# Cisco Duo

## Requirements

Linux Control Center version 2.12.X or higher\
Pre-configured Single Sign-On (SSO) provider (Cisco Duo)

## Overview

The Linux Control Center allows you to configure a single sign-on (SSO) provider for the Console, providing secure and convenient access. LCC offers authentication to the Console via LDAP and SAML.

* See the image representing the authentication flow.

  ![](/files/lbH6Yu9dBlM5C4mWL39f)

## Objective

The objective of this document is to present the step-by-step process to configure a Console access provider for LCC using a SAML provider.

## Application Configuration in Cisco Duo

1. Access your environment's Cisco Duo and create an Application with the following configuration:

* *Application Type* = Generic SAML Service Provider - Single Sign-On

  ![](/files/qltbgH1UWJS9dgyZlryK)

### Service Provider

1. The *Assertion Consumer Service (ACS) URL* field must be filled with the endpoint from the **URL Assertion Consumer Service** field. This URL is generated after creating the SAML item in the Linux Control Center, and it is the URL to which Cisco Duo will send the SAML authentication response.

* Example: <https://10.17.76.2/api/v2/authentication/saml2/acs/19>

  ![](/files/4NWa3hB51fRoBX8lkX41)

### SAML Response

1. Configure the **NameID format** and **NameID attribute** fields.

* Example: NameID attribute <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress>

  ![](/files/R7KPiuL5R6FrNz0uKEfZ)

### Map attributes

1. The attribute mapping *IdP Attribute*, *SAML Response Attribute*, and *Attribute Name* can be configured according to your environment's needs.

Example:

* *<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress>* - email
* *<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname>* - userid
* *<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name>* - username
* *<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name>* - name

  ![](/files/nGhQkmZ68XZQsv65d62x)
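To make the mapping above concrete, the following added example (not LCC's or Cisco Duo's code) parses a constructed, unsigned SAML response, checks that it was addressed to the page's example ACS URL and to an assumed Entity ID (`lcc-console`), and applies the same claim-to-attribute mapping a service provider would use to build the LCC user record.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Attribute map from this page: SAML Response Attribute -> LCC attribute name(s).
ATTRIBUTE_MAP = {
    CLAIMS + "emailaddress": ["email"],
    CLAIMS + "givenname": ["userid"],
    CLAIMS + "name": ["username", "name"],
}

# Constructed sample response (no XML signature; Entity ID "lcc-console" is assumed).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="https://10.17.76.2/api/v2/authentication/saml2/acs/19">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>lcc-console</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def map_saml_response(xml_text, acs_url, entity_id, now=None):
    """Reject responses not meant for this ACS URL / Entity ID or already expired,
    then translate the IdP claims into the LCC attribute names from the map."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        raise ValueError("Destination does not match the configured ACS URL")
    assertion = root.find("saml:Assertion", NS)
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        raise ValueError("assertion is not addressed to this Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if (now or datetime.now(timezone.utc)) >= expiry:
        raise ValueError("assertion has expired")
    user = {"nameid": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in assertion.findall(".//saml:Attribute", NS):
        for lcc_name in ATTRIBUTE_MAP.get(attr.get("Name"), []):
            user[lcc_name] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return user
```

A real service provider must also verify the XML signature against the IdP certificate (the **Certificate** field configured later on this page) before trusting any of these values; that step is deliberately left out here.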

## User Permissions in LCC

* When using Cisco Duo login to access the Linux Control Center (LCC), the user will be automatically created in the LCC console, but without any assigned permissions. To ensure proper access to resources, it is necessary to create a Group in the LCC Console with the desired access rules and associate this group in the Cisco Duo integration configuration. In this way, authenticated users will receive permissions as defined in the linked group.

1. Click **Config** in the left sidebar menu.

   ![](/files/hrHlEv8SGbfrVGOKVHrt)
2. Click **User Group**.

   ![](/files/TDat4LhFYTfU88X5Q0Cy)
3. Click **Create**.

   ![](/files/Rh7SwXRICr94kFIjUQjD)
4. Enter a name for the Group in the **Name** field.

   ![](/files/m6OCK68y6z1YXl0J4CF5)
5. Click **Configure Permissions** and choose the permissions you want to enable for the group's users.

   ![](/files/RpJh9uopbvJ4kDnB0YZR)
6. Click **Save** to create the group.

   ![](/files/GYFoNUEGx3BSK4QuEIDR)
7. The group will be listed on the **User Groups** screen.

   ![](/files/S3X8B4gFcO0SDOtDYYkH)

## Cisco Duo Configuration in LCC

1. Click **Config** in the left sidebar menu of the LCC.

   ![](/files/hrHlEv8SGbfrVGOKVHrt)
2. Click **Provider**.

   ![](/files/lZasAPaUhrDeBLcuqbRJ)
3. Click **SAML**.

   ![](/files/6jd11MBdH3JDKwJlPeHU)
4. Click **Create**.

   ![](/files/ncg8HOSkKOhLObm0Ln0R)
5. Access your environment's Cisco Duo and enter the *Application* data in the fields as instructed below:

   * **Name:** This field will be the name of the button on the Login screen with the Cisco Duo logo.
   * **Entity ID:** Enter the Entity ID of the *Application* configured in Cisco Duo.
   * **IDP Metadata URL:** Enter the metadata URL of your Identity Provider.
   * **Certificate:** Enter the certificate of the Application configured in Cisco Duo.
   * **LCC Groups:** Choose the *Permission Group* that will be assigned to users who access the Console through this integration with Cisco Duo.

   ![](/files/GmQjDEqUYhDqwy8cUw1h)
6. Click the **Select an Icon** button and select the *Cisco Duo* icon to define the Login button on the LCC Console.

   ![](/files/JGntS91SH75KhTNnstU6)

### Attribute Map

1. Click **Next** to access the Attribute Map settings.

   ![](/files/hz5ZLOPqvMPJqYS6YC5L)
2. Fill in the *User Identifier Attribute* field. This field defines the Identity Provider attribute that identifies the user whose authentication is being validated. It is also possible to define a key to validate the IDP response.

   ![](/files/qeGpGbCrCq7ECqtToQKx)
3. Click **Next** again and check the options as needed.

   ![](/files/6lNMZqEYZkCWWpjvAgRZ)
4. Click **Save** to create the provider in the LCC Console.

   ![](/files/74iBrCioh0DgNg9uLSs4)

### Endpoint Registration in IDP

{% hint style="warning" %}
This step is crucial in the configuration of an identity provider; it is necessary to register the LCC Endpoint in your *Identity Provider* so that LCC has permission to perform the queries.
{% endhint %}

1. Click on the created Identity Provider and copy the values from the *URL Assertion Consumer Service* and *URL Single Logout Service* fields and register them in your Identity Provider.

   ![](/files/U5mW3GlMPaM5AZw6avjY)

### Provider Permission

1. Click **Config** in the left sidebar menu.

   ![](/files/bWMYrerx1CqWTmFzEKne)
2. Click **Authentication**.

   ![](/files/XaKz5QKsXMMehzXGD3D3)
3. Click on the **Providers** tab, select the provider, and move it to the table on the right side.

   ![](/files/bL8wtRd76oYoyUTv5KQi)
4. Click **Save** to set the Cisco Duo Provider as a valid authentication method.

   ![](/files/AjDd23DxLGuyOfGrUZBS)

## Access with Identity Provider

1. Log out of the current user session and click the button for the Identity Provider you created; LCC will query the provider and read the SAML response to validate access to the Console.

   ![](/files/ZMI36dhmjwuoApGL2CVY)
