Shibboleth v4.1.2 and DuoOIDC

Mark L. Boyce Mark.Boyce at ucop.edu
Sun Jun 6 02:46:45 UTC 2021


You're correct... I'd omitted adding the properties files... progress, 
but now I'm seeing:

ERROR 
[net.shibboleth.idp.plugin.authn.duo.impl.HealthCheckDuoOIDCAuthAPI:80] 
- Profile Action HealthCheckDuoOIDCAuthAPI: Duo 2FA health check failed, 
current status 'FAIL', message 'invalid_client', message detail 'Failed 
to verify signature.'
2021-06-05 19:41:26,083 - ERROR 
[net.shibboleth.idp.plugin.authn.duo.impl.HealthCheckDuoOIDCAuthAPI:97] 
- Profile Action HealthCheckDuoOIDCAuthAPI: Duo API health check failed
net.shibboleth.idp.plugin.authn.duo.DuoClientException: Duo 2FA health 
check responded with a failure status of: invalid_client

On 6/5/21 2:53 PM, Michael Grady wrote:
> Is this an upgraded system from v3? If so, did you set the property to 
> tell the IdP to search for and use all files that end in .properties, 
> or did you add that new Duo OIDC properties file to the list of 
> property files to be used at the start of idp.properties?
>
>> On Jun 4, 2021, at 6:37 PM, Mark L. Boyce <Mark.Boyce at ucop.edu 
>> <mailto:Mark.Boyce at ucop.edu>> wrote:
>>
>> Evening All,
>>
>> Either I'm missing something (likely) or there's something wrong:
>>
>> following the instructions at 
>> https://wiki.shibboleth.net/confluence/display/IDPPLUGINS/DuoOIDCAuthnConfiguration-QuickSetup 
>> and 
>> https://wiki.shibboleth.net/confluence/display/IDPPLUGINS/DuoOIDCAuthnConfiguration#duo-oidc-username-determination 
>> I've installed the DuoOIDC plugin and enabled the module. I've added 
>> the appropriate entries into the duo-oidc properties file and created 
>> the new Web SDK in Duo. Edited MFA to replace my 2nd factor authn/Duo 
>> with authn/DuoOIDC. All appears as I believe it should. When I 
>> attempt to authenticate, however, I receive the following in the IdP 
>> Warn/Process logs:
>>
>> 2021-06-04 16:00:31,234 - WARN 
>> [net.shibboleth.ext.spring.context.FilesystemGenericWebApplicationContext:?] 
>> - Exception encountered during context initialization - cancelling 
>> refresh attempt: 
>> org.springframework.beans.factory.BeanCreationException: Error 
>> creating bean with name 'shibboleth.authn.DuoOIDC.DuoIntegration' 
>> defined in URL 
>> [jar:file:/apps/apache-tomcat-9.0.34/webapps/idp/WEB-INF/lib/idp-plugin-duo-impl-1.1.0.jar!/META-INF/net/shibboleth/idp/flows/authn/DuoOIDC/duo-oidc-authn-beans.xml]: 
>> Invocation of init method failed; nested exception is 
>> net.shibboleth.utilities.java.support.component.ComponentInitializationException: 
>> API host, clientId, secret key,token endpoint, health check endpoint, 
>> authorization endpoint, and one of redirectURI or allowed redirect 
>> URI origins must be set
>> 2021-06-04 16:00:31,234 - ERROR 
>> [org.springframework.webflow.execution.FlowExecutionException:91] -
>> org.springframework.webflow.execution.FlowExecutionException: 
>> Exception thrown in state 'CallSubflow' of flow 'authn/MFA'
>>         at 
>> org.springframework.webflow.engine.impl.FlowExecutionImpl.wrap(FlowExecutionImpl.java:573)
>> Caused by: org.springframework.beans.factory.BeanCreationException: 
>> Error creating bean with name 
>> 'shibboleth.authn.DuoOIDC.DuoIntegration' defined in URL 
>> [jar:file:/apps/apache-tomcat-9.0.34/webapps/idp/WEB-INF/lib/idp-plugin-duo-impl-1.1.0.jar!/META-INF/net/shibboleth/idp/flows/authn/DuoOIDC/duo-oidc-authn-beans.xml]: 
>> Invocation of init method failed; nested exception is 
>> net.shibboleth.utilities.java.support.component.ComponentInitializationException: 
>> API host, clientId, secret key,token endpoint, health check endpoint, 
>> authorization endpoint, and one of redirectURI or allowed redirect 
>> URI origins must be set
>>         at 
>> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1786)
>> Caused by: 
>> net.shibboleth.utilities.java.support.component.ComponentInitializationException: 
>> API host, clientId, secret key,token endpoint, health check endpoint, 
>> authorization endpoint, and one of redirectURI or allowed redirect 
>> URI origins must be set
>>         at 
>> net.shibboleth.idp.plugin.authn.duo.DefaultDuoOIDCIntegration.doInitialize(DefaultDuoOIDCIntegration.java:286)
>>
>> Any thoughts would be appreciated.
>>
>> Thanks,
>>
>> m.
>>
>> -- 
>>
>> University of California, Office Of The President
>>
>> Information Technology Services
>> Senior Identity Management Analyst
>> Phone: 510.987.9681
>
> --
> Michael A. Grady
> IAM Architect, Unicon, Inc.
>
>
>
>
-- 

University of California, Office Of The President

Information Technology Services
Senior Identity Management Analyst
Phone: 510.987.9681
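An added example, not part of the thread and not Shibboleth's own code: a Python check for the situation discussed above, where an upgraded IdP's idp.properties either lists the Duo OIDC properties file explicitly or relies on the search-for-properties setting. The file location `/conf/authn/duo-oidc.properties`, the `idp.duo.oidc.*` key names, the scope of `idp.searchForProperties` (taken here as `*.properties` under `conf/`) and all sample file contents are assumptions constructed for illustration.

```python
# Added illustration; file contents below are constructed samples.
TARGET = "/conf/authn/duo-oidc.properties"   # assumed plugin file location
REQUIRED = ("idp.duo.oidc.apiHost", "idp.duo.oidc.clientId",
            "idp.duo.oidc.secretKey")        # assumed key names

def parse_properties(text):
    """Minimal Java .properties parser: comments, '='/':' separators, '\\' continuations."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue                          # blank line or comment
        if line.endswith("\\"):
            logical += line[:-1]              # value continues on the next line
            continue
        logical += line
        sep = min((i for i in (logical.find("="), logical.find(":")) if i >= 0), default=-1)
        if sep > 0:
            props[logical[:sep].strip()] = logical[sep + 1:].strip()
        logical = ""
    return props

def duo_config_report(idp_properties, files, target=TARGET, required=REQUIRED):
    """files maps paths relative to idp.home to their text."""
    idp = parse_properties(idp_properties)
    # Files named explicitly at the start of idp.properties.
    loaded = {p.strip() for p in idp.get("idp.additionalProperties", "").split(",") if p.strip()}
    # Files picked up by the search option (assumed: *.properties under conf/).
    if idp.get("idp.searchForProperties", "false").lower() == "true":
        loaded |= {p for p in files if p.startswith("/conf/") and p.endswith(".properties")}
    merged = dict(idp)
    for path in sorted(loaded):
        merged.update(parse_properties(files.get(path, "")))
    return {"target_loaded": target in loaded,
            "missing": [k for k in required if not merged.get(k)]}

FILES = {  # constructed sample files with placeholder values
    TARGET: "idp.duo.oidc.apiHost = api-XXXXXXXX.duosecurity.example\n"
            "idp.duo.oidc.clientId = PLACEHOLDER_CLIENT_ID\n",
    "/credentials/secrets.properties": "idp.duo.oidc.secretKey = PLACEHOLDER_SECRET\n",
}
V3_STYLE = ("idp.additionalProperties = /conf/ldap.properties, \\\n"
            "    /conf/services.properties, /credentials/secrets.properties\n")
LISTED = V3_STYLE.rstrip("\n") + ", " + TARGET + "\n"
SEARCH = V3_STYLE + "idp.searchForProperties = true\n"

if __name__ == "__main__":
    for name, text in (("v3-style", V3_STYLE), ("listed", LISTED), ("search", SEARCH)):
        print(name, duo_config_report(text, FILES))
```

The check only covers whether the settings are loaded and non-empty; it does not validate the client ID or secret against Duo.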