# Duo

This tutorial explains how to configure Duo for single sign-on to Pritunl. Users will authenticate through Duo when downloading VPN profiles and before each VPN connection. Although Duo can be used independently, for best security it should be used in combination with another single sign-on provider. If Duo is used in combination with another provider, the user will need to authenticate with Duo when downloading VPN profiles and before each VPN connection. VPN re-connections will not require a Duo authentication; this can be changed with the [**Two-Step Authentication Cache**](/kb/vpn/users/two-step-authentication.md) settings.

### Create Pritunl App on Duo

In the Duo admin interface, select *Applications*, then click *Protect an Application* and search for *OpenVPN*. Then click *Protect this Application*. Once the application has been created, set the *Name* to `Pritunl` and set *Username normalization* to *Simple*. Then click *Save Changes*.

![](/files/VO6jz27BomWqplh9VEkO)

### Configure Pritunl

Once the Duo app has been configured, open the *Pritunl* settings and set *Single Sign-On* to *Duo* or one of the combinations including Duo. Then copy the *Integration key* to *Duo Integration Key*, the *Secret key* to *Duo Secret Key* and the *API hostname* to *Duo API Hostname*.

![](/files/hSHHCZ2hEgBGdrdDams9)

![](/files/Wbj8w1tTkitfbIaEAxzj)

### Select Duo Mode

Pritunl supports several Duo modes. The *Push* mode will send a push authentication request to the user's mobile device. The *Phone Callback* mode will call the user's phone and ask the user to approve the authentication request. The *Passcode* mode will require the user to enter the passcode from the Duo mobile app or a hardware token from Duo. The *Push + Phone Callback* mode will use a phone callback if the user does not have the Duo mobile app installed.


