SAML Authentication with Duo Security

Duo Security provides a great way of authenticating users for your self-hosted Humio installation.


Before configuring SAML authentication, a few things need to be in place:

  • Duo Access Gateway (DAG) installed and configured with at least one Authentication Source.
  • Familiarize yourself with Humio’s configuration.
  • Make sure you have one root account added, typically by adding your email address in the administration section of Humio’s Web UI.


  1. Open your DAG and take note of the following parameters from the Applications page:

    • SSO URL
    • Entity ID

    Save the certificate to a known location on your Humio host.

  2. Change the following configuration properties in Humio:

    • PUBLIC_URL (see the explanation in configuration properties)
    • SAML_IDP_SIGN_ON_URL to the value of “SSO URL” from the DAG
    • SAML_IDP_ENTITY_ID to the value of “Entity ID” from the DAG
    • SAML_IDP_CERTIFICATE with the location of your DAG certificate. If running the Docker image, please make sure you have mounted a certs volume by adding the following volume -v /certs:/certs:ro
  3. Restart Humio

  4. Read the output of http://$YOUR_HUMIO_URL:$PORT/api/v1/saml/metadata and take note of the following values:

    • md:EntityDescriptor#entityID, which should be a URL starting with your PUBLIC_URL followed by /api/v1/saml/metadata
    • md:AssertionConsumerService#Location, which should be a URL starting with your PUBLIC_URL followed by /api/v1/saml/acs
  5. Log into your Duo account and add a new “Generic SAML Service Provider”, where

    • “Entity ID” is the value of md:EntityDescriptor#entityID
    • “Assertion Consumer Service” is the value of md:AssertionConsumerService#Location
    • “NameID attribute” should be set to email
  6. Save the configuration file and upload it to your DAG.
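
A check for the values read in step 4 before they are entered in Duo in step 5, added here as an example (not Humio's or Duo's own code): it parses the metadata XML and compares both values against PUBLIC_URL. The sample XML and the hostname humio.example.com are constructed, and exact equality with PUBLIC_URL plus the path is this example's reading of step 4.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of a metadata response (not captured from a real Humio host).
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://humio.example.com/api/v1/saml/metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://humio.example.com/api/v1/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, public_url):
    """Extract the two values step 4 asks for and compare them to PUBLIC_URL."""
    base = public_url.rstrip("/")
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")

    entity_id = root.get("entityID")
    acs = root.find(".//md:AssertionConsumerService", MD_NS)
    acs_location = acs.get("Location") if acs is not None else None

    problems = []
    expected = {
        "entityID": (entity_id, base + "/api/v1/saml/metadata"),
        "ACS Location": (acs_location, base + "/api/v1/saml/acs"),
    }
    for name, (actual, wanted) in expected.items():
        if actual != wanted:
            problems.append("%s is %r, expected %r" % (name, actual, wanted))
    return {"entity_id": entity_id, "acs_location": acs_location,
            "problems": problems}


if __name__ == "__main__":
    result = check_sp_metadata(SAMPLE_METADATA, "https://humio.example.com")
    print("Entity ID:                  ", result["entity_id"])
    print("Assertion Consumer Service: ", result["acs_location"])
    for problem in result["problems"]:
        print("MISMATCH:", problem)
```

A mismatch means the URLs Humio advertises do not derive from the PUBLIC_URL you set in step 2, so correct that setting and restart before copying the values into Duo.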