Sunday, June 30, 2019

Setting up ConnectWise Manage with Duo Access Gateway via SAML

This will give you all the details on how to set up ConnectWise Manage with Duo Access Gateway via SAML. I could not find any documentation for the pairing of these two products, so there was a little bit of trial and error.


Pre-Requisites

  • A Duo Access Gateway (DAG) server already set up and ready to go.
  • A Duo account with Duo MFA or higher licensing (the free version does not support this).
  • Admin accounts in both CW:M and Duo (duh).

Recommendations/Caveats

  • The moment you save the SSO configuration in CW:M, it removes all settings for LDAP authentication and the existing Google Authenticator 2FA. The CW documentation says it disables them, but no, it rips them out.
  • I recommend you sync your training database and do the setup there first. That way you can work through it on a live system without touching production, and you avoid the problem described above.
  • I am not going to train you on how to use the various products; this is just about the integration. I expect you already know how to create applications in Duo and add them to the Access Gateway.
  • This example is for the training database in CW:M, so all URLs etc. will reference that. The placeholder CW:M URL I will be using is manage.company.com, and the DAG URL will be dag.company.com.

Duo Setup

  1. Log into the Duo Admin Panel and create a new Application of type SAML - Service Provider
  2. Enter the following settings:
    • Service Provider Name: ConnectWise Manage - Training
    • Entity ID: https://manage.company.com/v4_6_release/auth/training/metadata
    • Assertion Consumer Service: https://manage.company.com/v4_6_release/auth/training/Acs
    • Service Provider Login URL: https://manage.company.com
    • NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • NameID attribute: userPrincipalName (this can also be mail; just make sure it is an attribute in email-address format that your DAG is pulling in from your identity source)
    • All other settings: default
  3. Click Save Configuration
  4. Scroll down and set the name of the Application (I recommend setting it to the same thing: ConnectWise Manage - Training)
  5. Save and then click the link at the top to download the configuration file
  6. Head over to your DAG admin panel and upload the downloaded JSON file
  7. Download the certificate from the DAG admin panel; you will upload it into CW:M in the next section

CW:M Setup

  1. Navigate to System > Authentication (or Setup Tables > SSO Configuration)
  2. Set the following options:
    • Description: Duo Access Gateway (this can be whatever you want)
    • SSO Type: SAML
    • Login URL: copy and paste SSO URL from the DAG Admin
    • Identity Provider ID: copy and paste Entity ID from the DAG Admin
    • Identity Provider Certificate: upload the certificate you downloaded from the DAG Admin
    • Locations: check the box for the locations that this SSO applies to. In most cases it will just be All.
  3. Save and you're ready to test
  4. Use a different (incognito/private) browser window to test so you don't get locked out of the session you used to configure it.
  5. Upon login it will redirect you to the SSO login. It also handles user enrollment here, so if this is a brand new org it is a good way to force your users to enroll.
  6. Once you're done and tested, repeat the process for your production database. Replace training in the URLs with your company ID. Create a separate Duo Application for production, so SSO keeps working in both live and training.
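To take the guesswork out of the test in step 4 and the URL substitution in step 6, here is an added example (not part of the original post, and not Duo's or ConnectWise's tooling) that decodes the SAMLRequest a Service Provider sends in the HTTP-Redirect login hop and compares its Issuer, AssertionConsumerServiceURL and NameIDPolicy format against the values entered in the Duo application above. It also derives the expected Entity ID and ACS URL from the CW:M host and company ID, following the URL pattern used in this post. The DAG SSO URL, the company ID mycompany and the sample AuthnRequest are constructed placeholders; in practice, paste the redirect URL CW:M sends (the Location of the 302, visible in the browser's developer tools) into check_authn_request.

```python
"""Check the SAML AuthnRequest a SP sends against the SP settings entered in Duo.

Hypothetical helper written for this post; not code from Duo or ConnectWise.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def expected_sp_settings(manage_host, company_id):
    """Entity ID and ACS URL for one CW:M database, following the URL pattern in
    the post: company_id is "training" for the training database, or your
    company ID for production."""
    base = f"https://{manage_host}/v4_6_release/auth/{company_id}"
    return {"entity_id": f"{base}/metadata", "acs_url": f"{base}/Acs"}


def decode_redirect_saml_request(location):
    """Decode the SAMLRequest query parameter of an HTTP-Redirect binding URL.
    Per the SAML 2.0 bindings spec the value is base64(DEFLATE(xml)) using raw
    DEFLATE with no zlib header, which is what wbits=-15 selects."""
    query = parse_qs(urlparse(location).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15))


def check_authn_request(location, expected):
    """Compare the AuthnRequest in the redirect with the Duo SP configuration.
    Returns a list of mismatch descriptions; an empty list means it lines up."""
    req = decode_redirect_saml_request(location)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"unexpected root element {req.tag}"]
    problems = []
    issuer = req.findtext(f"{{{SAML}}}Issuer")
    if issuer != expected["entity_id"]:
        problems.append(f"Issuer {issuer} does not match Entity ID {expected['entity_id']}")
    acs = req.get("AssertionConsumerServiceURL")
    if acs != expected["acs_url"]:
        problems.append(f"AssertionConsumerServiceURL {acs} does not match ACS {expected['acs_url']}")
    policy = req.find(f"{{{SAMLP}}}NameIDPolicy")
    fmt = policy.get("Format") if policy is not None else None
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameIDPolicy Format {fmt} is not {EMAIL_FORMAT}")
    return problems


def build_sample_redirect(sso_url, issuer, acs_url, name_id_format=EMAIL_FORMAT):
    """Constructed sample for offline testing: encode an AuthnRequest the way an
    SP using the HTTP-Redirect binding would. Not captured from CW:M."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_example" Version="2.0" IssueInstant="2019-06-30T12:00:00Z" '
        f'Destination="{sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{name_id_format}" AllowCreate="true"/>'
        f"</samlp:AuthnRequest>"
    )
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE
    deflated = compressor.compress(xml.encode()) + compressor.flush()
    return f"{sso_url}?{urlencode({'SAMLRequest': base64.b64encode(deflated).decode()})}"


if __name__ == "__main__":
    # Placeholder: copy the real SSO URL from the DAG admin panel.
    dag_sso_url = "https://dag.company.com/sso"
    training = expected_sp_settings("manage.company.com", "training")
    good = build_sample_redirect(dag_sso_url, training["entity_id"], training["acs_url"])
    print(check_authn_request(good, training) or "training redirect matches the Duo SP settings")

    # Production database (company ID "mycompany" is a placeholder) still pointed
    # at the training Duo application: both SP values are off.
    prod = expected_sp_settings("manage.company.com", "mycompany")
    bad = build_sample_redirect(dag_sso_url, prod["entity_id"], prod["acs_url"])
    for problem in check_authn_request(bad, training):
        print("MISMATCH:", problem)
```

This only checks the SP half of the pairing. The IdP half (Login URL, Identity Provider ID and certificate in CW:M) still has to be copied from the DAG admin page by hand; if those are wrong, the redirect will look correct here and the failure shows up on the DAG or at the ACS instead.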