# Duo SSO

## Overview

Panther supports integrating with [Duo](https://duo.com/) as a SAML provider to enable logging in to the Panther Console via SSO.

For more information on features, terminology, and limitations of SSO integrations with the Panther Console, see [Identity & Access Integrations](https://docs.panther.com/system-configuration/saml).

## How to configure SAML SSO to the Panther Console with Duo

### Step 1: Obtain the Duo SSO parameters from Panther

1. Log in to the Panther Console.
2. In the upper-right corner, click the gear icon, and then click **General**.
3. Navigate to the **Identity & Access** tab.
4. Next to **Enable SAML (Security Assertion Markup Language)**, set the toggle to `ON`.
5. If using [IdP-initiated login](https://docs.panther.com/system-configuration/saml/..#idp-initiated-vs.-sp-initiated-login), set the **Use IdP-Initiated Single Sign On (SSO)** toggle to `ON`.
6. Copy the **Audience** and **ACS Consumer URL** values and store them in a secure location. You will need them in the following steps.
   * If using IdP-initiated login, also copy the **Relay State** value.

{% hint style="info" %}
It's recommended to use [SP-initiated login](https://docs.panther.com/system-configuration/saml/..#sp-initiated-login-recommended), as it is generally considered more secure than IdP-initiated login.
{% endhint %}

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-800628a71753e4ef33d50d9bbf9231f05441120b%2FScreenshot%202025-10-10%20at%203.03.25%E2%80%AFPM.png?alt=media" alt="In the Settings section of the Panther Console, within the Identity &#x26; Access tab, various fields like &#x22;Enable SAML&#x22;, &#x22;Audience&#x22; and &#x22;ACS Consumer URL&#x22; are shown"><figcaption></figcaption></figure>

### Step 2: Create the Duo app

1. Log in to the [Duo Admin Panel](https://admin.duosecurity.com/).
2. In the left-hand navigation bar, navigate to **Applications** → **Application Catalog**.
3. Search for **Generic SAML Service Provider**. Click **+Add**.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c35735fea0c08509570fc42b8bf0fc99f9af4351%2FGeneric%20SAML.png?alt=media" alt="Application Catalog in the Duo Admin Panel showing the &#x22;Generic SAML Service Provider&#x22; application" width="375"><figcaption></figcaption></figure>
4. In the **Service Provider** section, configure the following:
   * **Entity ID**: Paste the **Audience** value you obtained in the Panther Console in Step 1.
   * **Assertion Consumer Service (ACS) URL**: Paste the **ACS Consumer URL** value you obtained in the Panther Console in Step 1.
   * **Default Relay State:** If using IdP-initiated login, paste the **Relay State** value you copied from the Panther Console in Step 1. If using SP-initiated login, leave this value blank.

     <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c98fed50296b49e48d3a0e74e74655cad8603e62%2FScreenshot%202025-11-04%20at%208.30.32%E2%80%AFAM.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
5. In the Duo Admin Panel, scroll to the bottom of the page, and click **Save**.

Keep this Duo Admin Panel browser window open, as you will need the **Metadata URL** value in the next steps.

### Step 3: Configure Duo SAML in Panther

1. Navigate back to the **Identity & Access** section in the Panther Console from Step 1. In the **Default Role** field, choose the Panther role that your new users will be assigned by default when they first log in via SSO.

{% hint style="warning" %}
Panther highly recommends not setting this value to `Admin`.
{% endhint %}

2. Return to the Duo Admin Panel. Copy the **Metadata URL** value and paste it into the **Identity Provider URL** field in the Panther Console.
3. Click **Save Changes**.

To test your setup, go to your Panther sign-in page and click **Login with SSO**.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-4537547853dd91d5c43d3b0bb9c3fa6717129b33%2Fimage%20(12)%20(3).png?alt=media" alt="The Panther login page displays a &#x22;Login with SSO&#x22; button at the bottom."><figcaption></figcaption></figure>
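
If the test login fails, the following added example (not part of Panther's or Duo's own tooling) checks that a SAML response carries the **Audience** and **ACS Consumer URL** values from Step 1. It assumes you have the base64 `SAMLResponse` form field posted to the ACS URL (for example, copied from the browser's network tools) and that the assertion is not encrypted; the audience and URL shown are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders: use the Audience and ACS Consumer URL from Step 1.
AUDIENCE = "urn:example:panther-audience"
ACS_URL = "https://panther.example.invalid/saml/acs"

def check_saml_response(b64_response, audience, acs_url):
    """Return a list of mismatches; empty means the values line up.
    Compares configuration values only; it does not verify the signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # Response Destination should be the ACS URL entered in Duo.
    if root.get("Destination") != acs_url:
        problems.append(f"Destination is {root.get('Destination')!r}")
    # AudienceRestriction should contain the value entered as Duo's Entity ID.
    found = [a.text.strip() for a in
             root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in found:
        problems.append(f"Audience is {found!r}")
    # SubjectConfirmationData Recipient should also be the ACS URL.
    recipients = [d.get("Recipient") for d in
                  root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        problems.append(f"Recipient is {recipients!r}")
    return problems

def build_sample(audience, acs_url):
    """Constructed, unsigned SAML response for offline demonstration."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
           f'xmlns:saml="{NS["saml"]}" Destination="{acs_url}"><saml:Assertion>'
           f'<saml:Subject><saml:SubjectConfirmation>'
           f'<saml:SubjectConfirmationData Recipient="{acs_url}"/>'
           f'</saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions><saml:AudienceRestriction>'
           f'<saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(build_sample(AUDIENCE, ACS_URL), AUDIENCE, ACS_URL))
    print(check_saml_response(build_sample("urn:example:typo", ACS_URL), AUDIENCE, ACS_URL))
```

A reported mismatch points back to the **Entity ID** or **Assertion Consumer Service (ACS) URL** field in the Duo application from Step 2.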
