Supported Usage:

Windows Users - open the Silo client directly when registry keys are configured as outlined in our SAML SSO for Silo Access article.

Windows and Mac Users - click on the a8 Silo app in the Duo Access Gateway Launcher


Prerequisites:

  • A Duo Access Gateway with Launcher configured

  • Duo Access Gateway server address in Trusted Sites of client machines e.g. https://servername.domain.com/

  • File Upload and Download enabled for the Silo user you will be using to configure Duo.


A8 Admin Console

  1. Enable Portal and define a company identifier, e.g. mitchmurray (a fictional customer)

  2. Enable SAML

  3. Download the SP Encryption Certificate SP_cert.crt to your computer.

  4. Do not click Save yet; leave the page open.


Duo - Add Silo as an application

  1. In the Duo admin portal, click Applications > Protect an Application

  2. Search for SAML - Service Provider and click Protect this Application

  3. Name your app (e.g. a8 Silo) and click Next

  4. Copy the SP Entity ID from the A8 Admin Console and paste it into the Duo Entity ID box

  5. Copy the SP Post Back URL into the Assertion Consumer Service box

  6. Enter 2 for Default Relay State

  7. Click Save

  8. Click Download your configuration file to save the JSON copy of your app.

  9. Scroll down to Settings > General, change the Name to your app name, then save your changes


Duo - modify the JSON app to encrypt the SAML response and disable spFirst

  1. Open the SP_cert.crt file you downloaded from the Silo Admin Console in a text editor (Notepad++ is a good option).

  2. Delete the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.

  3. Remove all line breaks so the certificate text is one long string of characters.

  4. Open the JSON copy of your app that you saved in the "Add Silo as an application" step.

  5. Between the "simplesaml.attributes": false, and "simplesaml.nameidattribute": "mail", entries, add the two new entries shown below (assertion.encryption and certData):

     "simplesaml.attributes": false,
     "assertion.encryption": true,
     "certData": "CERTDATA",
     "simplesaml.nameidattribute": "mail",

  6. Paste the contents of your edited SP_cert.crt file in place of CERTDATA. Leave the surrounding quotes intact and make sure the certificate is still one long string with no line breaks.

  7. Change spFirst to false, so the entry reads "spFirst": false,

  8. Save your JSON app.
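The certificate flattening and JSON edits above, as an added Python example that is not from Authentic8 or Duo. It assumes the Duo app file is a flat JSON object with the keys this article names, and uses a constructed stand-in certificate in place of SP_cert.crt; the lint function checks for the mistakes that produce the DAG's "Invalid JSON file" error.

```python
import base64
import json

# Constructed sample inputs, not a real Silo certificate or Duo export: the
# key names follow the article, the flat layout is assumed, and the cert
# body is just base64 of "ABC...Z" so the example runs offline.
SAMPLE_SP_CERT = ("-----BEGIN CERTIFICATE-----\r\nQUJDREVGR0hJSktMTU5PUFFS\r\n"
                  "U1RVVldYWVo=\r\n-----END CERTIFICATE-----\r\n")
SAMPLE_DUO_APP = json.dumps({"name": "a8 Silo", "spFirst": True,
                             "simplesaml.attributes": False,
                             "simplesaml.nameidattribute": "mail"})


def pem_to_cert_data(pem_text):
    """Steps 1-3: drop the BEGIN/END lines and all line breaks, then check
    the result is one valid base64 string (binascii.Error otherwise)."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    cert_data = "".join(ln for ln in lines if ln and not ln.startswith("-"))
    base64.b64decode(cert_data, validate=True)  # rejects stray characters
    return cert_data


def patch_duo_app(app_json, cert_data):
    """Steps 5-7: enable assertion encryption, add certData, set spFirst to
    false, and re-serialise so every entry gets its trailing comma."""
    app = json.loads(app_json)
    app["assertion.encryption"] = True
    app["certData"] = cert_data
    app["spFirst"] = False
    return json.dumps(app, indent=2)


def lint_duo_app(app_json):
    """Pre-upload check for the DAG's 'Invalid JSON file' error: returns a
    list of problems, empty when the file should upload cleanly."""
    try:
        app = json.loads(app_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    problems = []
    cert = app.get("certData")
    if not isinstance(cert, str) or not cert:
        problems.append("certData missing or empty")
    elif any(ch.isspace() or ch == "-" for ch in cert):
        problems.append("certData still has returns, spaces or PEM dashes")
    for key, want in (("assertion.encryption", True), ("spFirst", False)):
        if app.get(key) is not want:
            problems.append(f"{key} is not {json.dumps(want)}")
    return problems
```

Run lint_duo_app on the saved file before uploading it to the DAG; an empty list means the three edits are present and the certificate is a single unbroken string.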


Duo - Adding your app to the Duo Access Gateway (DAG)

  1. Sign in to the DAG at https://servername.domain.com/dag

  2. Click Applications, Choose File then select your newly edited JSON app, click Upload.


A8 Admin Console

All of the following Duo information is found in the Duo Access Gateway under Applications > Metadata:

IdP Issuer: DAG Entity ID

IdP Login URL: DAG SSO URL

IdP Signing Certificate: dag.crt

Be sure to click Save when done.


Troubleshooting


If something is not working, you can get a good idea of the issue by enabling Verbose Logging and checking the log.

  1. Log in to the DAG at https://servername.domain.com/dag

  2. Click Settings

  3. Scroll down to General, check Verbose logging, and click Save Settings.

  4. Try your authentication again; the log is written to \\servername\c$\inetpub\wwwroot\dag\log\dag.log


If you get error "Invalid JSON file" when uploading your edited JSON file to the DAG, ensure you have a comma after every line in the JSON file and that you removed all of the hard returns in the certificate.