# Duo SSO

## Overview

Panther supports integrating with [Duo](https://duo.com/) as a SAML provider to enable logging in to the Panther Console via SSO. 

For more information on features, terminology, and limitations of SSO integrations with the Panther Console, see [Identity & Access Integrations](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/system-configuration/saml).

## How to configure SAML SSO to the Panther Console with Duo

### Prerequisites

As is [outlined in Duo's documentation](https://duo.com/docs/sso-panther#configure-single-sign-on), before configuring SSO with Duo, you'll need to:

* [Enable Single Sign-On for your Duo account](https://duo.com/docs/sso#enable-duo-single-sign-on#enable-duo-single-sign-on) 
* [Configure a working authentication source in Duo](https://duo.com/docs/sso#configure-your-authentication-source)

### Obtain the Duo SSO parameters from Panther

1. Log in to the Panther Console.
2. Click the gear icon in the upper right. In the dropdown menu, click **General**.
3. Click the **Identity & Access** tab.

Keep this browser window open, as you will need the **Audience** and **ACS URL** values in the next steps.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FHnI9usRzdr41TwMmqfwe%2FScreenshot%202023-06-16%20at%202.47.34%20PM.png?alt=media&#x26;token=c70a418d-b38a-43f5-901b-c642e82f29c2" alt="In the General settings page in the Panther Console, the Identity &#x26; Access tab is shown. Various fields are visible, such as Enable SAML, Enforce Single Sign On, Default Role, Identity provider URL, Audience and ACS Consumer URL."><figcaption></figcaption></figure>

### Create the Duo app

1. Follow [these Duo instructions to create your Panther application in Duo](https://duo.com/docs/sso-panther#create-the-panther-application-in-duo).
2. In the **Service Provider** section of the application configuration in Duo, enter the **Audience** and **ACS URL** values you surfaced in Panther in the [previous section](#obtain-the-duo-sso-parameters-from-panther).\
   ![Duo's Admin Panel shows a Service Provider section, with text fields for Audience and ACS Consumer URL. There is a checkbox for Custom attributes.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FLF7qx8gdZbVoFP1bFstU%2Fimage.png?alt=media\&token=3558516f-ab0b-4609-8ea3-51f4f2e76bdf)
3. Still in the Duo Admin Panel, scroll to the bottom of the page, and click **Save**.

Keep this Duo Admin Panel browser window open, as you will need the **Identity provider URL** value in the next steps.

### Configure Duo SAML in Panther

1. Navigate back to the [SAML configuration](#obtain-the-duo-sso-parameters-from-panther) you started earlier in this documentation.
2. Next to **Enable SAML**, set the toggle to **ON**.&#x20;
3. In the **Default Role** field, choose the Panther role that your new users will be assigned by default when they first log in via SSO.
4. Return to the Duo Admin Panel. Copy the **Identity provider URL** value and paste it into the **Identity Provider URL** field in the Panther Console.
5. Click **Save Changes**.

To test your setup, go to your Panther sign-in page and click **Login with SSO**.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FOxd6LjLxfTf69OjjqWDS%2Fimage.png?alt=media&#x26;token=9e1890f4-61ae-405f-8fa0-5e93c9b69b75" alt="The Panther login page displays a &#x22;Login with SSO&#x22; button at the bottom."><figcaption></figcaption></figure>