Shibboleth v4.1.2 and DuoOIDC
Michael Grady
mgrady at unicon.net
Sat Jun 5 19:53:33 UTC 2021
Is this an upgraded system from v3? If so, did you set the property to tell the IdP to search for and use all files that end in .properties, or did you add that new Duo OIDC properties file to the list of property files to be used at the start of idp.properties?
> On Jun 4, 2021, at 6:37 PM, Mark L. Boyce <Mark.Boyce at ucop.edu> wrote:
>
> Evening All,
>
> Either I'm missing something (likely) or there's something wrong:
>
> following the instructions at https://wiki.shibboleth.net/confluence/display/IDPPLUGINS/DuoOIDCAuthnConfiguration-QuickSetup and https://wiki.shibboleth.net/confluence/display/IDPPLUGINS/DuoOIDCAuthnConfiguration#duo-oidc-username-determination I've installed the DuoOIDC plugin and enabled the module. I've added the appropriate entries into the duo-oidc properties file and created the new Web SDK in Duo. Edited MFA to replace my 2nd factor authn/Duo with authn/DuoOIDC. All appears as I believe it should. When I attempt to authenticate, however, I receive the following in the IdP Warn/Process logs:
>
> 2021-06-04 16:00:31,234 - WARN [net.shibboleth.ext.spring.context.FilesystemGenericWebApplicationContext:?] - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.authn.DuoOIDC.DuoIntegration' defined in URL [jar:file:/apps/apache-tomcat-9.0.34/webapps/idp/WEB-INF/lib/idp-plugin-duo-impl-1.1.0.jar!/META-INF/net/shibboleth/idp/flows/authn/DuoOIDC/duo-oidc-authn-beans.xml]: Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: API host, clientId, secret key,token endpoint, health check endpoint, authorization endpoint, and one of redirectURI or allowed redirect URI origins must be set
> 2021-06-04 16:00:31,234 - ERROR [org.springframework.webflow.execution.FlowExecutionException:91] -
> org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'CallSubflow' of flow 'authn/MFA'
> at org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
> Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.authn.DuoOIDC.DuoIntegration' defined in URL [jar:file:/apps/apache-tomcat-9.0.34/webapps/idp/WEB-INF/lib/idp-plugin-duo-impl-1.1.0.jar!/META-INF/net/shibboleth/idp/flows/authn/DuoOIDC/duo-oidc-authn-beans.xml]: Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: API host, clientId, secret key,token endpoint, health check endpoint, authorization endpoint, and one of redirectURI or allowed redirect URI origins must be set
> at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1786)
> Caused by: net.shibboleth.utilities.java.support.component.ComponentInitializationException: API host, clientId, secret key,token endpoint, health check endpoint, authorization endpoint, and one of redirectURI or allowed redirect URI origins must be set
> at net.shibboleth.idp.plugin.authn.duo.DefaultDuoOIDCIntegration.doInitialize(DefaultDuoOIDCIntegration.java:286)
>
> Any thoughts would be appreciated.
>
> Thanks,
>
> m.
>
> --
> University of California, Office Of The President
>
> Information Technology Services
> Senior Identity Management Analyst
> Phone: 510.987.9681
> <="">
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
--
Michael A. Grady
IAM Architect, Unicon, Inc.
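
The check suggested in the reply above, as an added example that is not part of the original message or of the Shibboleth project: it reads the text of idp.properties and reports whether the IdP would load a given properties file, either through `idp.searchForProperties` or through the `idp.additionalProperties` list. The path `/conf/authn/duo-oidc.properties` and the sample file contents are assumptions constructed for illustration.

```python
# Added example: would this idp.properties cause the IdP to load a given file?
# Assumes '='-separated keys, as in the stock IdP property files.

def parse_properties(text):
    """Parse Java-style properties: comments, key=value, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#!":  # blank line or comment
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def is_loaded(idp_properties_text, path):
    """Return (loaded, reason); path is relative to idp.home, e.g. /conf/x.properties."""
    props = parse_properties(idp_properties_text)
    search = props.get("idp.searchForProperties", "false").lower() == "true"
    # The automatic search only picks up *.properties files under conf/.
    if search and path.startswith("/conf/") and path.endswith(".properties"):
        return True, "found by idp.searchForProperties=true"
    listed = [p.strip() for p in props.get("idp.additionalProperties", "").split(",")]
    if path in listed:
        return True, "listed in idp.additionalProperties"
    return False, "not listed in idp.additionalProperties and not auto-discovered"

# Constructed sample: an idp.properties carried over from a v3 install, where
# the file list is explicit and predates the Duo OIDC plugin.
UPGRADED_V3 = """\
# Load any additional property resources from a comma-delimited list
idp.additionalProperties=/conf/ldap.properties, /conf/saml-nameid.properties, \\
    /conf/services.properties, /conf/authn/duo.properties
"""
DUO_OIDC = "/conf/authn/duo-oidc.properties"  # assumed location of the plugin's file

if __name__ == "__main__":
    print(is_loaded(UPGRADED_V3, DUO_OIDC))
```

A `False` result matches the symptom in the quoted log: the plugin's bean is created with none of its properties resolved, so initialization fails even though the values are present in the file.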