About Migrating to Cisco Secure Sign-On and Duo Multi-Factor Authentication
On October 14, 2019, Cisco Defense Orchestrator (CDO) converted all tenants to Cisco Secure Sign-On as their identity provider and Duo for multi-factor authentication (MFA). To log into CDO, you must rst activate your account in Cisco Secure Sign-On and configure MFA using Duo.
CDO requires MFA which provides an added layer of security in protecting your user identity. Two-factor authentication, a type of MFA, requires two components, or factors, to ensure the identity of the user logging into CDO. The rst factor is a username and password, and the second is a one-time password (OTP), which is generated on demand.
- If you sign in to CDO using your own single sign-on identity provider, this transition to Cisco Secure Sign-On and Duo does not affect you. You continue to use your own sign-on solution.
- If you are in the middle of a free trial of CDO, this transition does apply to you.
- If your CDO tenant was created on or after October 14, 2019, see Initial Login to Your New CDO Tenant for log in instructions instead of this article.
Before you Migrate
Install DUO Security. We recommend installing the Duo Security app on a mobile phone. Review Duo Guide to Two Factor Authentication: Enrollment Guide if you have questions about installing Duo.
Time Synchronization. You are going to use your mobile device to generate a one-time password. It is important that your device clock is synchronized with real time as the OTP is time-based. Make sure your device clock set automatically or manually set it to the correct time.
Create a New Cisco Secure Sign-On Account and Configure Duo Multi-factor Authentication
The initial sign-on workow is a four-step process. You need to complete all four steps.
- Sign Up for a New Cisco Secure Sign-On Account
- Browse to https://sign-on.security.cisco.com.
- Your old username and password won't work. At the bottom of the Sign In screen, click Sign up.
- Fill in the fields of the Create Account dialog and click Register.
Here are some tips:
- Email-Enter the email address that you will eventually use to log in to CDO.
- Organization-Add a name to represent your company.
- After you click Register, Cisco sends you a verification email to the address you registered with. Open the email and click Activate Account.
2. Set up Multi-factor Authentication Using Duo
- In the Set up multi-factor authentication screen, click Configure.
- Click Start setup and follow the prompts to choose a device and verify the pairing of that device with your account.
For more information, see Duo Guide to Two Factor Authentication: Enrollment Guide. If you already have the Duo app on your device, you'll receive an activation code for this account. Duo supports multiple accounts on one device.
- At the end of the wizard click Continue to Login.
- Log in to Cisco Secure Sign-On with the two-factor authentication.
3. (Optional) Setup Google Authenticator as a an additional authenticator.
- Choose the mobile device you are pairing with Google Authenticator and click Next.
- Follow the prompts in the setup wizard to setup Google Authenticator.
4. Configure Account Recovery Options for your Cisco Secure Sign-On Account
- Choose a "forgot password" question and answer.
- Choose a recovery phone number for resetting your account using SMS.
- Choose a security image.
- Click Create My Account. You now see the Cisco Security Sign-On dashboard with the CDO app tiles. You may also see other app tiles.
Tip: You can drag the tiles around on the dashboard to order them as you like, create tabs to group tiles, and rename tabs.
Launch CDO from the Cisco Secure Sign-On Dashboard
- Click the appropriate CDO button on the Cisco Secure Sign-on dashboard. The CDO tile directs you to https://defenseorchestrator.com, the CDO (EU) tile directs you to https://defenseorchestrator.eu, and the CDO (APJC) tile directs you to https://www.apj.cdo.cisco.com/.
- Click the authenticator logo to choose Duo Security or Google Authenticator, if you have set up both authenticators.
- If you already have a user record on an existing tenant, you are logged into that tenant.
- If you already have a user record on several tenants, you will be able to choose which CDO tenant to connect to.
- If you do not already have a user record on an existing tenant, you will be able to learn more about CDO or request a trial account.
Manage Super Admins on Your Tenant
It is a best practice to limit the number of Super Admins on your tenant. Determine which users should have Super Admin privileges, review User Management, and change the roles of other users to "Admin."
Troubleshooting Login Failures after Migration
If you can't log in or you can't reach CDO, try one of these troubleshooting tips.
Login to CDO Fails Because of Incorrect Username or Password
If you try to log in to CDO and you know you are using the correct username and password and your login is failing, or you try "forgot password" and nothing seems to be working, you may have tried to login without creating a new Cisco Secure Sign-On account. You need to sign up for a new Cisco Secure Sign-On account.
Login to the Cisco Secure Sign-On Dashboard Succeeds but You Can't Launch CDO
You may have created a Cisco Secure Sign-On account with a different username than your CDO account. Contact the Cisco Technical Assistance Center (TAC) to standardize your user information between CDO and Cisco Secure Sign-On.
Login Fails Using a Saved Bookmark
You may be attempting to log in using an old bookmark you saved in your browser. The bookmark could be pointing to https://cdo.onelogin.com.
Log in to https://sign-on.security.cisco.com.
- If you have not yet created a a Cisco Secure Sign-On account, create an account.
- If you have created your new account, click the CDO tile on the dashboard that corresponds to Cisco Defense Orchestrator (US), Cisco Defense Orchestrator (EU), or Cisco Defense Orchestrator (APJC)
- Update your bookmark to point to https://sign-on-security.cisco.com.
Login Fails Because You are Inadvertently Logging in to the Wrong CDO Region
Make sure you are logging into the appropriate CDO region. After you log into https://sign-on.security.cisco.com, you will be given a choice of what region to access. Click the CDO tile to access defenseorchestrator.com or CDO (EU) to access defenseorchestrator.eu.