Skip to main content

Integrate Kisi with Duo by Cisco


This is a Kisi-built integration, maintained and supported by Kisi.

With Duo's multi-factor authentication, signing into Kisi can be tailored to your organization’s security needs and requirements. Duo verifies user identities and establishes device trust before granting access, ensuring that only authorized users with trusted devices can log in to Kisi.


  • a Kisi organization owner account
  • a valid and activated SSO license
  • an authentication source on Duo, e.g. Active Directory or SAML Identity Provider

Before setting up the integration, ensure you are logged in as the Kisi organization owner and have a valid, activated SSO license. If these prerequisites are met and the SSO & SCIM option is still not visible on the dashboard, please reach out to Kisi Support for assistance.

Set up the integration in Duo

  1. Sign in to the Duo Admin portal
  2. Click on Single Sign-On and set up an authentication source if you haven’t already (Active Directory or SAML Identity Provider)
  3. Navigate to Applications and click Protect an Application
  4. Search for Generic SAML Service Provider and click Protect
  5. Copy the Metadata URL in the Metadata section and save it because you will need it in an upcoming step.
  6. Under the Service Provider section, fill out the following fields:
    • Entity ID :
    • Assertion Consumer Service (ACS) URL:<your-kisi-domain>. You can find your Kisi organization domain under Settings > General
  7. Under the SAML Response section, navigate to Map attributes, and map the IdP attributes to the following SAML Response Attributes:
    • <Email Address>: Email
    • <First Name>: FirstName
    • <Last Name>: LastName
  8. Under Settings, enter a name for your integration, e.g.:
    • Name: Kisi
  9. Click Save

Set up the integration in Kisi​

  1. Sign in to Kisi as the organization owner
  2. Navigate to Settings and click on SSO & SCIM
  3. Click on Change SSO Settings
  4. Paste the IdP Metadata URL that you obtained above in the Metadata URL field. You can find the Metadata URL in Duo under your Kisi/Generic SAML Service Provider > Metadata
  5. Click Save

Before testing the SSO setup, make sure that relevant users and groups in Duo by Cisco are assigned to the Kisi app.

Flexible authentication: SSO or password

Kisi organizations with Single Sign-On (SSO) enabled can, if needed, also enable authentication with password for users. If enabled, the user will be able to log in with email and password. If the user is in the organizations' IdP directory, an SSO login will also be available.

User removal impact on event logs

If you're utilizing a Single Sign-On (SSO) platform and an employee is removed, upon reviewing the Event history, the logs related to that user will continue displaying the user's name, even though they've been removed from the system.