# DUO SSO

{% hint style="success" %}
Please complete the steps in the [Admin Console Configuration](https://docs.keeper.io/en/sso-connect-cloud/admin-console-configuration) section first.
{% endhint %}

<figure><img src="https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FLkeweW4r5J3k67vI5aqJ%2FDUO%20SSO.jpg?alt=media&#x26;token=1bb0112a-e91b-41c6-b9ff-bfadb8402945" alt=""><figcaption></figcaption></figure>

### Duo Setup

These instructions assume Duo has already been enabled and configured with an authentication source (Active Directory or an IdP). To activate Duo SSO, open your Duo Admin Panel and go to the "Single Sign-On" section.

### Step 1: DUO SSO Configuration

Log in to the Duo Admin Panel and click **Protect an Application**. Search for Keeper, choose **Keeper Security** with type "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list, then click "Protect" (shown below as Configure).

![Protect Keeper Security SSO Type](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FT8FHi2ToVvWuD7SE0bal%2Fslack_KXcXPsH0TW.png?alt=media\&token=b4843492-8ca2-494d-8e6d-b70d118cfde5)

### Step 2: Metadata

The **Download** section provides the SAML metadata file, which you will upload into your Keeper SSO provisioning method.

![Download DUO Metadata file](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FnP5iZW2Wa5Y74Ffcb9Ot%2Fslack_ltejOPeni9.png?alt=media\&token=ba7dc140-93d1-4715-950b-393beca58c53)

Back on the Keeper Admin console, locate your DUO SSO Connect Cloud Provisioning method and select **Edit**.

![Edit DUO SSO Provisioning Method](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MGAp7etKFGrXmbB5zBP%2F-MGAv2zKx89VS_t-6ep9%2Fedit-gsso.png?alt=media\&token=2c3b53a5-d096-4ad2-8bd5-d34055e0719d)

Scroll down to the **Identity Provider** section, set IDP Type to **DUO SSO**, click **Browse Files** and select the DUO metadata file you downloaded earlier.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FOLaTkkcCPAyzUdIYy7uB%2Fchrome_DF3z32h1ua.png?alt=media\&token=c5a0f644-9f74-40d3-868a-52d7bc5c568b)
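Before uploading the downloaded metadata, it is worth confirming that the file actually contains what the Keeper service provider needs: an entity ID, at least one HTTPS single sign-on endpoint, a signing certificate, and no expired `validUntil`. The script below is an added example written for this guide, not Keeper or Duo code; the metadata document embedded in it is a constructed sample with placeholder URLs and a placeholder certificate, so point the script at the real file you downloaded from the Duo Admin Panel.

```python
"""Sanity-check an IdP SAML metadata file before uploading it to the SP.

Added example for this guide, not Keeper or Duo code. SAMPLE_METADATA is a
constructed document: the entity ID, endpoints and certificate are placeholders,
not real Duo values.
"""
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata; every value below is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata"
    validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderCertificateBase64==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Return the fields an SP needs from IdP metadata plus a list of problems."""
    root = ET.fromstring(xml_text)
    problems = []

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("entityID attribute missing")

    # Metadata may carry an expiry; an expired file is rejected or breaks later.
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry < datetime.now(timezone.utc):
            problems.append(f"metadata expired at {valid_until}")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no md:IDPSSODescriptor (this is not IdP metadata)")
        return {"entity_id": entity_id, "problems": problems}

    # SSO endpoints keyed by binding name; the SP needs at least one, over HTTPS.
    sso = {
        el.get("Binding", "").rsplit(":", 1)[-1]: el.get("Location")
        for el in idp.findall("md:SingleSignOnService", NS)
    }
    if not sso:
        problems.append("no md:SingleSignOnService endpoint")
    for binding, loc in sso.items():
        if not loc or not loc.startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {loc!r}")

    slo = [el.get("Location") for el in idp.findall("md:SingleLogoutService", NS)]

    # The signing certificate is what lets the SP verify assertions; without it
    # nothing the IdP sends can be trusted. KeyDescriptor without "use" counts
    # for both signing and encryption.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if c.text and c.text.strip():
                certs.append(c.text.strip())
    if not certs:
        problems.append("no X509Certificate in any signing KeyDescriptor")

    return {
        "entity_id": entity_id,
        "sso_endpoints": sso,
        "slo_endpoints": slo,
        "signing_cert_count": len(certs),
        "problems": problems,
    }


if __name__ == "__main__":
    # Usage: python check_metadata.py duo-metadata.xml  (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for key, value in inspect_idp_metadata(text).items():
        print(f"{key}: {value}")
```

An empty `problems` list means the file has the pieces the **Identity Provider** section expects; a missing certificate or an expired `validUntil` is worth fixing on the Duo side before the upload rather than debugging a failed login afterwards.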

Still within the Keeper Admin Console, exit **Edit View** and select **View** on your DUO SSO Connect Cloud Provisioning method. Within the **Service Provider** section you will find the metadata values for the **Entity ID, IDP Initiated Login Endpoint** and **Assertion Consumer Service (ACS) Endpoint**.

{% hint style="info" %}
**Single Logout Service (SLO) Endpoint** is optional.
{% endhint %}

![View DUO SSO Provisioning Method](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MOcCJCmHyWFpab7womz%2F-MOcD5pB_hwDW86t38Lv%2FDuoSSOview.PNG?alt=media\&token=1ed59884-7e1e-4f08-9d41-283d3032d5f2)

Return to the application page in your Duo Admin Panel and copy and paste the **Entity ID, Login Endpoint** and **ACS Endpoint** into the **Service Provider** section.

![Keeper Metadata Info](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MOcEBElzhp2HGNAoe1L%2F-MOcFFMQdhEa7sY9ituE%2FDuoSpMetadata.PNG?alt=media\&token=0f937752-f799-4496-be22-1bdd0cb076eb)

### Step 3: Map User Attributes

Within the **SAML Response** section, scroll down to **Map attributes** and map the following attributes.

{% hint style="info" %}
**Ensure that the three attributes ("First", "Last" and "Email") are configured with the exact spelling shown below.**
{% endhint %}

![User Attributes](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MOcFc6ZDLXAhJ4r-Oc5%2F-MOcI0InG4PnTSTDCk7E%2FDuoAttribMap.PNG?alt=media\&token=221fdb5a-18f0-40ac-8881-56f478fffa1d)
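When a login fails after this step, the usual cause is an attribute name that differs from `First`, `Last` or `Email` by case or spelling. The following added example, written for this guide and not Keeper or Duo code, decodes the attribute statement of a SAML response and reports exactly which required attribute is missing, misspelled or empty. The response embedded in it is a constructed, unsigned sample that deliberately sends `email` instead of `Email`; in practice, paste in the XML of a real `SAMLResponse` (Base64-decoded from the browser's developer tools). The check inspects attribute names only and does not replace the signature validation the service provider performs.

```python
"""Check the attribute names in a SAML response against what Keeper expects.

Added example for this guide, not Keeper or Duo code. SAMPLE_RESPONSE is a
constructed, unsigned assertion with a deliberate case mismatch ("email").
This script only inspects attribute names and values; it does not verify the
XML signature, which the SP does as part of normal processing.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names Keeper expects, spelled exactly as in Step 3.
REQUIRED_ATTRIBUTES = ("First", "Last", "Email")

# Constructed sample response; note the misspelled "email" attribute.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>https://idp.example.com/saml/metadata</saml2:Issuer>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="First">
        <saml2:AttributeValue>Ada</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Last">
        <saml2:AttributeValue>Lovelace</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="email">
        <saml2:AttributeValue>ada@example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""


def extract_attributes(xml_text: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement in the response."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name") or ""] = values
    return attrs


def check_attribute_mapping(attrs: dict) -> list:
    """List human-readable problems with the mapping; an empty list means it matches."""
    problems = []
    lower_names = {name.lower(): name for name in attrs}
    for required in REQUIRED_ATTRIBUTES:
        if required in attrs:
            if not any(v.strip() for v in attrs[required]):
                problems.append(f"{required} is present but empty")
            continue
        # Attribute names are compared exactly; a case-only mismatch is the
        # common configuration mistake, so call it out specifically.
        if required.lower() in lower_names:
            problems.append(
                f"{required} is sent as {lower_names[required.lower()]!r}: "
                "attribute names are case-sensitive")
        else:
            problems.append(f"{required} is missing from the assertion")
    return problems


if __name__ == "__main__":
    found = extract_attributes(SAMPLE_RESPONSE)
    print("attributes sent:", found)
    for problem in check_attribute_mapping(found) or ["mapping OK"]:
        print("-", problem)
```

Run against the sample, the script reports that `Email` is being sent as `'email'`, which is the exact-spelling problem the hint above warns about; fix the name in Duo's **Map attributes** table and re-test.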

### Step 4: Policy (optional)

The **Policy** section defines when and how users will authenticate when accessing this application. Your global policy always applies, but you can override its rules with custom policies.

![User or Group Policy](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MOcXSFW9_3EyGnNJGeX%2F-MOcY-ycrUAu7-lQCFEt%2FDuoPolicyh.PNG?alt=media\&token=cbcc7510-8d74-4f0c-8097-7187f2dd7274)

### Step 5: Global Policy

Within the **Global Policy** section, review, edit and verify any **Global Policy** together with your DUO and/or Keeper administrator.

{% hint style="success" %}
Success! Your **Keeper Security EPM - Single Sign-On** setup is now complete!
{% endhint %}

### Troubleshooting

If you need assistance implementing the **Keeper Security EPM - Single Sign-On** application within your DUO environment, please contact the Keeper support team.

### Moving Existing Users to Duo SSO

Users created in the root node (top level) in the Keeper Admin Console will need to be moved to the SSO node if you want them to log in with Duo. An admin cannot move themselves to the SSO-enabled node; another admin must perform this action.

After the user is moved to the SSO-enabled node, they can log in to the Keeper vault by simply typing their email address and clicking "Next". If this does not work, please ensure that your email domain (e.g. company.com) has been [reserved to your enterprise](https://docs.keeper.io/enterprise-guide/domain-reservation) and that Just-In-Time provisioning is enabled.

To onboard with the Enterprise Domain, the user can select the "Enterprise SSO" pull down and type in the Enterprise Domain configured in the Keeper Admin Console.

<figure><img src="https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FfFPNzWDvSwH48ebLJOeY%2FSSO_Login.png?alt=media&#x26;token=f7bc0249-986d-427d-9746-0e7873ff7840" alt=""><figcaption><p>Initially select 'Enterprise SSO Login'</p></figcaption></figure>

Once the user has authenticated with SSO for the first time, they only need to use their email address next time to initiate SSO authentication.

<figure><img src="https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FDrVwIHQiMQDtlxeJey0G%2Fvault_Login.PNG?alt=media&#x26;token=2e435451-c23e-41bd-91e2-8ec49a216c16" alt=""><figcaption></figcaption></figure>

If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and that your email domain is reserved by Keeper. More information regarding routing and domain reservation [can be found here](https://docs.keeper.io/enterprise-guide/domain-reservation).
