Cisco DUO SSO

How to enable Single-Sign-On (SSO) with Cisco DUO and OpenID Connect

To enable Single Sign-On (SSO) with Cisco DUO, you will need to configure Crewmojo using the generic OpenID Connect integration, and Cisco DUO using the "Generic OIDC Relying Party - Single Sign-On" application.

This guide assumes you already have a configured Cisco DUO account with an Authentication Source for Single Sign-On and users to test with.

The users from Cisco DUO must have accounts in Crewmojo. This is usually synced from your HRIS or Payroll system. Please ensure this is set up before turning on SSO.

Cisco DUO Set Up

In the admin portal for DUO, navigate to Applications > Protect an Application. Find "Generic OIDC Relying Party" in the list and click "Protect".

If you don't see "Protect", it is because your DUO authentication source is not properly configured.

The Metadata section is generated by DUO. You will need this later for the Crewmojo side of the set up.

Relying Party settings

Relying Party is set up as follows:

Sign-In Redirect URLs

For Sign-In Redirect URLs, specify the following:

OIDC Response settings

You need to edit the scopes of the OIDC response as follows

Settings section

Set the Name to 'Crewmojo'.

Don't forget to save your changes.

Crewmojo Set Up

Back in the Crewmojo application, ensure you have Admin permissions and navigate to the Company Settings > Integrations tab.

Under the OpenID section, fill in the data from the Metadata provided in the Cisco DUO settings as per the above section. You will need to supply:

  • Client ID

  • Client Secret

  • Issuer URL

  • Authorization URL

  • Token URL

  • JWKS URL

After you have supplied all the fields, click 'Enable OIDC'.

Once this step is completed, set the SSO method at the top of the page to OpenID Connect.
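A mistyped endpoint is the most common reason an OIDC login fails after setup, so it is worth checking the four URL fields before enabling the integration. The script below is an added example, not part of Crewmojo or DUO. It assumes your DUO application publishes a standard OpenID Connect discovery document, and it uses a constructed sample document with placeholder host and paths in place of real DUO values.

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document (OpenID Connect Discovery 1.0 shape).
# The host and paths are placeholders, not real DUO values.
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://sso.example.invalid/oidc/PLACEHOLDER",
  "authorization_endpoint": "https://sso.example.invalid/oidc/PLACEHOLDER/authorize",
  "token_endpoint": "https://sso.example.invalid/oidc/PLACEHOLDER/token",
  "jwks_uri": "https://sso.example.invalid/oidc/PLACEHOLDER/jwks"
}
""")

# Crewmojo form label -> standard discovery key.
FIELD_TO_KEY = {
    "Issuer URL": "issuer",
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "JWKS URL": "jwks_uri",
}


def check_oidc_fields(entered, discovery):
    """Return a list of problems; an empty list means the fields are consistent."""
    problems = []
    for label, key in FIELD_TO_KEY.items():
        value = entered.get(label, "")
        if not value or value != value.strip():
            problems.append(f"{label}: empty or padded with whitespace")
            continue
        if urlsplit(value).scheme != "https":
            problems.append(f"{label}: must use https")
        # Exact string comparison: the issuer in particular is matched
        # character for character during ID token validation, so a stray
        # trailing slash is enough to break sign-in.
        if value != discovery.get(key):
            problems.append(f"{label}: does not match discovery '{key}'")
    return problems


if __name__ == "__main__":
    entered = {label: SAMPLE_DISCOVERY[key] for label, key in FIELD_TO_KEY.items()}
    entered["Issuer URL"] += "/"  # constructed copy/paste slip
    for problem in check_oidc_fields(entered, SAMPLE_DISCOVERY):
        print(problem)
```

To use it against your own tenant, replace `SAMPLE_DISCOVERY` with the JSON from your DUO application's discovery document and `entered` with the values you typed into Crewmojo.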
