's documentation. Or, you can choose the Generic SAML Service Provider application.
2. On the Single Sign-On Configuration page scroll down to 1. Configure your SAML Identity Provider. This is the Duo Single Sign-On metadata information you'll need to add into LCvista once the configuration is complete.
- Configure your SAML identity provider to:
- Send a NameIDFormat of urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
- The NameID attribute should match your users' Duo and LCvista usernames.
- Send a NameIDFormat of urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
- On the Single Sign-On Configuration page scroll down to 2. Configure SAML Identity Provider's Attributes. Attribute names must be sent to Duo Single Sign-On corresponding to the "Attribute Name Sent" column below.
Bridge Attribute SAML IdP Attribute Attribute Name Sent <Email Address> Email Address Email <Username> Username Username <First Name> First Name FirstName <Last Name> Last Name LastName - Once you've set the attributes you can proceed to the next section.
- On the Single Sign-On Configuration page scroll down to 3. Configure Duo Single Sign-on and enter the following settings.
- Note that you will need to replace <site prefix> with your specific site prefix. This is typically the name of your company in lower case.
- Display Name: LCvista - SAML
- Entity ID: https://<site prefix>.LCvista.com/
-
Assertion Consumer Service (ACS) URL *: Add https://<site prefix>.LCvista.com/complete/saml/, https://<site prefix>.LCvista.com/complete/saml/?next=, and https://<site prefix>.LCvista.com/complete/saml/?next=%2F
- Single Logout URL: This can be left blank or set to https://<site prefix>.LCvista.com/logout/
- Service Provider Login URL: https://<site prefix>.LCvista.com/complete/saml/
-
Default Relay State: In order to launch LCvista directly from Duo, enter your organization slug (Example: acme or idpname used above). This slug typically matches your site prefix. Work with LCvista to get your organization slug.
3. Complete the SAML Response section as follows.
- NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:usernameAttribute.
- NameID attribute: This should match the expected username value in LCvista.
-
Signature algorithm: SHA256
-
Signing options: Check both boxes for Sign response and Sign assertion
-
Map attributes and Create attributes: You will map your desired IdP Attributes to the SAML Response Attribute.
-
It is in this section that you can customize the username to be used when connecting to LCvista. The Duo username value should correspond to the LCvista username.
- In the screenshot above you can see examples of the type of attributes. Duo provides the ability to add attributes on user profiles and reference those attributes in application claims. Please see Duo documentation for how to accomplish this per your organization.
-
Click on the + button to add as many custom claim attributes as you would like.
-
- Role attributes: Map groups and Service Provider Roles that should have access to this application.
- Scroll to the bottom of this page and click Save.
- You can also activate the Universal Prompt. Activating it for one application does not change the login experience for your other Duo applications.
- The "Universal Prompt" area of the application details page shows that this application is "New Prompt Ready", with these activation control options:
- Show traditional prompt: (Default) Your users experience Duo's traditional prompt when logging in to this application.
- Show new Universal Prompt: Your users experience the Universal Prompt when logging in to this application.
- Enable the Universal Prompt experience by selecting Show new Universal Prompt, and then scrolling to the bottom of the page to click Save.
- You will then return to the Single Sign-On Configuration page, and take the information from 1. Configure your SAML Identity Provider to get the details needed to update LCvista.
4. Update the SAML Configuration in LCvista
- Login to LCvista as an administrator with access to the Organization menu.
- Select Settings within the Organizations menu.
- Select Enable SAML login.
- Copy the following values from Duo into the LCvista SAML Config option:
- Entity ID: URL from the Identity Provider Issuer field under Metadata.
- URL: URL in the Identity Provider Single Sign-On URL field under Metadata.
- x509 Certificate: Certificate can be found under Downloads. Select the entire text between --BEGIN CERTIFICATE-- and --END CERTIFICATE-- in the X.509 Certificate field.
- In LCvista, map the Attribute Names as defined in Duo from step 2 above:
- First name attribute: firstName
- Last name attribute: lastName
- Email attribute: emailAddress
- Username attribute: Your NameID attribute value
Note: The only required mapping is Username. All other mappings are optional and can be set to “-” in LCvista. If First name, Last name and Email attributes are mapped, then these values will be updated in LCvista to the value in Duo.
- Click Save on the LCvista Organization page.
5. Authorize users in Duo
- The final step is to ensure that users in Duo have permission to the Duo application under the Role attributes section.
6. Test Authentication
- Navigate to your site's login page at https://<SITE PREFIX>.LCvista.com/<SITE PREFIX>/login/ and select Login with SAML.