Objective
This guide explains how to configure SAML 2.0 Single Sign-On (SSO) between Cisco Duo and Comeen Play.
This setup allows you to:
Enable secure SSO via Cisco Duo
Restrict access based on SAML attributes
Prerequisites:
Before starting the configuration:
You have administrator access to Cisco Duo.
The users who will access Comeen Play already exist in Cisco Duo.
These users also exist in Comeen Play with the same email address.
Step 1 - Create the SAML application in Cisco Duo
Go to the Applications tab
Click Add application
Select Generic SAML Service Provider – Single Sign-On
Once the application is created, locate it in the list of applications and open it to access the SAML configuration page.
This page contains the Identity Provider metadata required for the Comeen Play configuration. Keep this page open and proceed to the next step in a new tab.
Step 2 - Configure the Identity Provider in Comeen Play
Go to Comeen Play → Settings
Click Authentication
In the SAML SSO section, enable Enable this authentication method.
Click Configure SAML
The SAML configuration window opens.
In Cisco Duo, open the Generic SAML Service Provider – Single Sign-On application.
Copy the following values from Cisco Duo and paste them into the Comeen Play SAML configuration form:
Step 3 - Configure the Service Provider information in Cisco Duo
In the Comeen Play SAML configuration window, copy the following values and paste them into the Service Provider section of the Cisco Duo application.
Once all the information have been entered, save the configuration in Cisco Duo and in Comeen Play
Map the correspondence between the names of attributes in Comeen and Cisco and save.
Step 4 - Test the SSO login
Open the Comeen Play login page.
Start the login process.
You are redirected to Cisco Duo.
Authenticate with your Cisco Duo credentials.
After authentication, you are redirected back to Comeen Play.
Step 5 (optional) - Automatic Role & Group Synchronization
Comeen Play can automatically assign roles and groups to users based on SAML attributes.
When this feature is enabled:
Users are automatically assigned roles based on SAML attributes.
Users are automatically added to groups based on SAML attributes.
To enable this feature:
Open the SAML configuration in Comeen Play.
Go to User Attribute Synchronization.
Enable Automatic role and group synchronization.
1- Group Mapping
Group mapping allows Comeen Play to automatically add users to groups based on attributes received from the Identity Provider.
To configure group mapping:
Go to the User Groups page in Comeen Play.
Edit the group you want to map.
Click Add Mapping.
Enter the attribute name that will be received from the Identity Provider.
Enter the attribute value required for the user to be added to the group.
If the SAML attribute city containsBordeaux, the user will automatically be added to the Bordeaux group in Comeen.
⚠ Attribute matching is case-sensitive.
In the configuration page of the Generic SAML Service Provider application, go to the Map attributes section.
Click +, and Enter the same attribute as configured in Comeen Play.
2- Role Mapping
Go to the Roles page in Comeen Play.
Edit the role you want to map.
Click Add Mapping.
Enter the attribute name that will be received from the Identity Provider.
Enter the attribute value required for the user to be added to the role.
