How to configure Duo SAML SSO
Duo SAML SSO features
- Identity Provider Initiated Login
- Service Provider Initiated Login
NOTE: Just-in-Time (JIT) user creation is not supported. You can provision users via SCIM on Calendly’s Enterprise plan.
Before you begin
- SSO is included on a Calendly enterprise plan.
- To configure SAML SSO, you must be a Calendly owner or admin.
- You must use the same email address in Calendly and Duo.
- During setup, you’ll switch between Calendly and Duo. It’s best to keep each platform open in a separate browser window.
Configure Duo SAML SSO
Go to the Calendly single sign-on configuration page
- In Calendly, go to Account, Organization Settings, then Single sign-on.
Add Duo details to Calendly
- In a separate window, open Duo and go to Applications.
- Select Protect an Application.
- Search for Generic SAML Service Provider. For the row that has Single Sign-On in the Protection Type, select Protect.
- In Duo, copy Entity ID. Paste it into Entity ID in Calendly under Step 1: Enter your identity provider information.
- In Duo, copy Single Sign-On URL and paste into Identity provider's SAML HTTP Request URL in Calendly.
- In Duo, select Download certificate. In Calendly, upload the downloaded certificate by selecting Upload certificate.
- In Calendly, set Session duration to the appropriate value for your organization’s security policies.
- In Calendly, select Save & continue.
Duo | Calendly |
Entity ID → | Entity ID |
Single Sign-On URL → | Identity provider's SAML HTTP Request URL |
Download certificate → | Upload certificate |
Add Calendly details to Duo
- In Calendly under Step 2: Enable SSO for yourself, copy Audience URL and paste into Entity ID in Duo.
- In Calendly, copy ACS URL and paste into Assertion Consumer Service in Duo.
- In Calendly, copy Default Relay State into Default Relay State in Duo.
Calendly | Duo |
Audience URL → | Entity ID |
ACS URL → | Assertion Consumer Service |
Default Relay State → | Default Relay State |
Update attributes and settings in Duo
- In Duo, ensure NameID format is set to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
- Ensure NameID attribute is set to <Email Address>.
- Ensure Signature algorithm is set to SHA256.
- For Signing options, ensure both Sign response and Sign assertion are checked.
- Under Map attributes, configure the following:
- <Email Address> → email
- <First Name> → firstName
- <Last Name> → lastName
- Under Settings, update Name to Calendly.
- In Permitted groups, select the group you wish to have access to Calendly. You can also return here after testing the SAML connection.
- Select Save.
Test the SAML connection
In Calendly under Step 2: Enable SSO for yourself, select Test connection. You will be redirected to the Identity Provider and then back to Calendly.
- If successful, you’ll receive a success notification at the top of the page in Calendly.
- If unsuccessful, you will land on an error page in Okta or receive an error notification in Calendly. Check your SAML setup, then try test the connection again.
Enforce Duo SSO for your organization
When you enforce SAML SSO, all users will be logged out of their accounts. When they next log in to Calendly, they will be required to use Duo.
- In Duo, assign all Calendly users the app.
- In Calendly, select Enforce SAML SSO for my organization, then Apply.
Once SSO is enforced, all users will be logged out and need to use SAML SSO to log into Calendly. Only the organization owner can log in using their fallback (original) login method by selecting Log in using another method on the login page.