Shib with DUO MFA

Hall, Gerry gerry.hall at
Fri May 31 15:22:19 EDT 2019

Based on a previous email that indicated that ‘idp.authn.flows.initial’ is no longer valid, I have removed the 'idp.authn.flows.initial = Password' from  However in testing, I now remember why I added it in the first place.

The problem I have now is that if I go to a Shibboleth protected resource that also uses DUO without first going to a Shibboleth protected resource that is not using DUO, I get an error (see errors below).  I believe that this is because I (1.) do not have a pre-existing session nor do I (2.) have a previously executed login flow.  To get around this, I use the 'idp.authn.flows.initial = Password' setting.

Obviously if 'idp.authn.flows.initial' is no longer valid, there has to be a way to satisfy one of the pre-existing conditions for DUO.  How can I force one of the above requirements to be satisfied when I go directly to a Shibboleth and DUO protected resource that is using the DUO authn context?

Here is what I use in shibboleth2.xml file to trigger the DUO MFA context (and I agree that the context string was not the best of choices):

            <SSO entityID=""   authnContextClassRef=""
                        forceAuthn="true" >
                                    SAML2 SAML1


On the IdP, in general-authn.xml, I have this:

<bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"

            The list below should be changed to reflect whatever locally- or
            community-defined values are appropriate to represent MFA. It is
            strongly advised that the value not be specific to Duo or any
            particular technology.

            <property name="supportedPrincipals">
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="" />
                    <bean parent="shibboleth.SAML1AuthenticationMethod"
                        c:method="" />




<bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"

            <property name="supportedPrincipals">
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="" />
                    <bean parent="shibboleth.SAML1AuthenticationMethod"
                        c:method="" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
                    <bean parent="shibboleth.SAML1AuthenticationMethod"
                        c:method="urn:oasis:names:tc:SAML:1.0:am:password" />




(error from IdP logs)

2019-05-31 07:48:25,000 - - ERROR [net.shibboleth.idp.authn.duo:-2] - DuoWebException
org.springframework.expression.ExpressionInvocationTargetException: A problem occurred when trying to execute method 'generateSignedRequestToken' on object of type [java.lang.Class]
            at org.springframework.expression.spel.ast.MethodReference.throwSimpleExceptionIfPossible(
Caused by: com.duosecurity.duoweb.DuoWebException: ERR|The username passed to sign_request() is invalid.
            at net.shibboleth.idp.authn.duo.impl.DuoSupport.generateSignedRequestToken(
2019-05-31 07:48:25,008 - - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: AuthenticationException
2019-05-31 07:48:25,104

(browser error message)


The system encountered an error at Fri May 31 08:01:08 2019

To report this problem, please contact the site administrator at root at localhost.

Please include the following message in any email:

opensaml::FatalProfileException at (

SAML response reported an IdP error.

Error from identity provider:

    Status: urn:oasis:names:tc:SAML:2.0:status:Requester

    Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

    Message: An error occurred.
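
Added example, not part of the original post and not Shibboleth or Duo code: a simplified Python model of Duo Web v2-style request signing, showing why the second factor needs a username from an earlier session or login flow and fails with the logged error when there is none. The token layout, the class `DuoWebError`, the helper `try_duo` and the placeholder keys are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Error string exactly as it appears in the IdP log quoted in this message.
ERR_USER = "ERR|The username passed to sign_request() is invalid."


class DuoWebError(Exception):
    """Hypothetical stand-in for the DuoWebException seen in the stack trace."""


def _sign_vals(key, prefix, username, ikey, expire):
    # cookie = PREFIX|base64(username|ikey|expiry), followed by an HMAC of it
    vals = "|".join([username, ikey, str(expire)])
    cookie = prefix + "|" + base64.b64encode(vals.encode()).decode()
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return cookie + "|" + sig


def sign_request(ikey, skey, akey, username, now=None):
    """Build a signed request for a user that an earlier step has identified."""
    # The username is bound into the signed token, so a request that reaches
    # this point with no established principal has nothing to sign.
    if not username or "|" in username:
        raise DuoWebError(ERR_USER)
    now = int(time.time()) if now is None else now
    duo_sig = _sign_vals(skey, "TX", username, ikey, now + 300)
    app_sig = _sign_vals(akey, "APP", username, ikey, now + 3600)
    return duo_sig + ":" + app_sig


def try_duo(previous_principal):
    """Model the login path: Duo signs whatever principal exists so far."""
    # Constructed placeholder keys, not real Duo credentials.
    ikey, skey, akey = "DI" + "X" * 18, "s" * 40, "a" * 40
    try:
        return sign_request(ikey, skey, akey, previous_principal, now=1559303305)
    except DuoWebError as exc:
        return str(exc)


if __name__ == "__main__":
    print(try_duo("jdoe"))  # a prior session or Password flow set the username
    print(try_duo(""))      # request went straight to Duo with no principal
```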

