


Cisco Defense Orchestrator

Signing in to CDO

To log in to Cisco Defense Orchestrator (CDO), a customer needs an account with a SAML 2.0-compliant identity provider (IdP), a multi-factor authentication provider, and a user record in CDO. The IdP account contains the user's credentials, and the IdP authenticates the user based on those credentials. Multi-factor authentication provides an added layer of identity security. The CDO user record primarily contains the username, the CDO tenant with which the user is associated, and the user's role. When a user logs in, CDO tries to map the IdP's user ID to an existing user record on a tenant in CDO. When CDO finds a match, the user is logged in to that tenant.

Unless your enterprise has its own single sign-on identity provider, your identity provider is Cisco Secure Sign-On. Cisco Secure Sign-On uses Duo for multi-factor authentication. Customers can integrate their own IdP with CDO if they choose.

To log in to Cisco Defense Orchestrator (CDO), you must first create an account in Cisco Secure Sign-On, configure multi-factor authentication (MFA) using Duo Security, and have your tenant Super Admin create a CDO record.

On October 14, 2019, CDO converted all previously-existing tenants to use Cisco Secure Sign-On as their identity provider and Duo for MFA.  


  • If you sign in to CDO using your own single sign-on identity provider, the transition to Cisco Secure Sign-On and Duo did not affect you. You continue to use your own sign-on solution.
  • If you are in the middle of a free trial of CDO, this transition did affect you.  

If your CDO tenant was created on or after October 14, 2019, see Initial Login to Your New CDO Tenant.

If your CDO tenant existed before October 14, 2019, see Migrating to Cisco Secure Sign-On Identity Provider.