# Duo

This tutorial will explain configuring Duo for single sign-on to Pritunl. Users will authenticate through Duo when downloading VPN profiles and before each VPN connection. Although Duo can be used independently for best security it should be used in combination with another single sign-on provider. If Duo is used in combination with another provider the user will need to authenticate with Duo when downloading VPN profiles and before each VPN connection. VPN re-connections will not require a Duo authentication, this can be changed with the [**Two-Step Authentication Cache**](https://docs.pritunl.com/kb/vpn/users/two-step-authentication) settings.

### Create Pritunl App on Duo

In the Duo admin interface select *Applications* then click *Protect an Application* and search for *OpenVPN*. Then click *Protect this Application*. Once the the application has been created set the *Name* to `Pritunl` and set *Username normalization* to *Simple*. Then click *Save Changes*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FWjxEx3TUHufw11X0Ai9q%2Fduo0.png?alt=media\&token=c16d2700-3f90-4987-be74-fc399c459277)

### Configure Pritunl

Once the Duo app has been configured open the *Pritunl* settings and set *Single Sign-On* to *Duo* or one the combinations including Duo. Then copy the *Integration key* to *Duo Integration Key*, *Secret key* to *Duo Secret Key* and *API hostname* to *Duo API Hostname*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FbhxZrgdU9uKZgYtQW0KM%2Fduo1.png?alt=media\&token=82082469-e940-4f67-ab07-6cceaf096e3e)

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FBEOmO1YCj2n4sL4kEMGC%2Fduo2.png?alt=media\&token=3f66a392-aba8-475b-8272-9ae805f86784)

### Select Duo Mode

Pritunl supports several Duo modes. The *Push* mode will send a push authentication request to the users mobile device. The *Phone Callback* mode will call the users phone and ask the user to approve the authentication request. The *Passcode* mode will require the user to enter the passcode from the Duo mobile app or a hardware token from Duo. The *Push + Phone Callback* mode will use a phone callback if the user does not have the Duo mobile app installed.