Help with setting up Duo Admin Panel and Shibboleth
melvin.lasky at manhattan.edu
Fri Jan 28 00:24:19 UTC 2022
LOL about the logic. I thought the same. Hahahaha.
Ok forgive my ignorance here as I usually don’t have many problems with this, what’s the best way to trace this? Web browser? SAMLTRACER extension? But don’t I need unencrypted assertions otherwise it’s gonna be all gobbledygook right? Also, my logs in shib look good to me for it. I see it sending my Mail attribute.
shib-idp;idp-process.log;dev;nothing; - [149.61.2.59]2022-01-27 23:37:25,638 - INFO [Shibboleth-Audit.SSO:283] - 2022-01-27T23:37:25.638103Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|DUO_5865aaf2ccf211d1a6cb78fc09cd90d6d971d12eabf3ac46d51f7609a946bdf5|https://admin-ourduonumber.duosecurity.com/saml/OURDUOSTUFF/metadata|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://ourshibserver.manhattan.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_fa30dd18e43297d0a286d029346f62d4|melvin.lasky||mail|||
So I’m not even sure what to check LOL. It’s gotta be something stupid I have wrong somewhere.
Mel
Melvin Lasky
Associate Director of Enterprise Architecture
Riverdale, NY 10471
Phone: 718-862-7410
melvin.lasky at manhattan.edu
www.manhattan.edu
> On Jan 27, 2022, at 7:18 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>
> On 1/27/22, 7:14 PM, "Melvin Lasky" <melvin.lasky at manhattan.edu> wrote:
>
>> "I understand you're encountering the error outlined here, which is basically either the SAML assertion was
>> encrypted when your IdP doesn't support encrypted assertions
>
> That's a fascinating bit of logic.
>
>> The Certificate for signing is in the Duo Metadata file. I double checked that looks right.
>
> Well, an IdP can simply skip encryption if there's no key to use. Make sure the metadata file has a key marked for more than just signing, but more to the point, just trace it, don't waste time guessing what it's doing.
>
> -- Scott
>
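
The metadata check suggested in the quoted reply, as an added example (not part of the original thread, and not Shibboleth or Duo code): it lists the `use` value of each SP KeyDescriptor in a SAML metadata document and reports whether any key is marked for more than just signing. The entityID and certificate body are constructed placeholders; per the SAML metadata schema, a KeyDescriptor with no `use` attribute applies to both signing and encryption.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def key_uses(metadata_xml):
    """Map each entityID to the 'use' values of its SP KeyDescriptors."""
    root = ET.fromstring(metadata_xml)
    result = {}
    # iter() also yields the root itself, so a bare EntityDescriptor and an
    # EntitiesDescriptor wrapper are both covered.
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        uses = []
        for kd in entity.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is None or not (cert.text or "").strip():
                continue  # descriptor carries no certificate, nothing to use
            # No 'use' attribute means the key serves signing and encryption.
            uses.append(kd.get("use", "both"))
        result[entity.get("entityID")] = uses
    return result

def can_encrypt_to(uses):
    """True if at least one key is marked for more than just signing."""
    return any(u in ("encryption", "both") for u in uses)

def sample_metadata(key_attrs):
    # Constructed sample: placeholder entityID and certificate body.
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.org/saml/metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor{key_attrs}><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

SIGNING_ONLY = sample_metadata(' use="signing"')
UNMARKED = sample_metadata("")

if __name__ == "__main__":
    for label, xml in (("signing only", SIGNING_ONLY), ("unmarked", UNMARKED)):
        for entity_id, uses in key_uses(xml).items():
            verdict = "can encrypt" if can_encrypt_to(uses) else "no encryption key"
            print(f"{label}: {entity_id} uses={uses} -> {verdict}")
```
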