Cisco Duo
Last updated
Linux Control Center 2.12.X or higher: Pre-configured Single Sign-On (SSO) Provider (Cisco Duo)
The Linux Control Center allows you to configure a single sign-on (SSO) provider for the Console, providing secure and convenient access. LCC offers authentication to the Console via LDAP and SAML.
See the image representing the authentication flow.
The objective of this document is to present the step-by-step process to configure a Console access provider for LCC using a SAML provider.
Access your environment's Cisco Duo structure and create an Application with the following configurations:
Application Type = Generic SAML Service Provider - Single Sign-On
The Assertion Consumer Service (ACS) URL field must be filled with the endpoint shown in the URL Assertion Consumer Service field of the Linux Control Center. This URL is generated after the SAML item is created in the Linux Control Center, and it is the endpoint to which Cisco Duo sends the SAML response after authenticating the user.
Example: https://10.17.76.2/api/v2/authentication/saml2/acs/19
Configure the NameID format and NameID attribute fields.
The attribute mapping IdP Attribute, SAML Response Attribute, and Attribute Name can be configured according to your environment's needs.
Example:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress - email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname - userid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name - username
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name - name
When using Cisco Duo login to access the Linux Control Center (LCC), the user will be automatically created in the LCC console, but without any assigned permissions. To ensure proper access to resources, it is necessary to create a Group in the LCC Console with the desired access rules and associate this group in the Cisco Duo integration configuration. In this way, authenticated users will receive permissions as defined in the linked group.
Click Config in the left sidebar menu.
Click User Group.
Click Create.
Enter a name for the Group in the Name field.
Click Configure Permissions and choose the permissions you want to enable for the group's users.
Click Save to create the group.
The group will be listed on the User Groups screen.
Click Config in the left sidebar menu of the LCC.
Click Provider.
Click SAML.
Click Create.
Access your environment's Cisco Duo and enter the Application data in the fields as instructed below:
Name: This field will be the name of the button on the Login screen with the Cisco Duo logo.
Entity ID: Enter the Entity ID of the Application configured in Cisco Duo.
IDP Metadata URL: Enter the metadata URL of your Identity Provider.
Certificate: Enter the certificate of the Application configured in Cisco Duo.
LCC Groups: Choose the Permission Group that will be assigned to users who access the Console through this integration with Cisco Duo.
Click the Select an Icon button and select the Cisco Duo icon to define the Login button on the LCC Console.
Click Next to access the Attribute Map settings.
Fill in the User Identifier Attribute field. This field defines which attribute of the Identity Provider's response identifies the user whose authentication is being validated. It is also possible to define a key used to validate the IDP response.
Click Next again and check the options as needed.
Click Save to create the provider in the LCC Console.
This step is essential when configuring an identity provider: the LCC endpoints must be registered in your Identity Provider so that LCC is permitted to perform its queries.
Click on the created Identity Provider and copy the values from the URL Assertion Consumer Service and URL Single Logout Service fields and register them in your Identity Provider.
Click Config in the left sidebar menu.
Click Authentication.
Click on the Providers tab, select the provider, and move it to the table on the right side.
Click Save to set the Cisco Duo Provider as a valid authentication method.
Log out of the current user session and click the button of the Identity Provider you created; LCC will then query the Identity Provider and read the SAML response to validate access to the Console.
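The following script is an added example, not code from this document or from the LCC product. It shows the checks a service provider such as LCC applies to a SAML response before trusting it, using the ACS URL and the IdP attribute mapping given earlier in this document: the response's Destination must equal the registered ACS URL, the status must be Success, the NameID is read from the Subject, and each IdP claim is translated to its LCC attribute name (claims without a mapping are ignored). The SAML response itself, the Identity Provider entity ID and the user values are constructed for the example; signature verification against the certificate entered in the Certificate field is not shown and must be performed before any of these values are used.

```python
"""Added example: parse and sanity-check a SAML 2.0 Response as an SP would.

Not LCC code. The sample response below is constructed; a real SP must also
verify the assertion signature against the IdP certificate before using it.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# IdP claim URI -> LCC attribute name, taken from the attribute-mapping example
# in this document (the document maps the "name" claim a second time to "name";
# a dict can hold one target per claim, so only the "username" mapping is kept).
ATTRIBUTE_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "userid",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "username",
}

# ACS URL example from this document; the response Destination must match it.
ACS_URL = "https://10.17.76.2/api/v2/authentication/saml2/acs/19"

# Constructed sample response. The issuer URL and user values are hypothetical.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.invalid/saml2/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.invalid/saml2/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _text(node, path):
    """Return stripped text of the first child matching path, or None."""
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def parse_response(xml_text, expected_acs, attribute_map=ATTRIBUTE_MAP):
    """Validate structure/destination/status and extract NameID plus mapped attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("document is not a samlp:Response")

    # The Destination must be exactly the ACS URL registered in the IdP; a
    # response aimed at another endpoint must not be accepted here.
    destination = root.get("Destination")
    if destination != expected_acs:
        raise ValueError(f"Destination {destination!r} does not match ACS URL {expected_acs!r}")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("SAML status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no NameID")

    # Translate IdP claims to LCC attribute names; unmapped claims are dropped.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        lcc_name = attribute_map.get(attr.get("Name"))
        if lcc_name is not None:
            attributes[lcc_name] = _text(attr, "saml:AttributeValue")

    return {
        "issuer": _text(assertion, "saml:Issuer"),
        "name_id": name_id.text.strip(),
        "name_id_format": name_id.get("Format"),
        "attributes": attributes,
    }


def acs_matches(xml_text, expected_acs):
    """True when the response passes parse_response for the given ACS URL."""
    try:
        parse_response(xml_text, expected_acs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, ACS_URL))
```

Run the script directly to see the extracted identity for the constructed response; changing the Destination or the ACS URL argument makes parse_response raise, which is the behaviour you want when the URL registered in Cisco Duo drifts from the one shown in the LCC provider screen.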
Example: NameID attribute