Help with setting up Duo Admin Panel and Shibboleth

Melvin Lasky melvin.lasky at manhattan.edu
Fri Jan 28 03:48:36 UTC 2022


Mark!!!!!

Thanks so much! That did it.

You are the best.

Mel

Melvin Lasky
Associate Director of Enterprise Architecture
Riverdale, NY 10471
Phone: 718-862-7410
melvin.lasky at manhattan.edu
www.manhattan.edu


> On Jan 27, 2022, at 10:18 PM, Mark Boyce <Mark.Boyce at ucop.edu> wrote:
> 
> Duo requires that you set the NameID Format to “persistent” and send the Administrator’s email address …
>  
> <bean parent="RelyingPartyByName" c:relyingPartyIds="…..">
>     <property name="profileConfigurations">
>         <list>
>             <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
>         </list>
>     </property>
> </bean>
> You’ll need to set that up in saml-nameid.xml:
>  
> <!-- SAML2 email NameID Generation for Duo -->
> <bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true"
>       p:format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>       p:attributeSourceIds="#{ {'mail'} }">
>     <property name="activationCondition">
>         <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="…." />
>     </property>
> </bean>
>  
> m.
> From: users <users-bounces at shibboleth.net> On Behalf Of Melvin Lasky via users
> Sent: Thursday, January 27, 2022 5:48 PM
> To: Shib Users <users at shibboleth.net>
> Cc: Melvin Lasky <melvin.lasky at manhattan.edu>
> Subject: Help with setting up Duo Admin Panel and Shibboleth
>  
> 
> Hey All, 
> I’ve been having a hard time setting up Duo Admin Panel with Shibboleth, so if anyone can shed some light that would be great.
>  
> I keep getting:
>  
> Invalid response from SSO provider.
>  
> I tried unencrypted assertions with my 
>  
> <bean parent="RelyingPartyByName" c:relyingPartyIds="xxxxx">
>     <property name="profileConfigurations">
>         <list>
>             <bean parent="SAML2.SSO" p:encryptAssertions="false" />
>         </list>
>     </property>
> </bean>
>  
> (Where XXX is my Duo URL stuff)
>  
> But that didn’t work.
>  
> I saw this in their document (https://help.duo.com/s/article/4388?language=en_US)
>  
> • If the IdP is not signing both the assertion and the response. Duo requires that ADFS, Azure, Duo Access Gateway, Okta, and Shibboleth sign both the assertion and the response.
> • To resolve this issue when using one of these IdPs, configure the IdP to sign both the assertion and the response.
>  
> ——
>  
> How do I do that? I assume signing the assertion is just me taking out that relying party section but how do I sign the response?
>  
> Thanks for your help!
>  
> Any suggestions would be greatly appreciated!
>  
> Mel
>  
>  
> Melvin Lasky
> Associate Director of Enterprise Architecture
> 
> Riverdale, NY 10471
> Phone: 718-862-7410
> melvin.lasky at manhattan.edu
> www.manhattan.edu
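A structural pre-flight check for the two requirements Mark's reply turns on (Response and Assertion both signed, NameID in persistent format carrying the e-mail), added to this archive page as an example; it is not code from the thread, from Duo or from Shibboleth. The Response XML is constructed and its signature values are placeholders, so the check only confirms the elements are present, not that the signatures verify.

```python
import xml.etree.ElementTree as ET

# Constructed check, not from the thread: does a SAML Response meet the two
# requirements named above (Response AND Assertion signed; NameID format
# persistent carrying an e-mail)? Structural only: signatures are not verified.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def check_duo_response(xml_text):
    """Return a list of problems; an empty list means the Response looks Duo-ready."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    if root.find("ds:Signature", NS) is None:          # signature on the Response itself
        problems.append("Response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:                               # Duo needs the Assertion in the clear
        enc = root.find("saml:EncryptedAssertion", NS) is not None
        return problems + ["Assertion is %s" % ("encrypted" if enc else "missing")]
    if assertion.find("ds:Signature", NS) is None:      # separate signature on the Assertion
        problems.append("Assertion is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    else:
        if name_id.get("Format") != PERSISTENT:
            problems.append("NameID Format is %r, not persistent" % name_id.get("Format"))
        if "@" not in (name_id.text or ""):
            problems.append("NameID value is not an e-mail address")
    return problems


# Constructed sample: what the IdP should emit after the two changes in Mark's reply.
SAMPLE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>c2lnbmVk</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>c2lnbmVk</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe@example.edu</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
```

Run `check_duo_response()` on a decoded SAMLResponse captured from the browser (e.g. from the IdP's audit log or a SAML tracer) to see which of Duo's conditions the IdP is still missing before reading the generic "Invalid response from SSO provider" message.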