Cisco Defense Orchestrator (CDO) uses Cisco Secure Sign-On as its SAML single sign-on identity provider (IdP) and Duo Security for multi-factor authentication (MFA). This is CDO's preferred authentication method.
If, however, customers want to integrate their own SAML single sign-on IdP solution with CDO, they can, as long as their IdP supports SAML 2.0 and the identity provider-initiated workflow.
Based on how you access CDO, CDO needs to provide you with several pieces of information.
If you access CDO at https://defenseorchestrator.com, you need this information:
- The Assertion Consumer Service (ACS) URL: https://www.defenseorchestrator.com/saml/login
- CDO's entity ID: https://www.defenseorchestrator.com/saml/login
- The audience URL: www.defenseorchestrator.com
If you access CDO at https://defenseorchestrator.eu, you need this information:
You must meet these requirements and provide this information:
- Your SAML SSO identity provider service must support SAML 2.0.
- Your SAML SSO identity provider service must support identity provider-initiated flow.
- Provide CDO with your signing public certificate. This can be provided in the IdP metadata XML file.
- Provide CDO with your issuer URL. This can be provided in the IdP metadata XML file.
- The SAML NameID in the assertion should be mapped to the user's email address.
Integrate Customer SAML SSO with CDO
Contact Cisco Defense Orchestrator Support and provide the information in the prerequisites above. CDO support will work with you to verify the information you provided and test the SAML SSO login.
Note: Customers using their own SAML SSO solution with CDO will only be able to access CDO using their own SSO application portal. They will no longer be able to access CDO by navigating to https://www.defenseorchestrator.com.