Help with setting up Duo Admin Panel and Shibboleth

melvin.lasky at melvin.lasky at
Fri Jan 28 00:24:19 UTC 2022

LOL about the logic. I thought the same. Hahahaha. 

Ok, forgive my ignorance here, as I usually don’t have many problems with this: what’s the best way to trace this? Web browser? SAML-tracer extension? But don’t I need unencrypted assertions, otherwise it’s gonna be all gobbledygook, right? Also, my logs in shib look good to me for it. I see it sending my Mail attribute.

shib-idp;idp-process.log;dev;nothing; - []2022-01-27 23:37:25,638 - INFO [Shibboleth-Audit.SSO:283] - 2022-01-27T23:37:25.638103Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|DUO_5865aaf2ccf211d1a6cb78fc09cd90d6d971d12eabf3ac46d51f7609a946bdf5||||urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_fa30dd18e43297d0a286d029346f62d4|melvin.lasky||mail|||

So I’m not even sure what to check LOL. It’s gotta be something stupid I have wrong somewhere.


Melvin Lasky
Associate Director of Enterprise Architecture
Riverdale, NY 10471
Phone: 718-862-7410
melvin.lasky at

> On Jan 27, 2022, at 7:18 PM, Cantor, Scott <cantor.2 at> wrote:
> On 1/27/22, 7:14 PM, "Melvin Lasky" <melvin.lasky at> wrote:
>>   "I understand you're encountering the error outlined here,  which is basically either the SAML assertion was
>> encrypted when your IdP doesn't support encrypted assertions
> That's a fascinating bit of logic.
>>   The Certificate for signing is in the Duo Metadata file. I double checked that looks right.
> Well, an IdP can simply skip encryption if there's no key to use. Make sure the metadata file has a key marked for more than just signing, but more to the point, just trace it, don't waste time guessing what it's doing.
> -- Scott
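
The metadata check suggested in the reply above, as an added example that is not part of the original thread or of Shibboleth or Duo: it lists the use attribute of each KeyDescriptor in an SP's SAML metadata and reports whether any key is available for encryption. The entityID and certificate text are constructed placeholders; per the SAML metadata schema, a KeyDescriptor with no use attribute applies to both signing and encryption.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed SP metadata: entityID and certificate body are placeholders.
SIGNING_ONLY = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same metadata with the use attribute dropped: the key now covers both roles.
UNRESTRICTED = SIGNING_ONLY.replace(' use="signing"', "")


def key_uses(metadata_xml):
    """Map each entityID to the declared use of its SP KeyDescriptors."""
    root = ET.fromstring(metadata_xml)
    result = {}
    # iter() also matches the root, so a lone EntityDescriptor and an
    # EntitiesDescriptor aggregate are both handled.
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        descriptors = entity.findall("md:SPSSODescriptor/md:KeyDescriptor", NS)
        # A missing use attribute means the key is valid for both purposes.
        result[entity.get("entityID")] = [
            kd.get("use", "both") for kd in descriptors
        ]
    return result


def has_encryption_key(metadata_xml, entity_id):
    """True if the SP publishes at least one key usable for encryption."""
    uses = key_uses(metadata_xml).get(entity_id, [])
    return any(use in ("encryption", "both") for use in uses)


if __name__ == "__main__":
    for label, doc in (("signing-only", SIGNING_ONLY),
                       ("unrestricted", UNRESTRICTED)):
        print(label, key_uses(doc),
              has_encryption_key(doc, "https://sp.example.org/saml"))
```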