SSO Authentication with Duo
To provide easy and secure access to the Action1 console, Action1 enables users to log in using single sign-on (SSO) instead of maintaining Action1-specific user credentials. This article explains how to configure SSO with Duo as an identity provider.
Configure Duo
- Sign in to the Duo console.
- Navigate to Applications and select Protect an Application.
- Specify Generic OIDC Relying Party and select Protect.
- In the Metadata section, copy Client ID, Client Secret, and Issuer.
- In the Relying Party section, enable Allow PKCE only authentication, set Access Token Lifetime to 60 minutes, and add “https://app.action1.com/sso/login”, “https://app.eu.action1.com/sso/login” and “https://app.au.action1.com/sso/login” to Sign-In Redirect URLs.
- In the OIDC response section, configure the following claims to be included in the token:
  - Enable Profile and add the following attribute-claim pairs:
    - <First Name> and given_name
    - <Last Name> and family_name
  - Enable Email and add the following attribute-claim pairs:
    - <Email Address> and email
- Save configuration.
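After a test login, the claim mapping above can be checked against the ID token that Duo issues. The following is an added example, not Action1 or Duo code: it decodes the token payload for inspection only (no signature verification) and checks `iss`, `aud` and the three claims configured above. The issuer, client ID, e-mail address and sample token are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json

# Claim names and redirect URLs taken from the configuration steps above.
REQUIRED_CLAIMS = ("given_name", "family_name", "email")
ALLOWED_REDIRECTS = {
    "https://app.action1.com/sso/login",
    "https://app.eu.action1.com/sso/login",
    "https://app.au.action1.com/sso/login",
}


def decode_payload(id_token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_token(id_token, issuer, client_id):
    """Return a list of problems; an empty list means the token matches."""
    claims = decode_payload(id_token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the configured Issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])  # aud may be str or list
    if client_id not in aud:
        problems.append("aud does not contain the Client ID")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append("missing or empty claim: " + name)
    return problems


def make_sample(claims):
    """Build an unsigned, constructed token (placeholder data) for the demo."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed"])


if __name__ == "__main__":
    ISSUER, CLIENT_ID = "https://idp.example.invalid/oidc/PLACEHOLDER", "PLACEHOLDER"
    token = make_sample({"iss": ISSUER, "aud": CLIENT_ID, "email": "a@example.invalid"})
    print(check_token(token, ISSUER, CLIENT_ID))  # given_name / family_name missing
    print("https://app.action1.com/sso/login/" in ALLOWED_REDIRECTS)  # exact match only
```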
Enabling SSO with Duo
When you sign up for Action1, you have to create the initial Action1 credentials (without SSO) and then invite the existing accounts from your organization’s Duo. After creating the initial Action1 credentials while signing up, follow the steps below to enable Duo SSO:
- Log in to Action1 using your initial Action1 credentials (do not click Duo during login).
- Navigate to the Advanced page and select Identity Provider.
- Specify Duo as the identity provider. Keep the scope set to Enterprise. With this setting changed, all new users will use Duo.
- Enter Client ID, Client Secret, and Issuer URI of your Duo application (see the previous steps).
NOTE: We recommend keeping the initial non-SSO Action1 credentials for emergency recovery purposes, in case you lose access to Duo. Store these credentials securely, as they have Enterprise Admin access by default.
Inviting Users to SSO with Duo
Note: Make sure these users already exist in Duo. If not, proceed to Duo to create users.
- Navigate to the Users page.
- Invite users – they will receive a login link by email.
Migrating Existing Users to Duo SSO
Note: Make sure these users already exist in Duo. If not, proceed to Duo to create users.
Important: For the next steps, do not remove your last enterprise admin account; create a secondary enterprise admin or elevate another user to the enterprise admin role first. Failure to do so could lead to admin account access being lost. The next steps delete user accounts in order to switch to Duo, so users will be unable to access Action1 until their user account migration is complete.
- Navigate to the Users page.
- Find the user account you want to switch to Duo and select Delete. Alternatively, set the user’s email to a non-existent address such as “[email protected]”. You might be unable to remove users that have roles assigned, so make sure to revoke their roles first.
- Invite the user to Action1 again by sending a new invite.