Identity Provider

Duo Security Integration

Enable your users to sign in to your Shopify store with Duo Security's enterprise-grade multi-factor authentication and SAML SSO.

15 min setup
SAML 2.0 + MFA

Prerequisites

  • Duo Security admin access (Owner or Administrator)
  • Duo Access, Duo Beyond, or Duo MFA edition
  • SecurePie Professional or Enterprise plan
  • Your SecurePie Organization ID

Setup Instructions

1

Access Duo Admin Panel

Log in to the Duo Admin Panel to configure a new SAML application.

  1. 1.Navigate to admin.duosecurity.com
  2. 2.Sign in with your Duo admin credentials
  3. 3.Complete MFA if prompted
  4. 4.Go to Applications in the left sidebar
2

Create Generic SAML Application

Add a new Generic Service Provider application for SecurePie.

  1. 1.Click "Protect an Application"
  2. 2.Search for "Generic Service Provider"
  3. 3.Click "Protect" next to "Generic Service Provider (Single Sign-On)"
  4. 4.The application will be created and you'll see the configuration page
3

Configure Service Provider Settings

Enter the SecurePie SAML configuration in Duo.

  1. 1.Scroll down to "Service Provider" section
  2. 2.Enter the Entity ID (SP Entity ID)
  3. 3.Enter the Assertion Consumer Service (ACS) URL
  4. 4.Set NameID format to "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  5. 5.Set NameID attribute to "mail"
Configuration
// Service Provider Settings
{
  "Entity ID": "https://securepie.com/saml/your-org-id",
  "Assertion Consumer Service": "https://securepie.com/saml/acs/your-org-id",
  "NameID format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "NameID attribute": "mail"
}
4

Configure SAML Response

Set up the SAML response settings and attribute mapping.

  1. 1.In the "SAML Response" section, keep defaults or adjust signing
  2. 2.Scroll to "Map attributes" section
  3. 3.Add the required attribute mappings for SecurePie
Configuration
// SAML Attribute Mapping
IdP Attribute       →    SAML Response Attribute
─────────────────────────────────────────────────
mail                →    email
givenName           →    firstName
sn                  →    lastName

// Optional attributes
memberOf            →    groups
department          →    department
5

Configure Authentication Policy

Set up the authentication policy for SecurePie access.

  1. 1.Scroll to "Policy" section
  2. 2.Select or create an authentication policy
  3. 3.Configure MFA requirements (recommended: "Require MFA")
  4. 4.Set user access restrictions if needed
6

Download Metadata

Export the Duo SAML metadata for SecurePie configuration.

  1. 1.Scroll to top of the application page
  2. 2.Find "Downloads" section
  3. 3.Download the "IdP Metadata" XML file
  4. 4.Note the SSO URL and Entity ID if needed
  5. 5.Click "Save" to save the Duo application
7

Configure User Source

Ensure Duo has access to user information from your directory.

  1. 1.Go to Users → Directory Sync (if using AD/LDAP)
  2. 2.Or ensure users exist in Duo directly
  3. 3.Verify user email addresses match expected values
  4. 4.Users must be enrolled in Duo for MFA
8

Configure SecurePie

Upload the Duo metadata to SecurePie to complete the integration.

  1. 1.Log in to your SecurePie dashboard
  2. 2.Go to Settings → Identity Providers
  3. 3.Click "Add Provider" → "Duo Security"
  4. 4.Upload the IdP metadata XML file
  5. 5.Click "Save" and test the connection

Duo MFA Methods

Duo supports multiple second-factor authentication methods. Users can authenticate using any method allowed by your policy.

Push Notifications

  • • Duo Mobile push (recommended)
  • • One-tap approval on mobile
  • • Biometric verification option

Other Methods

  • • TOTP codes (Duo Mobile)
  • • SMS passcodes
  • • Phone callback
  • • Hardware tokens (YubiKey)

Common Issues

User not enrolled in Duo

Users must be enrolled in Duo before they can authenticate. Send enrollment emails from the Duo Admin Panel under Users → Send Enrollment Email.

SAML assertion failed validation

Check that the Entity ID and ACS URL in Duo match exactly what SecurePie expects. URLs are case-sensitive and must include the correct protocol (https).

User denied by policy

Review your Duo authentication policy. Users may be denied if they're accessing from a restricted location, using an untrusted device, or failing other policy checks.

Email attribute not found

Ensure the "mail" attribute is mapped correctly and that users have email addresses configured in your directory source (AD, LDAP, or Duo directly).

Need Help?

Our support team can help you configure Duo Security, including advanced features like device trust, risk-based authentication, and custom policies.

Contact SupportAll Integrations