Can I use DUO and OKTA together for Tyler ID?
- Tyler ID (TID)
- DUO
- OKTA
- 2 Factor Authentication (2FA)
- Multi-Factor Authentication (MFA)
- Identity Provider
- Federation
Currently using DUO authentication in-house and looking to use it in conjunction with OKTA for Tyler ID
Using DUO with Tyler Identity is part of the Tyler Identity Advanced Feature which requires you to work with your Sales Representative to get a Custom Core IDP licensing estimate before the setup can occur. If you do not know who your sales representative is, please contact TSM Support
DUO Generic SAML setup
- Sign up for a DUO Account
- Log into the DUO Admin Panel https://admin.duosecurity.com/login?next=%2F
- Navigate to Applications
- Click Protect an Application
Click Protect an Application and locate Generic SAML Service Provider with a protection type of 2FA with SSO hosted by Duo (Single Sign-On) in the applications list.
Click Protect to the far right to start configuring Generic SAML Service Provider. See Protecting Applications for more information about protecting applications in Duo and additional application options. You'll need the information on the Generic SAML Service Provider page under Metadata later
The Metadata section is where you can get SAML identity provider information about Duo Single Sign-On
Name Description Entity ID The global, unique name for Duo Single Sign-On. This is sometimes referred to as Issuer Single Sign-On URL The authentication URL for Duo Single Sign-On. This is sometimes referred to as "SSO URL" or "Login URL". This URL can also be used to start IdP-initiated authentications Single Log-Out URL The logout URL for Duo Single Sign-On. This is sometimes referred to as "SLO URL" or "Logout Endpoint". This field is optional Metadata URL This URL can be used by service providers to download the XML metadata from Duo Single Sign-On SHA - 1 Fingerprint The SHA-1 fingerprint of the SAML certificate. Sometimes service providers will request a fingerprint instead of uploading a SAML certificate SHA - 256 Fingerprint The SHA-256 fingerprint of the SAML certificate. Sometimes service providers will request a fingerprint instead of uploading a SAML certificate Certificate The certificate used by the service providers to validate the signature on the SAML response sent by Duo Single Sign-On. Click the Download Certificate button to download a crt file SAML Metadata The XML SAML Metadata is used by service providers to configure the service provider with settings from Duo Single Sign-On. Click the Download XML button to download a xml file - Claims required from DUO
- These claims (user attributes) must be in the SAML assertions returned by Duo; claim names must match the ones below:
- firstName
- lastName
Configure Identity Provider in Admin Center
- Login as an Org Admin to Admin Center and navigate to Identity Workforce e.g. https://<customeridentifier>-admin.tylerportico.com/org/admin-center/identity-workforce/identity-providers
- Click Add a new provider and select Custom SAML
- Fill in the information:
- Name - descriptive name for the federation
- Certificate - click Add certificate and load the certificate downloaded from DUO in previous steps
- Idp issuer uri - e.g. https://sso-<alphanumeric1>.sso.duosecurity.com/saml2/idp/<alphanumeric2>
- Idp single sign on URL - e.g. https://sso-<alphanumeric1>.sso.duosecurity.com/saml2/idp/<alphanumeric2>/sso
- Click Next
- Download the metadata
- Click Next
- Test configuration
MFA/2FA - Set up DUO Universal Prompt
- Contact OKTA to update the OKTA Application to support Universal Prompt
- Activate Universal Prompt Experience for users in the Admin Panel
- You may need to contact Okta Support to enable the Duo Multifactor option for your account before you can complete setup
- Read the Universal Prompt Update Guide for more information about the update process and the new login experience for users
- Duo Single Sign-On for Generic SAML Service Providers
- Contact Tyler Systems Management Support or submit a case via the Online Support Client Portal for additional assistance.
Add Comment