Cisco Duo (Duo SSO) SSO

Sign in to ComplianceScout with Duo Single Sign-On over SAML 2.0.


Before you start

  • Complete Duo Single Sign-On setup first — Duo SSO is a front-end IdP and requires an authentication source (Active Directory, or an upstream SAML/OIDC IdP) behind it.
  • Use Duo SSO's Generic SAML Service Provider (duo.com/docs/sso-generic) — not the deprecated Duo Access Gateway.

Values to give Cisco Duo (Duo SSO)

Copy these from ComplianceScout → Settings → SSO when you create the connection. The exact, per-connection values are shown there.

SP Entity ID (Identifier / Audience): urn:guardstream:sp:<tenant_id>

Included in the SP metadata below. Most IdPs can import the metadata URL instead of typing this.

ACS URL (Reply URL / Assertion Consumer Service): https://<your-app-host>/sso/saml/callback/<connectionId>

SP metadata URL: https://<your-app-host>/sso/saml/metadata/<connectionId>

Contains the SP entity ID, ACS URL, and SP certificate. Import this into your IdP when it supports metadata import; it is the least error-prone path.

Required NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Configure your IdP to send the user's email address as the NameID. ComplianceScout rejects any other NameID format.

Configure Cisco Duo (Duo SSO)

Steps verified against Duo's Generic SAML Service Provider documentation (duo.com/docs/sso-generic). Labels in the Duo Admin Panel can change; that page is the source of truth.

  1. Log in to the Duo Admin Panel and go to Applications → Application Catalog.

  2. Find Generic SAML Service Provider (labeled SSO) and click Add.

  3. In the Service Provider section, set Entity ID = urn:guardstream:sp:<tenant_id> and Assertion Consumer Service (ACS) URL = the ACS URL shown in ComplianceScout. (Or use Metadata Discovery → Metadata XML URL and paste ComplianceScout's SP metadata URL.)

  4. In the SAML Response section, set NameID format = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID attribute = the email token (<Email Address>, which resolves to mail / Email).

  5. Set a Name for the application and click Save.

  6. From the Metadata section at the top of the application page, collect Entity ID (IdP Entity ID), Single Sign-On URL (IdP SSO URL), and Download certificate (IdP signing cert) — or copy the Metadata URL to import all three at once.

  7. Authorize the appropriate users via your Duo policy/groups.

Values to enter in ComplianceScout

Back in Settings → SSO, paste these into the connection and save.

IdP Entity ID: <duo-entity-id>
IdP SSO URL (Single Sign-On URL): <duo-sso-url>
IdP signing certificate: the certificate from Download certificate (or supply the Metadata URL to import all three values at once)

Role mapping (optional)

In Duo's Map attributes section, add a row that sends your group source (for example Duo Groups) as a SAML attribute named groups (or roles); alternatively, use the Role attributes section and map Duo Groups there. Then set ComplianceScout's role-mapping attribute name to the same value, so the attribute Duo emits is the one ComplianceScout reads.

Things to watch for

  • ComplianceScout always requires the assertion to be signed (this is not optional). You can additionally require the SAML response to be signed and/or the assertion to be encrypted to the SP certificate — toggle those per connection in Settings → SSO.
  • An authentication source (AD or upstream SAML/OIDC) is mandatory — Duo SSO will not function as an IdP without one.
  • Use the Duo SSO Generic SAML SP (duo.com/docs/sso-generic), not the deprecated Duo Access Gateway (dag-generic).
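Before switching the connection on, it helps to confirm that the IdP values collected in step 6 and the assertions Duo actually sends match what this page requires (signed assertion, emailAddress NameID, Audience equal to the SP entity ID, Recipient equal to the ACS URL). The script below is an added example, not ComplianceScout's or Duo's code. It uses only the Python standard library; the metadata XML, the SAML response, the sso-example / DIEXAMPLE identifiers, the app.example.com host, and the certificate body are constructed placeholders, and the response check is structural only: it confirms a signed assertion is present with the right fields but does not verify the signature, which the SP does at sign-in.

```python
"""Pre-flight checks for a Duo SSO -> ComplianceScout SAML connection.

Added example, not vendor code. All XML and identifiers below are constructed
placeholders (hosts, DIEXAMPLE, conn_123, tenant_123, the certificate body).
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Assumed per-connection values as they would appear in Settings -> SSO.
SP_ENTITY_ID = "urn:guardstream:sp:tenant_123"
ACS_URL = "https://app.example.com/sso/saml/callback/conn_123"
IDP_ENTITY_ID = "https://sso-example.sso.duosecurity.com/saml2/sp/DIEXAMPLE/metadata"

# Constructed stand-in for the XML Duo serves at its Metadata URL.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data><ds:X509Certificate>
        MIIBplaceholderCertificateBody==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://sso-example.sso.duosecurity.com/saml2/sp/DIEXAMPLE/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, decoded SAMLResponse of the shape a browser SAML tracer shows.
SIGNATURE = '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>'
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    {SIGNATURE}
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# Same response with an unsigned assertion and the wrong NameID format.
BAD_RESPONSE = SAMPLE_RESPONSE.replace(SIGNATURE, "").replace(
    EMAIL_FORMAT, "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")


def parse_idp_metadata(xml_text):
    """Extract the three values ComplianceScout asks for from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    # A KeyDescriptor with no 'use' attribute is valid for signing and encryption.
    cert = next(kd.find(".//ds:X509Certificate", NS) for kd in idp.findall("md:KeyDescriptor", NS)
                if kd.get("use") in (None, "signing"))
    b64 = "".join(cert.text.split())  # drop the whitespace wrapping inside the element
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"), "signing_cert_pem": pem}


def check_saml_response(xml_text, sp_entity_id, acs_url, idp_entity_id):
    """Structural pre-flight only; returns a list of problems (empty = OK).
    Signature presence is checked, signature validity is not (the SP does that)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext <saml:Assertion>: encrypted, or not a SAML response"]
    problems = []
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed (ComplianceScout requires a signed assertion)")
    issuer = assertion.find("saml:Issuer", NS)
    if issuer is None or issuer.text.strip() != idp_entity_id:
        problems.append(f"assertion Issuer does not match IdP entity ID {idp_entity_id}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format must be {EMAIL_FORMAT}")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID is not an email address")
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text.strip() != sp_entity_id:
        problems.append(f"Audience must equal SP entity ID {sp_entity_id}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append(f"SubjectConfirmationData Recipient must equal ACS URL {acs_url}")
    return problems


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP Entity ID:", idp["entity_id"])
    print("IdP SSO URL:  ", idp["sso_url"])
    print("good response:", check_saml_response(SAMPLE_RESPONSE, SP_ENTITY_ID, ACS_URL, idp["entity_id"]))
    print("bad response: ", check_saml_response(BAD_RESPONSE, SP_ENTITY_ID, ACS_URL, idp["entity_id"]))
```

Run it against the real Duo metadata URL output and a decoded SAMLResponse captured during a test sign-in; an empty list from check_saml_response means the assertion has the shape this page requires, while the signature itself is still only proven by the SP accepting the sign-in. If the Assertion is encrypted to the SP certificate, the check reports that it cannot see a plaintext assertion rather than guessing.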

Ready to turn on Cisco Duo (Duo SSO) SSO?

Configure the connection in Settings → SSO, then test sign-in before rolling it out to your team.