🐧
Linux Control Center
EN
EN
  • Introduction - User Manual
  • Requirements
    • Server Requirements
    • Client Requirements
  • Setup and Installation
  • Worker
  • Dashboard
  • Discover
    • Linux Control Center Discover
    • BeyondTrust Password Safe
  • Host Actions
    • Get Info Action
    • Package Check Update
    • Package Update
    • Package Install
    • Account Add
    • Account Del
    • Account Expire
    • Account Lock
    • Account Unlock
    • File Add
    • File Del
  • Custom Scripts
    • BeyondTrust Password Safe Secrets
  • Integrations
    • BeyondTrust
    • VMWare
    • Nutanix
  • User Management
    • Providers
      • SAML
        • Cisco Duo
Powered by GitBook
On this page
  • Requirements
  • Overview
  • Objective
  • Application Configuration in Cisco Duo
  • Service Provider
  • SAML Response
  • Map attributes
  • User Permissions in LCC
  • Cisco Duo Configuration in LCC
  • Attribute Map
  • Endpoint Registration in IDP
  • Provider Permission
  • Access with Identity Provider
  1. User Management
  2. Providers
  3. SAML

Cisco Duo

PreviousSAML

Last updated 17 days ago

Requirements

Linux Control Center = 2.12.X or Higher Pre-configured Single Sign-On (SSO) Provider (Cisco Duo)

Overview

The Linux Control Center allows you to configure a single sign-on (SSO) provider for the Console, providing secure and convenient access. LCC offers authentication to the Console via LDAP and SAML.

  • See the image representing the authentication flow.

Objective

The objective of this document is to present the step-by-step process to configure a Console access provider for LCC using a SAML provider.

Application Configuration in Cisco Duo

  1. Access your environment's Cisco Duo structure and create an Application with the following configurations:

  • Application Type = Generic SAML Service Provider - Single Sign-On

Service Provider

  1. The Assertion Consumer Service (ACS) URL field must be filled with the endpoint from the URL Assertion Consumer Service field. This URL is generated after creating the SAML item in the Linux Control Center. This is the URL where Cisco Duo will perform the authentication.

  • Example: https://10.17.76.2/api/v2/authentication/saml2/acs/19

SAML Response

  1. Configure the NameID format and NameID attribute fields.

Map attributes

  1. The attribute mapping IdP Attribute, SAML Response Attribute, and Attribute Name can be configured according to your environment's needs.

Example;

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress - email

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname - userid

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name - username

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name - name

User Permissions in LCC

  • When using Cisco Duo login to access the Linux Control Center (LCC), the user will be automatically created in the LCC console, but without any assigned permissions. To ensure proper access to resources, it is necessary to create a Group in the LCC Console with the desired access rules and associate this group in the Cisco Duo integration configuration. In this way, authenticated users will receive permissions as defined in the linked group.

  1. Click Config in the left sidebar menu.

  2. Click User Group.

  3. Click Create.

  4. Enter a name for the Group in the Name field.

  5. Click Configure Permissions and choose the permissions you want to enable for the group's users.

  6. Click Save to create the group.

  7. The group will be listed on the User Groups screen.

Cisco Duo Configuration in LCC

  1. Click Config in the left sidebar menu of the LCC.

  2. Click Provider.

  3. Click SAML.

  4. Click Create.

  5. Access your environment's Cisco Duo and enter the Application data in the fields as instructed below:

    • Name: This field will be the name of the button on the Login screen with the Cisco Duo logo.

    • Entity ID: Enter the Entity ID of the Application configured in Cisco Duo.

    • IDP Metadata URL: Enter the metadata URL of your Identity Provider.

    • Certificate: Enter the certificate of the Application configured in Cisco Duo.

    • LCC Groups: Choose the Permission Group that will be assigned to users who access the Console through this integration with Cisco Duo.

  6. Click the Select an Icon button and select the Cisco Duo icon to define the Login button on the LCC Console.

Attribute Map

  1. Click Next to access the Attribute Map settings.

  2. Fill in the User Identifier Attribute field. This field defines the Identity Provider user who will be responsible for validating the authentication. It is possible to define a key to validate the IDP response.

  3. Click Next again and check the options as needed.

  4. Click Save to create the provider in the LCC Console.

Endpoint Registration in IDP

This step is crucial in the configuration of an identity provider; it is necessary to register the LCC Endpoint in your Identity Provider so that LCC has permission to perform the queries.

  1. Click on the created Identity Provider and copy the values from the URL Assertion Consumer Service and URL Single Logout Service fields and register them in your Identity Provider.

Provider Permission

  1. Click Config in the left sidebar menu.

  2. Click Authentication.

  3. Click on the Providers tab, select the provider, and move it to the table on the right side.

  4. Click Save to set the Cisco Duo Provider as a valid authentication method.

Access with Identity Provider

  1. Log out with the current user and click on the created Identity Provider button, and LCC will query and read the SAML response to validate access to the Console.

Example: NameID attribute

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress