
Integrating Duo with Security Cloud Sign On

This guide explains how to integrate a Duo SAML application with Security Cloud Sign On.

Before you begin

Before you begin, read Integrating Identity Providers to understand the overall process. These instructions supplement that guide with details specific to Duo SAML integrations, in particular Step 2: Provide Security Cloud SAML metadata to your identity provider and Step 3: Provide SAML metadata from your IdP to Security Cloud.

Procedure

1

Sign in to Security Cloud Control with the organization that you want to integrate with Duo.

  1. Create a new identity provider and decide whether to opt out of Duo MFA, as explained in Step 1: Initial setup.

  2. On Step 2: Provide Security Cloud SAML metadata to your identity provider, download the Public certificate, and copy the values for Entity ID and Single Sign-On Service URL for use in the next steps.

2

Sign in to your Duo organization as an administrator in a new browser tab. Keep the Security Cloud Control tab open, because you'll return to it shortly.

  1. From the left navigation menu, click Applications > Protect an Application.

  2. On the search bar, search for Cisco Security Cloud Sign On.

  3. Click Protect next to the Generic Service Provider application and choose 2FA with SSO hosted by Duo as the type of protection.

    The configuration page for the Generic SAML Service Provider opens.

  4. In the Metadata section:

  5. Copy the value of Entity ID and save it for later use.

  6. Copy the value of Single Sign-On URL and save it for later use.

  7. In the Downloads section, click Download certificate and save the file for later use.

  8. In the SAML Response section, do the following:

    • For NameID format, select either urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

    • For NameID attribute, select <Email Address>.

    • In the Map Attributes section, enter the following mappings of Duo IdP user attributes to SAML response attributes:

      IdP Attribute        SAML Response Attribute
      <Email Address>      email
      <First Name>         firstName
      <Last Name>          lastName

  9. Under Settings, for the Name field, enter Security Cloud Sign On or another value.

3

Return to Security Cloud Control and click Next. You should be on Step 3: Provide SAML metadata from your IdP to Security Cloud.

  1. Select the Manual Configuration option.

  2. In the Single Sign-on Service URL (Assertion Consumer Service URL) field, enter the Single Sign-On URL value that is provided by Duo.

  3. In the Entity ID (Audience URI) field, enter the Entity ID value provided by Duo.

  4. Upload the Signing Certificate that you downloaded from Duo.

What to do next

Next, follow the instructions in Step 4: Test your SAML integration and Step 5: Activate the integration to test and activate your integration.
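
The following is an added example, not part of the original guide or of Cisco or Duo tooling: a small lint that checks a decoded SAML assertion against the NameID format and attribute mappings configured in the procedure above. The function name lint_assertion and the sample assertion are constructed for illustration, and the script checks configuration only; it does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
REQUIRED_ATTRIBUTES = ("email", "firstName", "lastName")

# Constructed sample (not captured from Duo); "lastname" is deliberately misspelled.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def lint_assertion(xml_text):
    """Return a list of mismatches against the settings in this guide.
    Use a hardened parser (e.g. defusedxml) for XML you did not construct."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["missing NameID"]
    if name_id.get("Format") not in ALLOWED_NAMEID_FORMATS:
        problems.append(f"unexpected NameID format: {name_id.get('Format')}")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED_ATTRIBUTES:  # compared exactly as the guide spells them
        if not attrs.get(name):
            problems.append(f"missing or empty attribute: {name}")
    # NameID attribute and the email mapping both come from <Email Address>.
    if attrs.get("email") and attrs["email"] != (name_id.text or "").strip():
        problems.append("NameID does not match the email attribute")
    return problems


if __name__ == "__main__":
    print(lint_assertion(SAMPLE_ASSERTION))
```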