Duo SSO
Files.com supports Single Sign-On (SSO) integration with Cisco Duo via the SAML protocol. Users log in with their Duo identity through a Service Provider (SP)-initiated SSO flow, without separate Files.com usernames or passwords. Duo acts as the Identity Provider (IdP), so identity management and login policy stay in one place.
Adding Files.com in Duo
After logging in to your Duo account as an administrator, click on Add Application from within your application management screen or navigate to Applications -> Application Catalog, and search for Generic SAML Service Provider. Click Add to configure Files.com as a custom SAML application.
In the Generic SAML Service Provider - Single Sign-On form, configure the application using the SAML configuration settings below, leaving the remaining fields at their default values.
SAML SSO Details for Duo
| Field | Value |
|---|---|
| Entity ID | https://app.files.com/saml/metadata |
| Assertion Consumer Service (ACS) URL | https://app.files.com/saml/consume |
| Service Provider Login URL | https://[SUBDOMAIN].files.com |
| Default Relay State | [SUBDOMAIN].files.com |
| Name ID format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| NameID attribute | <Email Address> |
Replace [SUBDOMAIN] with your specific Files.com subdomain.
Adding Duo in Files.com
Create a new SSO Provider and select Duo as the provider type.
Provide a Display Name for your new provider. This name is shown during login so users can choose the correct SSO Provider.
There are three ways to connect to your SAML provider. The Metadata URL is the simplest option because it automatically picks up updates such as certificate renewals or changes to the provider's URLs. If you don't need automatic updates, you can connect by uploading the Metadata XML instead. Certificate Fingerprint gives you the most control over updates but takes more effort to manage long-term, because you must update the fingerprint yourself whenever Duo rotates its signing certificate.
Using Metadata URL
Using Metadata URL to connect is the most straightforward option. Put the Metadata URL you copied from Duo into the Metadata URL field.
Using Metadata XML file
To use a metadata XML file to connect to Duo, first download the XML from your Duo install. Log in as a Duo administrator, then click Download XML from the Downloads section in the application configuration screen in Duo.
Use the file you exported from Duo in the Metadata XML file option of your SSO Provider record.
Using Certificate Fingerprint
To use Certificate Fingerprint to connect to Duo, click Download certificate from the Downloads section in the application configuration screen in Duo. Once the certificate is downloaded to your local machine, run the following command in a terminal to obtain the certificate's SHA-256 fingerprint.
openssl x509 -in [your_cert_file] -noout -sha256 -fingerprint
In Files.com, provide the fingerprint from the command above as the Certificate Fingerprint for your SSO Provider, along with the IDP URL you copied from Duo. You can use the same URL for the SLO endpoint and SSO endpoint.
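As an added example that is not part of the Files.com or Duo documentation, the Python below checks that the fingerprint you paste into Files.com is the SHA-256 of a signing certificate published in the IdP metadata XML (the same file described under Using Metadata XML file), so a copy-paste error or a stale certificate is caught before users are locked out. The metadata document and the certificate bytes inside it are constructed placeholders, not a real Duo certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata. A real X509Certificate element holds a base64 DER
# certificate; here it holds base64 of the bytes b"abc" (a placeholder, not a
# certificate) so the expected SHA-256 fingerprint is a known value.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        YWJj
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certs_der(metadata_xml: str) -> list:
    """Return the DER bytes of every signing certificate in the IdP metadata.
    A KeyDescriptor with no 'use' attribute is valid for signing and encryption."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for el in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((el.text or "").split())  # drop the line breaks/indentation
            certs.append(base64.b64decode(b64))
    return certs


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case hex, the layout printed by openssl x509 -fingerprint."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept a fingerprint pasted with or without colons, in any case, or as the
    whole openssl output line ('SHA256 Fingerprint=...')."""
    return "".join(ch for ch in fp.split("=", 1)[-1] if ch.isalnum()).upper()


def fingerprint_matches_metadata(pasted_fp: str, metadata_xml: str) -> bool:
    """True if the pasted fingerprint equals the SHA-256 of any signing cert in the metadata."""
    want = normalize(pasted_fp)
    return any(normalize(sha256_fingerprint(der)) == want
               for der in signing_certs_der(metadata_xml))
```

Run it against the XML downloaded from Duo and the value from the openssl command; a False result means the fingerprint in Files.com will not validate assertions signed with the certificate Duo currently publishes.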
Assigning Users
Once the SSO Provider is configured, the Duo Single Sign-On method becomes available when assigning an authentication method for a user in Files.com, and the Sign in with Duo button appears on your site's login page.
Assign at least one Site Administrator the Password authentication method rather than assigning every administrator to use SSO. This prevents locking out all administrators if there is a problem with your identity provider or SSO service.
Provisioning Users Automatically
Files.com supports two methods of automatically provisioning users via Duo: SCIM provisioning and just-in-time (JIT) provisioning. SCIM provisioning creates, updates, and deactivates users in Files.com based on changes made in Duo. JIT Provisioning creates the user in Files.com when they first log in and does not sync further changes from Duo.
To set up SCIM provisioning, configure the SCIM connector in Duo with Files.com’s SCIM endpoint and authentication details. Detailed instructions are available in Files.com’s SCIM provisioning documentation.
SCIM Provisioning
Enabling SCIM Provisioning means that your users and groups in Files.com will be automatically managed to match your settings in Duo.
In your Files.com site, set your Provisioning Method for the SSO Provider to Use SCIM Provisioning. Duo SSO always uses the Secret Token authentication method.
Set your options for enabling user or group provisioning or de-provisioning. You can fine-tune the rules for how users and groups are provisioned.
When you save the SSO Provider record, your SCIM Secret Token is displayed.
Within the Duo site, update your application configuration:
- Click on Provisioning at the top of the application configuration form.
- Under the Authentication section, select Bearer Token from the drop-down menu.
- Copy the Base URL and Secret Token values from your Files.com configuration, then click Connect to Application. A "Successfully connected to the Application" message below the form confirms that your SSO Provider is configured.
SCIM Provisioning Details for Duo
| Field | Value |
|---|---|
| Authentication Mode | Bearer Token |
| Base URL | https://app.files.com/api/scim |
| Token | Enter the token generated from Files.com |
Token Management
The SCIM authentication token expires a year from the date you generated it. Site Administrators receive an alert email from Files.com before your SCIM token expires. You can extend the expiry date of the SCIM provisioning Secret Token in Files.com. Edit your Duo provider's settings, enter a new date in the Token Expiration text box or pick a new date from the date picker UI, and click Save.
To revoke the current token and get a new one, edit your Duo provider's settings and choose the Reset Token option. Save your provider configuration, and a new token is generated and available for you to copy from the Secret Token text box.
Just-In-Time (JIT) Provisioning
JIT Provisioning creates user records in Files.com on a user's first successful login. It is simpler than SCIM, but it can only provision users — it cannot delete or disable them. Files.com automatically uses Just-In-Time (JIT) Provisioning if you don't set up SCIM.