
Signing up with Cisco Duo (OIDC)

Cisco Duo SSO can act as a generic OpenID Connect (OIDC) identity provider for XplicitTrust. This page describes how to create the OIDC application in Duo, expose the XplicitTrust Administrators and XplicitTrust Users groups through a claim, and sign up.

Prerequisites

  • A Cisco Duo SSO instance with administrator access.
  • An Active Directory authentication source synced to Duo SSO (required so group membership is available in the token).
  • Two directory groups: XplicitTrust Administrators and XplicitTrust Users. Assign your users accordingly.

Configure Cisco Duo

Step 1: Create a Generic OIDC Relying Party

In the Duo Admin Panel, go to Applications and add a Generic OIDC Relying Party (cloud application).

On the General tab configure:

  • Sign-In Redirect URLs:
    https://api.xplicittrust.com:443/v1.0/auth/callback/oidc
  • Grant Types: enable Authorization Code.
  • PKCE: leave optional (not required).

Step 2: Note the Metadata

Open the Metadata tab and keep the following at hand for the signup step:

  • Client ID
  • Client Secret
  • Issuer (for example https://sso-abc1def2.sso.duosecurity.com/oidc/DIABC123678901234567). This is the OIDC Base URL; its discovery document is at <Issuer>/.well-known/openid-configuration.

Step 3: Map the Groups Claim

XplicitTrust reads roles and group membership from the groups claim of the ID token. On the Scopes tab, map your Active Directory groups attribute to a custom claim named groups.

Use a claim transformation to reduce the LDAP group names to the XplicitTrust groups. Either of the following works, depending on which attribute your directory exposes:

    use "groups" | format_ad_groups | filter="XplicitTrust"
    use "memberOf" | format_ad_groups | filter="XplicitTrust"

  • format_ad_groups strips each group's LDAP distinguished name down to its bare group name (the CN value).
  • filter="XplicitTrust" keeps only the groups whose name contains XplicitTrust, so the claim carries XplicitTrust Administrators and/or XplicitTrust Users.

Group name matching

XplicitTrust matches the group names exactly: membership in XplicitTrust Administrators grants the admin role and XplicitTrust Users grants the user role. If you omit format_ad_groups, Duo sends the full distinguished name (CN=XplicitTrust Administrators,OU=...,DC=...); XplicitTrust still matches on the CN value, but using format_ad_groups keeps the claim clean. See OpenID Connect for the supported group claim formats.
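As an added illustration (not code from Duo or XplicitTrust), the following Python models the documented behaviour of format_ad_groups, filter="XplicitTrust" and XplicitTrust's exact group-name matching, so you can check in advance which roles a given groups claim would yield, including a claim sent as full distinguished names or as a single string. The CN-extraction regex, the function names and the sample claims are my own assumptions.

```python
import re
from typing import Iterable

# Role mapping as documented on this page: exact group names, not substrings.
ROLE_BY_GROUP = {
    "XplicitTrust Administrators": "admin",
    "XplicitTrust Users": "user",
}

# First RDN of a distinguished name, e.g. "CN=XplicitTrust Users,OU=...".
# A value may contain "\," (RFC 4514 escaped comma), which must not end it.
_CN_RE = re.compile(r"^\s*CN=((?:\\.|[^,\\])*)", re.IGNORECASE)


def format_ad_group(value: str) -> str:
    """Model of format_ad_groups: reduce a DN to its bare CN; bare names pass through."""
    m = _CN_RE.match(value)
    if not m:
        return value.strip()
    # Remove RFC 4514 backslash escapes such as "\," or "\=".
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip()


def filter_groups(groups: Iterable[str], needle: str = "XplicitTrust") -> list:
    """Model of filter="XplicitTrust": keep only names containing the substring."""
    return [g for g in groups if needle in g]


def roles_from_groups_claim(groups_claim) -> set:
    """Derive XplicitTrust roles from an ID token's groups claim.

    Accepts a list or a single string (a scalar is common when a user is in
    one group), tolerates full DNs, and ignores any group that is not one of
    the two documented names, even if it merely contains "XplicitTrust".
    """
    if groups_claim is None:
        return set()
    if isinstance(groups_claim, str):
        groups_claim = [groups_claim]
    names = filter_groups(format_ad_group(g) for g in groups_claim)
    return {ROLE_BY_GROUP[n] for n in names if n in ROLE_BY_GROUP}


if __name__ == "__main__":
    # Constructed sample claim, not real token contents.
    claim = ["CN=XplicitTrust Administrators,OU=Groups,DC=example,DC=com",
             "CN=Domain Users,OU=Groups,DC=example,DC=com"]
    print(roles_from_groups_claim(claim))
```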

Sign Up

  1. Visit the OIDC signup page: https://console.xplicittrust.com/#/signup/oidc
  2. Fill in the Client ID, Client Secret, and Issuer (Base URL) from the Duo Metadata tab.
  3. Click Signup and follow the Cisco Duo login process.
  4. You are now signed in to the XplicitTrust Admin Console: https://console.xplicittrust.com/