Safeguard.sh Documentation Center
SSO AuthenticationSAML 2.0

Duo Security

Configure Duo Single Sign-On as a SAML 2.0 identity provider for Safeguard.

Duo Security

  1. In the Duo Admin Panel, go to Applications → Protect an Application, and protect Generic SAML Service Provider (via Duo Single Sign-On).
  2. Under SAML Response, set Entity ID to the SP Entity ID Safeguard shows after Save, and Assertion Consumer Service (ACS) URL to the ACS URL Safeguard shows after Save.
  3. Set NameID format to Email Address and NameID value to Email address.
  4. Under SAML Response → Attributes, add an attribute named email mapped to Email address — separate from the NameID setting above.
  5. Copy the Single Sign-On URL, Entity ID, and Certificate from the Metadata section.
  6. In Safeguard, click Add Provider → SAML 2.0 → Duo Security, and enter those three values.
  7. Confirm an Authentication Source (your upstream directory — AD, Azure, Google, etc.) is linked to this Duo SSO application.
  8. Click Test in Safeguard to confirm.

Common errors: an "AuthSource error" at Duo means the Duo SSO Authentication Source isn't linked to this application yet — link it under the application's settings before testing.

On this page