This article describes how to enable Single Sign-On (SSO) using a SAML 2.0 connection with Duo-hosted SSO.


From the Duo Applications tab, choose Protect an Application.

Filter by the keywords Generic Service Provider and look for “2FA with SSO hosted by Duo (Single Sign-On)”. Press the Protect button on the right-hand side.

  • NOTE: These instructions are for the “hosted by Duo” option. If you use Duo Access Gateway, the steps are similar, but the configuration may differ.

STEP 1. You will need to send the information from the Metadata and Downloads section to your account representative at Worksphere.

The Worksphere team will use this information to set up the SAML connection within Worksphere so that it is ready for use. (Setting up the SAML connection in Worksphere is not self-service.)

  • Copy the Single Sign-On URL from Duo.
  • Press Download certificate, and then, next to SAML Metadata, press Download XML.

Send the URL, certificate file, and XML metadata file to your Worksphere account representative. Also include the Entity ID and ACS URL from Step 2 below.

STEP 2. Enter the settings below in the Service Provider section. Replace YOUR-COMPANY with your company name (only A-Z and hyphens allowed) in lowercase. For example, “Acme Incorporated” becomes acme-incorporated.

STEP 3. Under the SAML Response section, choose the following settings:

  • NameID format:

  • NameID attribute:
< Email Address >

  • Signature algorithm:

  • Signing Options:
Check both options: “Sign response” and “Sign assertion”

  • Map attributes:
    Set up the following mappings:

 The section should look like this:

  • Create attributes:
    Add the following attribute:

Name | Value

  • Role attributes can be left blank, and leave Universal Prompt set to default settings.

STEP 4. Under Settings, set Name to Worksphere.

  • The other Policy and Settings configuration options in Duo can be set however you would like for your organization.

Press Save at the bottom of the form.

Next Steps

The Worksphere team will let you know once the connection has been set up and is ready for testing.

  • It is recommended to enable the app only for accounts that will be used in testing the SAML connection.

Only after the connection has been tested end-to-end should it be enabled for other users or groups.
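
During the end-to-end test, the Step 3 signing options can be confirmed from a captured login; the Python sketch below is an added example (not Worksphere or Duo code) that decodes the base64 SAMLResponse form value and reports whether both the Response and the Assertion carry a Signature element. It checks structure only and does not validate the signatures against the downloaded certificate. The function names, the sample message, and its placeholder algorithm and NameID format values are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_saml_response(b64_response):
    """Report which parts of a base64 SAMLResponse form value carry a signature."""
    xml_bytes = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD found; a SAML message should never contain one")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one unencrypted Assertion")
    assertion = assertions[0]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    methods = {el.get("Algorithm") for el in root.iter("{%s}SignatureMethod" % NS["ds"])}
    return {
        # Direct children only: a Signature nested elsewhere does not count.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "signature_methods": sorted(methods),
        "name_id": None if name_id is None else name_id.text,
        "name_id_format": None if name_id is None else name_id.get("Format"),
    }

# Constructed sample (not a real Duo response); all values are placeholders.
_SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        '<ds:SignatureMethod Algorithm="urn:example:placeholder-alg"/></ds:SignedInfo>'
        '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')

def make_sample(sign_response=True, sign_assertion=True):
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
           + (_SIG if sign_response else "")
           + '<saml:Assertion>' + (_SIG if sign_assertion else "")
           + '<saml:Subject><saml:NameID Format="urn:example:placeholder-format">'
           'user@example.com</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(inspect_saml_response(make_sample(sign_assertion=False)))
```

A result with either `response_signed` or `assertion_signed` set to False means the corresponding Step 3 signing option is not in effect for that login.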