Configure Cisco DUO SSO with Proofpoint

Created by Yves Lacombe, Modified on Mon, 26 May at 3:31 PM by Yves Lacombe

Issue: How do you configure DUO SSO with Proofpoint?


This document was written by one of the support techs while assisting us with a case.   


It's separated into two sections:

  1. Configuring DUO SSO with SAML talking to Azure
  2. Configuring DUO SSO with Proofpoint.


DUO SSO basically acts as the intermediary.


This document is for configuring DUO and PPE with Azure as the authentication source.

This doc should be used as a quick snapshot and not a dedicated reference point. For that, please follow the instructions in KB article



Configure DUO SSO with SAML – Azure



  1. Single Sign-On

 


 

Add Source - SAML Identity Provider
 

The information provided in "1. Configure the SAML Identity Provider" will be needed when we configure the SAML application in Azure.

 

At this point it would be best to have Microsoft Entra Admin Center open in another tab as well, as you will be copying and pasting information from DUO to Microsoft and vice versa.

 

  1. MS Entra Enterprise Application
  • All the configuration information can be found at - https://duo.com/docs/sso#saml
  • Click Applications → Enterprise Applications. Click + New application at the top of the screen.
  • Click + Create your own application at the top of the gallery page.
  • Give Application a Name
  • Select - Integrate any other application you don't find in the gallery (Non-gallery)
  • Create
  • Click on Single sign-on, then select SAML

  1. Configure Duo Single Sign-On



 

Copy Information from the Azure Application Step 4 – Set up testing

The only fields that are needed are:

 

  • Display Name: Call this something that makes it easy to remember what it is for
  • Entity ID
  • Single Sign-on URL
  • Existing Certificate: Download this from the Azure app - Certificate (Base64)
  •  Save

  

 

In your Azure SSO app, copy the SAML identity provider information into the section below.

MS only needs the Identifier (Entity ID) and the Reply URL (this is the ACS in DUO).

 


 

The main change I wish to point out here is the Attributes & Claims

 

Click the pencil icon next to "Attributes & Claims".

 

Under "Additional Claims", click ... next to each row, then Delete, and confirm the action, until the four default claims are deleted.

 

Click + Add new claim at the top of the page. Use the information in the table below to add a total of five additional claims.

 

Name         Namespace    Source     Source attribute
Email        Leave empty  Attribute  user.mail
Username     Leave empty  Attribute  user.userprincipalname
FirstName    Leave empty  Attribute  user.givenname
LastName     Leave empty  Attribute  user.surname
DisplayName  Leave empty  Attribute  user.displayname


 

  1. Save the settings. This is the authentication source created.
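A way to confirm that the claims arrive in the shape the table above describes, as an added example that is not part of the original document: it decodes a SAMLResponse (the base64 form field Entra posts to the Duo ACS URL, copied from the browser's developer tools) and reports expected claims that are missing and claims that still carry a namespace URI. The function name and the sample response are constructed for illustration, and the signature is not verified.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names from the table above; Namespace is left empty for each.
EXPECTED = {"Email", "Username", "FirstName", "LastName", "DisplayName"}


def check_claims(saml_response_b64):
    """Report claim problems in a base64 SAMLResponse (signature NOT verified)."""
    xml = base64.b64decode(saml_response_b64)
    # SAML messages never need a DTD; refuse one rather than parse it.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD or entity declaration in SAML response")
    seen = {}
    for attr in ET.fromstring(xml).iterfind(".//saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        seen[attr.get("Name", "")] = [v.text or "" for v in values]
    return {
        "missing": sorted(EXPECTED - set(seen)),
        # A claim whose namespace was not cleared appears as "<uri>/<name>".
        "namespaced": sorted(n for n in seen if "/" in n),
        "values": {n: seen[n] for n in sorted(EXPECTED & set(seen))},
    }


# Constructed sample: one default claim was not deleted and DisplayName
# was never added. The user and addresses are made up.
_CLAIMS = {
    "Email": "alex@example.com",
    "Username": "alex@example.com",
    "FirstName": "Alex",
    "LastName": "Doe",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Alex",
}
_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    "<saml:AttributeStatement>"
    + "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        "</saml:AttributeValue></saml:Attribute>"
        for n, v in _CLAIMS.items()
    )
    + "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
)
SAMPLE_B64 = base64.b64encode(_XML.encode()).decode()

if __name__ == "__main__":
    print(check_claims(SAMPLE_B64))
```

An empty "missing" list and an empty "namespaced" list mean the five claims match the table.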





Configure DUO SSO – Proofpoint


https://duo.com/docs/sso-generic

  1. In DUO, go back to Applications and protect "Generic SAML Service Provider".
     The following screen should load.



  1. In Proofpoint, go to Identity providers and get the SSO information

  2. Copy these values into DUO

  3. The DUO metadata, copy from DUO into Proofpoint

  4. Download the certificate from the SSO – Downloads section (above, step 1)
     Upload it into the Proofpoint certificate section


Save and enable.

DUO can now be tested.