Help with setting up Duo Admin Panel and Shibboleth

Mark Boyce Mark.Boyce at
Fri Jan 28 03:18:46 UTC 2022

Duo requires that you set the NameID Format to “persistent” and send the Administrator’s email address …

<bean parent="RelyingPartyByName" c:relyingPartyIds="…..">
                                                <property name="profileConfigurations">
                                                                                <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
You’ll need to set that up in saml-nameid.xml:

        <!-- SAML2 email NameID Generation for Duo -->
                                <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true" p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                                                p:attributeSourceIds="#{ {'mail'} }">
                                                <property name="activationCondition">
                                                                <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="…." />

From: users <users-bounces at> On Behalf Of Melvin Lasky via users
Sent: Thursday, January 27, 2022 5:48 PM
To: Shib Users <users at>
Cc: Melvin Lasky <melvin.lasky at>
Subject: Help with setting up Duo Admin Panel and Shibboleth

CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hey All,
I’ve been having a hard time setting up Duo Admin Panel with Shibboleth so if anyone can shed some light that be great.

I keep getting:

Invalid response from SSO provider.

I tried unencrypted assertions with my

        <bean parent="RelyingPartyByName" c:relyingPartyIds=“xxxxx">
            <property name="profileConfigurations">
                    <bean parent="SAML2.SSO" p:encryptAssertions="false" />

(Where XXX is my Duo URL stuff)

But that didn’t work.

I saw this in there document (

• If the IdP is not signing both the assertion and the response. Duo requires that ADFS, Azure, Duo Access Gateway, Okta, and Shibboleth sign both the assertion and the response.
• To resolve this issue when using one of these IdPs, configure the IdP to sign both the assertion and the response.


How do I do that? I assume signing the assertion is just me taking out that relying party section but how do I sign the response?

Thanks for your help!

Any suggestions would be greatly appreciated!


Melvin Lasky
Associate Director of Enterprise Architecture
[cid:image001.jpg at 01D813C3.603B5040]

Riverdale, NY 10471
Phone: 718-862-7410
melvin.lasky at<mailto:melvin.lasky at><>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 3547 bytes
Desc: image001.jpg
URL: <>

More information about the users mailing list