Integrating Cisco Duo SAML with Edge Delta

Integrate Cisco Duo SAML with Edge Delta for single sign-on with multi-factor authentication, supporting both IDP and SP initiated workflows.

Overview

You can set up a Cisco Duo SAML integration with Edge Delta. Cisco Duo provides multi-factor authentication (MFA) as part of the single sign-on process, adding an additional layer of security to your Edge Delta access.

To use this document, you must have administrative access to your Cisco Duo account and Edge Delta account.

Edge Delta supports both identity provider (IDP) and service provider (SP) initiated login workflows. The IDP workflow logs in a user from the Duo Central portal, whereas the SP workflow logs a user in from the Edge Delta login page.

1. Create a Cisco Duo SAML Integration

  1. In the Cisco Duo Admin Panel, navigate to Applications in the left sidebar.
  2. Search for Generic SAML Service Provider in the Application Catalog and click Add.

Service Provider Configuration

  1. For Metadata Discovery, select Metadata XML file.
  2. Download the metadata XML file from https://api.edgedelta.com/saml/metadata.
  3. Click Choose File and upload the downloaded metadata.xml file.

Once uploaded, the system will automatically populate the following fields:

  • Entity ID
  • Assertion Consumer Service (ACS) URL
  • Assertion encryption certificate
  4. For Default Relay State, manually enter: https://app.edgedelta.com/saml

This field is required for IDP-initiated connections and will not be auto-populated.

SAML Response Configuration

  1. Verify the following settings are configured:
  • NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • NameID attribute: <Email Address> (or the appropriate user identifier)
  2. Click Save to create the application.

2. Assign Users to the Application

  1. Navigate to the Users tab in the Duo Admin Panel.
  2. Create or select the users who need access to Edge Delta.
  3. Assign these users to the Generic SAML Service Provider application you just created.

3. Configure Duo Central (Optional)

If you want users to access Edge Delta through an IDP-initiated login:

  1. Navigate to Applications > Duo Central.
  2. Click Add tile.
  3. Search for and select your Generic SAML Service Provider application.
  4. This will make the application available in your Duo Central portal for IDP-initiated login.

4. Obtain Metadata URL

  1. Return to your Generic SAML Service Provider application settings.
  2. Scroll to the Metadata section.
  3. Locate and copy the Metadata URL.
  • You will need this information in the next step.

5. Configure SAML in Edge Delta

  1. Log on to the Edge Delta App with an administrator account.
  2. Click Admin and select the My Organization tab.
  3. In the Organization section, click Edit.
  4. In the Approved Domains field, enter the domains of the email addresses authorized to join the organization. Type a domain and press Enter before entering the next one.
  5. Click Save.
  6. In the SAML Settings section, click Edit.
  7. If you are using a Service Provider Initiated login workflow, you must enter the domain of the email addresses of authorized users from step 4. You can enter a comma separated list of different domains.
  8. Select Metadata URL, and then paste the IDP Metadata URL you copied earlier.
  9. For Metadata URL Verification, select Enabled.
  10. Optionally, select Enforcement - Require Authentication Via SAML To Access This Organization. This disables the ability to log in to Edge Delta with a user name and password for normal users. They must use the IDP to log in. However, Edge Delta admin account holders can still log in with their username and password on the Edge Delta login page.
  11. Optionally, select JIT Provisioning - Enable JIT User Provisioning And Dynamic Group Membership For This Organization. Enter a Group Attribute Mapping Field and a Default Group. The field name is groups by default but it is configurable. It should match the SAML attribute name sent by the IDP.
  12. Click Save.

Just in Time (JIT) provisioning determines the group configured for the user in the IDP based on the Group Attribute Mapping Field and it assigns users to an existing Edge Delta permissions group with the same name.

<saml:Attribute 
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
   Name="groups">
   <saml:AttributeValue
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">custom_admin
   </saml:AttributeValue>
   <saml:AttributeValue
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string">custom_super_admin
   </saml:AttributeValue>
</saml:Attribute>

In this example of an IDP's SAML group assertion, the groups attribute values are custom_admin and custom_super_admin. The user will be added to an Edge Delta group called custom_admin if it exists in Edge Delta, and it will also be added to the custom_super_admin group if it exists. When there is more than one group, the user will have the most permissive permissions of the groups they belong to.

If no IDP group is detected, or if the asserted group does not match an existing Edge Delta group, the user is added to the default group. When the user logs out, they are removed from the Edge Delta group.
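The following is an added example (not Edge Delta's code; its internal implementation is not described on this page) that models the JIT rule described above: read the configured group attribute from an assertion, keep only values that match an existing Edge Delta group, fall back to the default group otherwise, and combine permissions across matched groups. The sample assertion, group names and permission sets are constructed; treating "most permissive" as the union of the groups' permissions is an assumption.

```python
# Added example: JIT group resolution as described in the page's JIT section.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: one matching group, one unknown group.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
        Name="groups">
      <saml:AttributeValue>custom_admin</saml:AttributeValue>
      <saml:AttributeValue>no_such_group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed Edge Delta side: existing groups and hypothetical permissions.
EXISTING_GROUPS = {"Admin", "custom_admin", "viewer"}
PERMISSIONS = {
    "Admin": {"read", "write", "manage_users"},
    "custom_admin": {"read", "write"},
    "viewer": {"read"},
}

def asserted_groups(assertion_xml, attr_name="groups"):
    """Collect the values of the Group Attribute Mapping Field (default: groups)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            values += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                       if v.text and v.text.strip()]
    return values

def resolve_groups(asserted, existing_groups, default_group):
    """Keep asserted groups that exist in Edge Delta; otherwise use the default group."""
    matched = [g for g in asserted if g in existing_groups]
    return matched if matched else [default_group]

def effective_permissions(groups, permissions_by_group):
    """Assumed model of 'most permissive': the union of all member groups' permissions."""
    perms = set()
    for g in groups:
        perms |= permissions_by_group.get(g, set())
    return perms
```

Because a mismatched or missing attribute silently lands the user in the default group, keep that group's permissions minimal and check the asserted values when a user reports fewer permissions than expected.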

Authentication Methods

Once the integration is complete, users can authenticate using either of the following methods:

Service Provider (SP) Initiated Login

  1. Visit https://app.edgedelta.com/auth/login-saml.
  2. Enter your email address associated with your Duo account.
  3. You will be redirected to Duo for authentication.
  4. Complete the Duo authentication (password + 2FA).
  5. Upon successful authentication, you will be redirected back to the Edge Delta application.

Identity Provider (IDP) Initiated Login

  1. Log in to your Duo Central portal.
  2. Click on the Edge Delta application tile.
  3. You will be authenticated and redirected directly to the Edge Delta application.

Security Considerations

  • Replay Attack Prevention: Edge Delta uses a 90-second time window to prevent replay attacks. If authentication is not completed within this timeframe, a 403 Forbidden response will be returned, and you will need to restart the authentication flow.
  • Encryption: The SAML response is encrypted using the certificate provided in the metadata file.
  • Multi-Factor Authentication: Duo’s multi-factor authentication adds an additional layer of security to your Edge Delta access.

Troubleshooting

If users experience issues logging in, verify that:

  • The user is assigned to the application in Duo
  • The metadata URL is correctly configured in Edge Delta
  • The Default Relay State is set to https://app.edgedelta.com/saml
  • The user’s email address matches between Duo and Edge Delta

Important: If you need to update your SAML settings in Edge Delta, you must delete the existing SAML configuration and recreate it. In-place updates to SAML settings are not supported and may cause authentication issues.

Removing Admin Permissions

To remove regular permissions from a user when JIT is enabled, simply remove them from the permissions group in your IDP. However, to remove admin permissions from a user, you must remove them using the IDP and also remove them from the Admin group in Edge Delta. This helps prevent accidental account lockout. To remove an admin user:

  1. Remove admin permissions from the user in the IDP (if JIT is enabled).
  2. In the Edge Delta app, click Admin - My Organization.
  3. Click Groups.
  4. Click the Actions column button in the Admin row and select Edit User Group.
  5. Click Group Members.
  6. Click the Delete button on the user you want to remove from the Admin group.