Issue: How do you configure DUO SSO with Proofpoint?
This document was written by one of the support techs while assisting us with a case.
It's separated into two sections:
- Configuring DUO SSO with SAML talking to Azure
- Configuring DUO SSO with Proofpoint.
DUO SSO basically acts as the intermediary.
This document is for configuring DUO and PPE with Azure as the authentication source.
This doc should be used as a quick snapshot and not as a dedicated reference point. For that,
please follow the instructions in KB article
Configure DUO SSO with SAML – Azure
- Single Sign-On
Add Source - SAML Identity Provider
The information shown under 1. Configure the SAML Identity Provider will be needed when we configure the SAML application in Azure.
At this point it would be best to have Microsoft Entra Admin Center open in another tab as well, as you will be copying and pasting information from DUO to Microsoft and vice versa.
- MS Entra Enterprise Application
- All the configuration information can be found at - https://duo.com/docs/sso#saml
- Click Applications → Enterprise Applications. Click + New application at the top of the screen.
- Click + Create your own application at the top of the gallery page.
- Give the application a name
- Select - Integrate any other application you don't find in the gallery (Non-gallery)
- Create
- Click on Single sign-on, then select SAML
- Configure Duo Single Sign-On
Copy the information from the Azure application, Step 4 – Set up testing
The only fields that are needed are:
- Display Name: Choose a name that makes it easy to remember what it is for
- Entity ID
- Single Sign-on URL
- Existing Certificate: Download this from the Azure app - Certificate (Base64)
- Save
In your Azure SSO app, copy the SAML Identity Provider information into the section below.
Microsoft only needs the Identifier (Entity ID) and the Reply URL (this is the ACS in DUO).
The main change I wish to point out here is the Attributes & Claims
Click the pencil icon next to "Attributes & Claims".
Under "Additional Claims" click ... then Delete and confirm the action next to each row and delete the four default claims.
Click + Add new claim at the top of the page. Use the information in the table below to add a total of five additional claims.
| Name | Namespace | Source | Source attribute |
|---|---|---|---|
| Email | Leave Empty | Attribute | user.mail |
| Username | Leave Empty | Attribute | user.userprincipalname |
| FirstName | Leave Empty | Attribute | user.givenname |
| LastName | Leave Empty | Attribute | user.surname |
| DisplayName | Leave Empty | Attribute | user.displayname |
- Save the settings. The authentication source is now created.
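To check the claims configuration against what Azure actually sends, the following added example (not part of the original document, and not Duo or Microsoft tooling) parses a decoded SAML assertion and reports which of the five claims are missing, empty, or still carry a namespace. The sample assertion is constructed, and the exact, case-sensitive name comparison and the URI-prefix test for namespaced claims are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The five claim names from the claims table on this page.
REQUIRED = ("Email", "Username", "FirstName", "LastName", "DisplayName")

# Constructed sample: DisplayName missing, LastName empty, one default claim left behind.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="Email">
   <saml:AttributeValue>alex@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Username">
   <saml:AttributeValue>alex@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="FirstName">
   <saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="LastName"><saml:AttributeValue/></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
   <saml:AttributeValue>alex@example.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def check_claims(assertion_xml):
    """Return (missing, empty, namespaced) claim names for one decoded assertion."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found.setdefault(attr.get("Name", ""), []).extend(values)
    # Assumption: names are compared exactly, including case.
    missing = [n for n in REQUIRED if n not in found]
    empty = [n for n in REQUIRED if n in found and not any(v.strip() for v in found[n])]
    # Assumption: a claim saved with a namespace appears with a URI-style Name.
    namespaced = [n for n in found if n.startswith(("http://", "https://"))]
    return missing, empty, namespaced


if __name__ == "__main__":
    missing, empty, namespaced = check_claims(SAMPLE)
    print("missing:", missing)
    print("empty:", empty)
    print("namespaced:", namespaced)
```

Run it against an assertion captured from a test sign-in of your own tenant; three empty lists mean the claims match the table.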
Configure DUO SSO – Proofpoint
https://duo.com/docs/sso-generic
- In DUO, go back to Applications and protect Generic SAML Service Provider
The following screen should load
- In Proofpoint, go to Identity providers and get the SSO information
- Copy these values into DUO
- Copy the DUO metadata from DUO into Proofpoint
- Download the certificate from the SSO – Downloads section (above, step 1)
Upload it in the Proofpoint certificate section
Save and enable
DUO can now be tested successfully