How to configure Duo SAML SSO

Duo SAML SSO features

  • Identity Provider Initiated Login

  • Service Provider Initiated Login

NOTE: Just-in-Time (JIT) user creation is not supported. You can provision users via SCIM on Calendly’s Enterprise plan.

Before you begin

Note

If you are on our Teams plan and would like to add single sign-on (SSO) features to your Calendly account, you can do so from your billing page. The SSO add-on costs $3 per user, per month. 

  • SSO is included on a Calendly enterprise plan.

  • To configure SAML SSO, you must be a Calendly owner or admin.

  • You must use the same email address in Calendly and Duo.

  • During setup, you’ll switch between Calendly and Duo. It’s best to keep each platform open in a separate browser window.

How to configure Duo SAML SSO

Step 1 - Go to the Calendly single sign-on configuration page

  1. In Calendly, go to Account, Organization Settings, then Single sign-on.


Step 2 - Add Duo details to Calendly

  1. In a separate window, open Duo and go to Applications.

  2. Select Protect an Application.

  3. Search for Generic Service Provider. For the row that has Single Sign-On in the Protection Type, select Protect.

  4. In Duo, copy Entity ID. Paste it into Entity ID in Calendly under Step 1: Enter your identity provider information.

  5. In Duo, copy Single Sign-On URL and paste into Identity provider's SAML HTTP Request URL in Calendly.

  6. In Duo, select Download certificate. In Calendly, upload the downloaded certificate by selecting Upload certificate.

  7. In Calendly, set Session duration to the appropriate value for your organization’s security policies.

  8. In Calendly, select Save & continue.

Duo                      Calendly
Entity ID             →  Entity ID
Single Sign-On URL    →  Identity provider's SAML HTTP Request URL
Download certificate  →  Upload certificate


Step 3 - Add Calendly details to Duo

  1. In Calendly under Step 2: Enable SSO for yourself, copy Audience URL and paste into Entity ID in Duo.

  2. In Calendly, copy ACS URL and paste into Assertion Consumer Service in Duo.

  3. In Calendly, copy Default Relay State into Default Relay State in Duo.

Calendly                 Duo
Audience URL          →  Entity ID
ACS URL               →  Assertion Consumer Service
Default Relay State   →  Default Relay State


Step 4 - Update attributes and settings in Duo

  1. In Duo, ensure NameID format is set to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

  2. Ensure NameID attribute is set to <Email Address>.

  3. Ensure Signature algorithm is set to SHA256.

  4. For Signing options, ensure both Sign response and Sign assertion are checked.

  5. Under Map attributes, configure the following:

    1. <Email Address> → email

    2. <First Name> → firstName

    3. <Last Name> → lastName

  6. Under Settings, update Name to Calendly.

  7. In Permitted groups, select the group you wish to have access to Calendly. You can also return here after testing the SAML connection.

  8. Select Save.

Step 5 - Test the SAML connection

In Calendly under Step 2: Enable SSO for yourself, select Test connection. You will be redirected to the Identity Provider and then back to Calendly.


  • If successful, you’ll receive a success notification at the top of the page in Calendly.

  • If unsuccessful, you will land on an error page in Okta or receive an error notification in Calendly. Check your SAML setup, then try testing the connection again.
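If the test fails, the fastest way to narrow it down is to look at the SAML Response Duo actually sent and compare it with the Step 4 settings. The following Python check is an added example, not Calendly's or Duo's code: it takes the Base64-decoded SAMLResponse from your own test login and lists which Step 4 settings (NameID format, SHA256 signatures on both response and assertion, the Audience URL from Step 3, the email/firstName/lastName attribute map) it does not meet. The audience URL, email address and sample response are constructed placeholders; the check inspects structure only and does not verify the XML signatures.

```python
import xml.etree.ElementTree as ET

# Namespaces and identifiers from the SAML 2.0 and XML-DSig specifications.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
REQUIRED_ATTRS = {"email", "firstName", "lastName"}  # the Step 4 attribute map


def check_saml_response(xml_text, expected_audience):
    """Return the Step 4 settings the response does not meet (empty list = all match).
    Structural check only: the XML signatures themselves are not verified here."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain Assertion element (encrypted assertions are not handled here)"]
    # Signing options: both "Sign response" and "Sign assertion", algorithm SHA256.
    for label, node in (("Response", root), ("Assertion", assertion)):
        method = node.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None:
            problems.append(f"{label} is not signed")
        elif method.get("Algorithm") != RSA_SHA256:
            problems.append(f"{label} signature algorithm is not SHA256: {method.get('Algorithm')}")
    # NameID format must be emailAddress (the value is the user's Calendly email).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    # Audience must be the Audience URL copied from Calendly in Step 3.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not include {expected_audience}")
    # Mapped attributes: email, firstName and lastName must all be present.
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if REQUIRED_ATTRS - present:
        problems.append(f"missing mapped attributes: {sorted(REQUIRED_ATTRS - present)}")
    return problems


# Constructed sample response with placeholder values (not a real Duo or Calendly value).
AUDIENCE = "https://example.invalid/calendly-audience-url"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
 <saml:Assertion>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email"/><saml:Attribute Name="firstName"/><saml:Attribute Name="lastName"/></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
```

Run `check_saml_response(decoded_xml, your_audience_url)` on your own captured response; each string it returns names the Duo setting to revisit in Step 4.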

Step 6 - Enforce Duo SSO for your organization

When you enforce SAML SSO, all users will be logged out of their accounts. When they next log in to Calendly, they will be required to use Duo. 

  1. In Duo, assign all Calendly users the app.

  2. In Calendly, select Enforce SAML SSO for my organization, then Apply.


Once SSO is enforced, all users will be logged out and need to use SAML SSO to log into Calendly. Only the organization owner can log in using their fallback (original) login method by selecting Log in using another method on the login page.