Using DUO and OKTA with Tyler ID

Description of Issue

Can I use DUO and OKTA together for Tyler ID?

Context
  • Tyler ID (TID)

  • DUO

  • OKTA

  • 2 Factor Authentication (2FA)

  • Multi-Factor Authentication (MFA)

  • Identity Provider

  • Federation

Cause

Currently using DUO authentication in-house and looking to use it in conjunction with OKTA for Tyler ID

Resolution

Using DUO with Tyler Identity is part of the Tyler Identity Advanced Feature which requires you to work with your Sales Representative to get a Custom Core IDP licensing estimate before the setup can occur. If you do not know who your sales representative is, please contact TSM Support

DUO Generic SAML setup

  1. Sign up for a DUO Account

  2. Log into the DUO Admin Panel https://admin.duosecurity.com/login?next=%2F

    1. Navigate to Applications

    2. Click Protect an Application

      1. Click Protect an Application and locate Generic SAML Service Provider with a protection type of 2FA with SSO hosted by Duo (Single Sign-On) in the applications list.

      2. Click Protect to the far right to start configuring Generic SAML Service Provider. See Protecting Applications for more information about protecting applications in Duo and additional application options. You'll need the information on the Generic SAML Service Provider page under Metadata later

  3. The Metadata section is where you can get SAML identity provider information about Duo Single Sign-On 

  4. NameDescription
    Entity IDThe global, unique name for Duo Single Sign-On. This is sometimes referred to as Issuer
    Single Sign-On URLThe authentication URL for Duo Single Sign-On. This is sometimes referred to as "SSO URL" or "Login URL". This URL can also be used to start IdP-initiated authentications
    Single Log-Out URLThe logout URL for Duo Single Sign-On. This is sometimes referred to as "SLO URL" or "Logout Endpoint". This field is optional
    Metadata URLThis URL can be used by service providers to download the XML metadata from Duo Single Sign-On
    SHA - 1 FingerprintThe SHA-1 fingerprint of the SAML certificate. Sometimes service providers will request a fingerprint instead of uploading a SAML certificate
    SHA - 256 FingerprintThe SHA-256 fingerprint of the SAML certificate. Sometimes service providers will request a fingerprint instead of uploading a SAML certificate
    CertificateThe certificate used by the service providers to validate the signature on the SAML response sent by Duo Single Sign-On. Click the Download Certificate button to download a crt file
    SAML MetadataThe XML SAML Metadata is used by service providers to configure the service provider with settings from Duo Single Sign-On. Click the Download XML button to download a xml file
  5. Claims required from DUO

  6. These claims (user attributes) must be in the SAML assertions returned by Duo; claim names must match the ones below:

    1. email

    2. firstName

    3. lastName

Configure Identity Provider in Admin Center

  1. Login as an Org Admin to Admin Center and navigate to Identity Workforce e.g. https://<customeridentifier>-admin.tylerportico.com/org/admin-center/identity-workforce/identity-providers

  2. Click Add a new provider and select Custom SAML

  3. Fill in the information:

    1. Name - descriptive name for the federation

    2. Certificate - click Add certificate and load the certificate downloaded from DUO in previous steps

    3. Idp issuer uri - e.g. https://sso-<alphanumeric1>.sso.duosecurity.com/saml2/idp/<alphanumeric2>

    4. Idp single sign on URL - e.g. https://sso-<alphanumeric1>.sso.duosecurity.com/saml2/idp/<alphanumeric2>/sso

  4. Click Next

  5. Download the metadata

  6. Click Next 

  7. Test configuration

MFA/2FA - Set up DUO Universal Prompt

  1. Contact OKTA to update the OKTA Application to support Universal Prompt

  2. Activate Universal Prompt Experience for users in the Admin Panel

Additional Information