
Duo SSO

Files.com supports Single Sign-On (SSO) integration with Duo via the SAML protocol, so users can log in with their Duo identity instead of a separate Files.com username and password, using a Service Provider (SP)-initiated SSO flow. Duo acts as the Identity Provider (IdP), which centralizes identity management, simplifies access for administrators, and enhances security by applying consistent login policies.

Adding Files.com in Duo

After logging in to your Duo account as an administrator, click on Add Application from within your application management screen or navigate to Applications -> Application Catalog, and search for Generic SAML Service Provider. Click Add to configure Files.com as a custom SAML application.

In the Generic SAML Service Provider - Single Sign-On form, configure the application using the SAML configuration settings below, leaving the remaining fields at their default values.

SAML SSO Details for Duo

Field                                  Value
Entity ID                              https://app.files.com/saml/metadata
Assertion Consumer Service (ACS) URL   https://app.files.com/saml/consume
Service Provider Login URL             https://[SUBDOMAIN].files.com
Default Relay State                    [SUBDOMAIN].files.com
Name ID format                         urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
NameID attribute                       <Email Address>

Replace [SUBDOMAIN] with your specific Files.com subdomain.
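The values in the table are what Duo needs to address Files.com as the Service Provider, and they are also exactly what the SP must check when a SAML response comes back. The following is an added example (not Files.com or Duo code) that builds the SP-initiated AuthnRequest with those values, encodes it for the HTTP-Redirect binding with the Relay State from the table, and then runs the relying-party checks (issuer, audience, recipient, validity window, NameID format) over a constructed assertion. The IdP entity ID and SSO URL are placeholders that in a real deployment come from the Duo metadata, and XML signature verification is deliberately out of scope here; a real SP must verify the signature against the IdP certificate before trusting any of these fields.

```python
"""SP-initiated SAML login with the Files.com values from the table above.

Added example, not Files.com or Duo code; standard library only. The IdP
entity ID and SSO URL are constructed placeholders. Signature verification
is left out, which a real Service Provider must never do.
"""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs

# Service Provider values from the "SAML SSO Details for Duo" table
SP_ENTITY_ID = "https://app.files.com/saml/metadata"
ACS_URL = "https://app.files.com/saml/consume"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholders (assumed): in practice these are read from the Duo IdP metadata
IDP_ENTITY_ID = "https://idp.example.invalid/metadata"
IDP_SSO_URL = "https://idp.example.invalid/saml/sso"

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def build_authn_request() -> str:
    """AuthnRequest the SP sends to start login: Issuer is the Entity ID and the IdP is told to post the response to the ACS URL."""
    request_id = "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{NAMEID_FORMAT}" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def redirect_url(subdomain: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode; RelayState carries the site, as in the table."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(build_authn_request().encode()) + comp.flush()
    query = urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "RelayState": f"{subdomain}.files.com",
    })
    return f"{IDP_SSO_URL}?{query}"


def decode_saml_request(url: str) -> str:
    """Inverse of redirect_url: recover the AuthnRequest XML from a redirect URL (handy when debugging a login)."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()


# Constructed sample assertion, shaped like what the IdP posts back to the ACS URL
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_sample" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{NAMEID_FORMAT}">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(assertion_xml: str, now_iso: str) -> list:
    """Relying-party checks on a (signature-verified) assertion. Returns the problems found; empty means accept."""
    now = _ts(now_iso)
    root = ET.fromstring(assertion_xml)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        problems.append(f"issuer {issuer!r} is not the configured IdP")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient is not our ACS URL (response was meant for another SP)")
    elif _ts(scd.get("NotOnOrAfter")) <= now:
        problems.append("SubjectConfirmationData expired")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if cond.get("NotBefore") and _ts(cond.get("NotBefore")) > now:
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and _ts(cond.get("NotOnOrAfter")) <= now:
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append(f"audience {audiences} does not include our Entity ID")
    return problems


if __name__ == "__main__":
    url = redirect_url("example")
    print(url)
    print(decode_saml_request(url))
    print("problems:", check_assertion(SAMPLE_ASSERTION, "2024-01-01T12:00:00Z"))
```

The audience and recipient checks are the ones that matter most operationally: an assertion issued for a different SP that shares the same IdP must be rejected even though its signature is valid, which is why the Entity ID and ACS URL in the table must be entered exactly as shown.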

Adding Duo in Files.com

Create a new SSO Provider and select Duo as the provider type.

You must provide a Display Name for your new provider. This is shown during login so users can choose the correct SSO Provider.

There are 3 ways to connect to your SAML provider. The Metadata URL is the simplest option because it automatically picks up updates such as certificate renewals or changes to the provider's URLs. If you don't need automatic updates, you can connect to your provider by uploading its Metadata XML. We also support using a Certificate Fingerprint, which gives you more control over updates but requires more effort to manage in the long term.

Using Metadata URL

Using Metadata URL to connect is the most straightforward option. Paste the Metadata URL you copied from Duo into the Metadata URL field.

Using Metadata XML file

To use a metadata XML file to connect to Duo, first download the XML from your Duo install. Log in as a Duo administrator and click Download XML in the Downloads section of the application configuration screen in Duo.

Use the file you exported from Duo in the Metadata XML file option of your SSO Provider record.

Using Certificate Fingerprint

To use Certificate Fingerprint to connect to Duo, click Download certificate in the Downloads section of the application configuration screen in Duo. Once the certificate is downloaded to your local machine, run the following command in a terminal to obtain the certificate's fingerprint.

openssl x509 -in [your_cert_file] -noout -sha256 -fingerprint

In Files.com, provide the fingerprint from the command above as the Certificate Fingerprint for your SSO Provider along with the IDP URL you copied from Duo. You can also use the same URL for the SLO endpoint and SSO endpoint.

Assigning Users

Once the SSO Provider is configured, the Duo Single Sign-On method will be available when assigning an authentication method for a user in Files.com, and the Sign in with Duo button will be displayed on your site's login page.

It is strongly recommended to assign at least 1 Site Administrator the Password authentication method, rather than assigning all administrators to use SSO. This prevents locking out all administrators if there is a problem with your identity provider or SSO service.

Provisioning Users Automatically

Files.com supports two methods of automatically provisioning users via Duo: SCIM provisioning and just-in-time (JIT) provisioning. SCIM provisioning automates user management by creating, updating, and deactivating users in Files.com based on changes made in Duo. In contrast, JIT Provisioning only creates the user in Files.com when they first log in and does not sync further changes from Duo.

To set up SCIM provisioning, configure the SCIM connector in Duo with Files.com’s SCIM endpoint and authentication details. Detailed instructions are available in Files.com’s SCIM provisioning documentation.

SCIM Provisioning

Enabling SCIM Provisioning means that your users and groups in Files.com will be automatically managed to match your settings in Duo.

In your Files.com site, set your Provisioning Method for the SSO Provider to Use SCIM Provisioning. Duo SSO always uses the Secret Token authentication method.

Set your options for enabling user or group provisioning or de-provisioning. You can fine-tune rules for how users and groups are provisioned.

When you save the SSO Provider record, your SCIM Secret Token will be displayed.

Within the Duo site, update your application configuration:

  1. Click on Provisioning at the top of the application configuration form.
  2. Under the Authentication section, select Bearer Token from the drop-down menu.
  3. Copy the Base URL and Secret Token values from your Files.com configuration, and click Connect to Application. When you see a “Successfully connected to the Application” message below the form, your SSO Provider is successfully configured.

SCIM Provisioning Details for Duo

Field                Value
Authentication Mode  Bearer Token
Base URL             https://app.files.com/api/scim
Token                Enter the token generated from Files.com

Token Management

The SCIM authentication token expires one year from the date you generated it. Site Administrators will receive an alert email from Files.com before your SCIM token expires. You can always extend the expiry date of the SCIM provisioning Secret Token in Files.com: edit your Duo provider's settings, enter a new date in the Token Expiration text box or pick one from the date picker UI, and click Save.

To revoke the current token and get a new one, edit your Duo provider's settings and choose the Reset Token option. Save your provider configuration and a new token will be generated and available for you to copy from the Secret Token text box.

Just-In-Time (JIT) Provisioning

JIT Provisioning operates by generating user records on Files.com upon their initial successful login. While this method is simpler than SCIM, it does have limitations. For instance, JIT can provision users but lacks the ability to delete or disable them. Files.com will automatically use Just-In-Time (JIT) Provisioning if you don't set up SCIM.
