Using DUO and OKTA with Tyler ID
Can I use DUO and OKTA together for Tyler ID?
Tyler ID (TID)
DUO
OKTA
2 Factor Authentication (2FA)
Multi-Factor Authentication (MFA)
Identity Provider
Federation
Currently using DUO authentication in-house and looking to use it in conjunction with OKTA for Tyler ID
Using DUO with Tyler Identity is part of the Tyler Identity Advanced Feature which requires you to work with your Sales Representative to get a Custom Core IDP licensing estimate before the setup can occur. If you do not know who your sales representative is, please contact TSM Support
DUO Generic SAML setup
Sign up for a DUO Account
Log into the DUO Admin Panel https://admin.duosecurity.com/login?next=%2F
Navigate to Applications
Click Protect an Application
Click Protect an Application and locate Generic SAML Service Provider with a protection type of 2FA with SSO hosted by Duo (Single Sign-On) in the applications list.
Click Protect to the far right to start configuring Generic SAML Service Provider. See Protecting Applications for more information about protecting applications in Duo and additional application options. You'll need the information on the Generic SAML Service Provider page under Metadata later
The Metadata section is where you can get SAML identity provider information about Duo Single Sign-On
Name Description Entity ID The global, unique name for Duo Single Sign-On. This is sometimes referred to as Issuer Single Sign-On URL The authentication URL for Duo Single Sign-On. This is sometimes referred to as "SSO URL" or "Login URL". This URL can also be used to start IdP-initiated authentications Single Log-Out URL The logout URL for Duo Single Sign-On. This is sometimes referred to as "SLO URL" or "Logout Endpoint". This field is optional Metadata URL This URL can be used by service providers to download the XML metadata from Duo Single Sign-On SHA - 1 Fingerprint The SHA-1 fingerprint of the SAML certificate. Sometimes service providers will request a fingerprint instead of uploading a SAML certificate SHA - 256 Fingerprint The SHA-256 fingerprint of the SAML certificate. Sometimes service providers will request a fingerprint instead of uploading a SAML certificate Certificate The certificate used by the service providers to validate the signature on the SAML response sent by Duo Single Sign-On. Click the Download Certificate button to download a crt file SAML Metadata The XML SAML Metadata is used by service providers to configure the service provider with settings from Duo Single Sign-On. Click the Download XML button to download a xml file Claims required from DUO
These claims (user attributes) must be in the SAML assertions returned by Duo; claim names must match the ones below:
email
firstName
lastName
Configure Identity Provider in Admin Center
Login as an Org Admin to Admin Center and navigate to Identity Workforce e.g. https://<customeridentifier>-admin.tylerportico.com/org/admin-center/identity-workforce/identity-providers
Click Add a new provider and select Custom SAML
Fill in the information:
Name - descriptive name for the federation
Certificate - click Add certificate and load the certificate downloaded from DUO in previous steps
Idp issuer uri - e.g. https://sso-<alphanumeric1>.sso.duosecurity.com/saml2/idp/<alphanumeric2>
Idp single sign on URL - e.g. https://sso-<alphanumeric1>.sso.duosecurity.com/saml2/idp/<alphanumeric2>/sso
Click Next
Download the metadata
Click Next
Test configuration
MFA/2FA - Set up DUO Universal Prompt
Contact OKTA to update the OKTA Application to support Universal Prompt
Activate Universal Prompt Experience for users in the Admin Panel
You may need to contact Okta Support to enable the Duo Multifactor option for your account before you can complete setup
Read the Universal Prompt Update Guide for more information about the update process and the new login experience for users
Contact Tyler Systems Management Support or submit a case via the Online Support Client Portal for additional assistance.