7.3.2. Duo Configuration

7.3.2.1. Prerequisites

Duo SSO authentication source configuration

This guide assumes that your SSO authentication source has already been configured.

Duo Permissions

You will need the appropriate Duo permissions to create the application and groups for mapping recorder permissions.

TLS Certificate

A valid TLS certificate must be installed and enabled on the recorder.

Entity ID

The entity ID is a unique identifier for the service provider (SP) and the identity provider (IdP). The entity ID for the SP must be provided, and the entity ID for the IdP is programmatically pulled from its metadata file.

Metadata File

The metadata file is an XML document that contains information about the IdP. It includes the IdP’s entity ID, public key, and other relevant information. The metadata file is used to configure the SP to trust the IdP. This can be obtained from Duo when configuring the application.

User Groups

User groups must be correctly set up on the recorder and Duo. The groups in the recorder must align with those in Duo to ensure proper group mapping for SAML authentication. Ensure groups in Duo have been created and users assigned.

Configuration Manager

Access to Configuration Manager is required to configure the SAML authentication provider on the recorder. The Configuration Manager login icon will not be available in the lower right-hand corner when accessing Configuration Manager. You will need to log in by going to <host>/admin.

MediaWorks Replay

After Duo has been configured, log in to MediaWorks by navigating to the recorder and logging in there.

7.3.2.1.1. Configuration Steps

From Duo’s admin console, select Applications → Protect an Application:

Fig. 7.19 Select “Protect an Application”

In the search bar type Generic SAML and select Configure for the application named Generic SAML Service Provider:

Fig. 7.20 Add a SAML application

On the next page, click Download XML for the SAML Metadata option. This will be used when configuring the recorder for SAML.

Fig. 7.21 Download Duo metadata

In the Service Provider section, enter the required values as shown in the screenshot below.

Entity ID - This can be any value as long as it is unique within your Duo tenant. Standard practice is to make this a URL, though the URL does not have to point to anything, nor does it need to resolve; it is simply used as a unique identifier. For this document, we will use the value https://sp.nexlog.host/relyingidentifier. Make note of this value, as it will be used later to configure the recorder side of SAML.

Assertion Consumer Service (ACS) URL - This will be https://<RECORDER_FQDN>/auth.sso/SAML2/POST; in the case of this example, https://sp.nexlog.host/auth.sso/SAML2/POST.

If you elected to limit config access to port 8443 (on the recorder, under Users and Security → Encryption and TLS → Connection Settings), you can add an additional ACS URL by clicking Add an ACS URL. This will be the same value as above but specifying port 8443 (e.g. https://sp.nexlog.host:8443/auth.sso/SAML2/POST).

Fig. 7.22 Duo SP settings

Leave the defaults and scroll down until you reach the Map attributes section. Configure the attributes as shown below and create the mapping of Duo groups (a required prerequisite) to recorder permissions:

Fig. 7.23 Duo attributes and groups

The default SAML attribute mapping used by recorders uses the UPN for the username, stripping everything after the @ symbol. Since the configuration above uses email instead, and also adds groups and additional attributes, the attribute mapping must be updated: log in to Configuration Manager, navigate to System → Configuration Files → SAML attribute map and click View / Edit at the bottom of the page.

Below is a mapping that could be used with this example configuration:

<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="remote_user"/>
<Attribute name="groups" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="attr_group"/>
<Attribute name="FirstName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="attr_firstname"/>
<Attribute name="LastName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="attr_lastname"/>
<Attribute name="Email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="attr_email"/>
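To see what this mapping does with an incoming assertion, here is an added Python illustration (not the recorder's code or Duo's): it loads the map above and resolves a constructed Duo-style assertion to the recorder-side ids. How the NameID is matched (by its Format URI) and the fallback for rules without a nameFormat are assumptions about the recorder's behaviour, not something this page states.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
# The attribute map from this page, wrapped in a root element so it parses as one document.
ATTRIBUTE_MAP = f"""<Attributes>
  <Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="remote_user"/>
  <Attribute name="groups" nameFormat="{BASIC}" id="attr_group"/>
  <Attribute name="FirstName" nameFormat="{BASIC}" id="attr_firstname"/>
  <Attribute name="LastName" nameFormat="{BASIC}" id="attr_lastname"/>
  <Attribute name="Email" nameFormat="{BASIC}" id="attr_email"/>
</Attributes>"""

# Constructed assertion shaped like Duo's output for the Fig. 7.23 mapping (Signature/Conditions omitted).
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups" NameFormat="{BASIC}">
      <saml:AttributeValue>Recorder Admins</saml:AttributeValue>
      <saml:AttributeValue>Dispatchers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FirstName" NameFormat="{BASIC}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email" NameFormat="{BASIC}"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Department" NameFormat="{BASIC}"><saml:AttributeValue>Operations</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def load_attribute_map(xml_text):
    """Return {(name, nameFormat): id}; a rule without nameFormat matches any format (assumption)."""
    return {(a.get("name"), a.get("nameFormat")): a.get("id")
            for a in ET.fromstring(xml_text).iter("Attribute")}

def apply_attribute_map(assertion_xml, rules):
    """Resolve the NameID (keyed by its Format URI, as the first map line does) and attributes to recorder ids.
    Assumes the assertion's signature and conditions were already validated upstream."""
    root = ET.fromstring(assertion_xml)
    mapped = {}
    nameid = root.find("saml:Subject/saml:NameID", SAML_NS)
    target = rules.get((nameid.get("Format"), None)) if nameid is not None else None
    if target:
        mapped[target] = [nameid.text]
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        name, fmt = attr.get("Name"), attr.get("NameFormat")
        target = rules.get((name, fmt)) or rules.get((name, None))
        if target is None:
            continue  # no rule (Department above): the value never reaches the recorder
        mapped[target] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return mapped
```

Note that a map rule with no matching attribute in the assertion (LastName here) simply yields nothing, which is why the recorder-side group check in Fig. 7.24 matters: a user whose groups attribute is missing arrives with no permissions.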

Scroll down until you reach Name and Permitted Groups. Give the application an appropriate name. You can also restrict which users can authenticate by group. If you do not configure this, users could try to log in and their account would be created, but login would fail since they would not be assigned any permissions:

Fig. 7.24 Duo application name and group restriction

Click Save.

This completes the Duo side of the configuration and you can now move on to Recorder SAML Configuration.