Help with setting up Duo Admin Panel and Shibboleth

Mark Boyce Mark.Boyce at ucop.edu
Fri Jan 28 03:18:46 UTC 2022


Duo requires that you set the NameID Format to “persistent” and send the Administrator’s email address …

<!-- relying-party.xml override for the Duo SP -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="…..">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
        </list>
    </property>
</bean>
You’ll need to set that up in saml-nameid.xml:

<!-- SAML2 email NameID Generation for Duo -->
<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
      p:omitQualifiers="true"
      p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      p:attributeSourceIds="#{ {'mail'} }">
    <property name="activationCondition">
        <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="…." />
    </property>
</bean>

m.
From: users <users-bounces at shibboleth.net> On Behalf Of Melvin Lasky via users
Sent: Thursday, January 27, 2022 5:48 PM
To: Shib Users <users at shibboleth.net>
Cc: Melvin Lasky <melvin.lasky at manhattan.edu>
Subject: Help with setting up Duo Admin Panel and Shibboleth


Hey All,
I’ve been having a hard time setting up Duo Admin Panel with Shibboleth, so if anyone can shed some light that’d be great.

I keep getting:

Invalid response from SSO provider.

I tried unencrypted assertions with my

<!-- relying-party.xml override: disable assertion encryption for the Duo SP -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="xxxxx">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false" />
        </list>
    </property>
</bean>

(Where XXX is my Duo URL stuff)

But that didn’t work.

I saw this in their document (https://help.duo.com/s/article/4388?language=en_US)

• If the IdP is not signing both the assertion and the response. Duo requires that ADFS, Azure, Duo Access Gateway, Okta, and Shibboleth sign both the assertion and the response.
• To resolve this issue when using one of these IdPs, configure the IdP to sign both the assertion and the response.

——

How do I do that? I assume signing the assertion is just me taking out that relying party section but how do I sign the response?

Thanks for your help!

Any suggestions would be greatly appreciated!

Mel


Melvin Lasky
Associate Director of Enterprise Architecture



Riverdale, NY 10471
Phone: 718-862-7410
melvin.lasky at manhattan.edu<mailto:melvin.lasky at manhattan.edu>
www.manhattan.edu<http://www.manhattan.edu>
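As an added example (not code from either message in this thread, and not Duo's or Shibboleth's own documentation), here is a single relying-party.xml override that combines the three settings the thread touches on: the persistent NameID format precedence from Mark's reply, the signAssertions/signResponses switches that satisfy the "sign both the assertion and the response" requirement Melvin quotes from the Duo article, and the encryptAssertions override from Melvin's attempt. The entity ID is a placeholder, since the real Duo entity ID is redacted in the thread. In the Shibboleth IdP the assertion signature is not enabled by default on the SAML2.SSO profile, so it has to be switched on explicitly; the response signature is on by default for the POST binding but is set here as well so the override is self-describing.

```xml
<!-- relying-party.xml: override for the Duo Admin Panel SP (added example).
     Replace the placeholder entity ID with the SP entityID from Duo's metadata. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://PLACEHOLDER-DUO-ENTITY-ID">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:signResponses="true"
                  p:signAssertions="true"
                  p:encryptAssertions="false"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
        </list>
    </property>
</bean>
```

nameIDFormatPrecedence only chooses which format the IdP prefers for this SP; a generator for that format (such as the SAML2AttributeSourcedGenerator over the mail attribute in Mark's reply, scoped to the same entity ID in saml-nameid.xml) must still exist, or no persistent NameID is produced. To confirm the result, capture the SAML response the IdP sends to Duo (a browser SAML tracer extension is enough) and check that both the Response element and the Assertion element carry a ds:Signature child, that the Assertion is not wrapped in EncryptedAssertion, and that the NameID Format attribute reads the persistent URN.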
