SSO: Setting up DUO with WorkTango

  • Updated


To use DUO to log in to WorkTango, you will need the following components:

If users will be accessing mobile app, please ensure that configuration allows access to SSO connections outside of the company’s network.


1. Create a cloud app within Duo

2. Log in to the Duo Admin Panel and click Applications on the left navigation, and then click Protect an Application.

Alternately, you can choose the “Add New -> Application” on the right hand side of the Dashboard view.

DUO gif.gif

Locate SAML - Service Provider in the list of applications, and then click the Protect this Application link.

You’ll be taken to a page that looks like this:

Enter the following information about the app in the Service Provider section:





Service Provider Name

The name of the service provider.

Required WorkTango

Entity ID

The service provider identifier.



Assertion Consumer Service

The URL where your service provider receives SAML assertions.



Single Logout URL

The URL where your service provider receives SAML logout assertions.



Service Provider Login URL

Enter the URL for IdP-initiated logins if your service provider specifies one.



Default Relay State

If your service provider requires a specific RelayState parameter, enter it here.



* (subdomain) = assigned WorkTango subdomain


Complete the SAML Response section and click the Save Configuration button:



Required / Optional

NameID format

Format of NameID when sent to the service provider.


NameID attribute

The authentication source attribute used to identify the user to WorkTango. This attribute is sent as the NameID. This is often a user’s e-mail address (“mail” or “email”). See the list below for the names of common attributes from Duo Access Gateway authentication sources.


Send attributes

By default Duo Access Gateway sends only the NameID IdP attribute to a service provider. Mapping or creating any additional attributes will also cause Duo Access Gateway to send all attributes.


Signature Algorithm

Defaults to SHA-256. Leave as SHA-256


Sign response

Leave this option enabled for the Duo Access Gateway to sign the SAML response. Uncheck the box if the response should not be signed.

Choice required

Sign assertion

Leave this option enabled for the DAG to sign the SAML assertion. Uncheck the box if the assertion should not be signed.

Choice required

Map attributes

If needed, specific names for the attributes sent by the DAG identity provider, you can map the authentication source attributes to the required names here. Enter the attribute name from your authentication source on the left, and the new attribute name on the right. See the list below for the names of common attributes.





mail or email


mail or email

First name


Last name


From here, DUO asks for specific authentication policies. These policies can be chosen from a list or created from the setup screen. Please consult your DUO subject matter expert or technical contact to ensure the correct policies are applied.

Once the above configuration has been completed, please follow the instructions given by DUO on how to add the application to your Duo Access Gateway found here.

Next the metadata for this application will need to be provided to the Customer Success Launch team member that is assigned to your company. Instructions on locating this information can be found here.

*The documentation provided above is only applicable to the WorkTango Recognition & Rewards platform and does not apply to our Surveys & Insights solution.

Related to

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request



Article is closed for comments.