Help with setting up Duo Admin Panel and Shibboleth

Melvin Lasky melvin.lasky at manhattan.edu
Fri Jan 28 00:16:07 UTC 2022 

Yeah, so I have a ticket open with them, but I’m not sure how far I’ll get.

All they said was this: 

"I understand you're encountering the error outlined here,  which is basically either the SAML assertion was encrypted when your IdP doesn't support encrypted assertions, or the IdP didn't sign both the assertion and the response.

Since you have mentioned you tried to unencrypted assertions, would you please check if the Shibboleth is signing both the assertion and the response?”

——

I have nothing in relying-party.xml for Duo.

I have this in my Duo metadata: 

 <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol”>

So that looks good I guess?

In the Duo Panel I have 

Encrypt Assertions: Require encrypted assertions

Request signing: Do not sign messages from Duo

------------

The Certificate for signing is in the Duo Metadata file. I double checked that looks right.

My attribute filter is this:

<AttributeFilterPolicy id="releaseForDuo" >
  <PolicyRequirementRule xsi:type="RequesterRegex" regex="https:\/\/admin-ourduonumber\.duosecurity\.com\/.*" />
        <AttributeRule attributeID="mail" permitAny="true" />
</AttributeFilterPolicy>

(Ourduonumber is the weird number they add to the end of admin-)

——

I’m really not sure what else to try.

Thanks again for all your help and replies. 

Appreciate it.
Melvin Lasky
Associate Director of Enterprise Architecture
Riverdale, NY 10471
Phone: 718-862-7410
melvin.lasky at manhattan.edu
www.manhattan.edu


> On Jan 27, 2022, at 7:07 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> 
> On 1/27/22, 7:02 PM, "Melvin Lasky" <melvin.lasky at manhattan.edu> wrote:
> 
>>   Ok yeah, so I do have the WantAssertionsSigned in the metadata from Duo. It came like that. 
>>   So I’m really at a loss as to what I’m supposed to do here :-(
> 
> You can do some log or browser tracing just to verify that it's doing what it should be, but unless they actually require encryption (I don't recall, just that we are doing it), there has to be something else wrong. Either they have logs saying what that is or I don't see what you can really do other than a whole lot of trial and error.
> 
> I'm passing email address in standard fashion, so I presume it must have settings there controlling how it maps that in. Maybe that's not set up right.
> 
> -- Scott
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220127/cc8596f4/attachment.htm>

More information about the users mailing list