AWS DUO integration with AD

#1

Hi,

I’be been trying to integrate AWS console with DUO using AD, I already completed all the config related to the DAG. But when once I complete the two factor authentication I get:

“Your request included an invalid SAML response”

I have already gone through this link:

https://help.duo.com/s/article/2130?language=en_US

But from what I have checked everything looks good or I may be missing something. I collected the logs from the DAG and below are the attributes sent on the SAML message:

<saml:AuthnStatement AuthnInstant="2019-04-22T20:57:53Z" SessionNotOnOrAfter="2019-04-23T04:57:53Z" SessionIndex="_d0426e1273936fb6bab8a2ef7695e6c8e650c1b4e2">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
  <saml:Attribute Name="distinguishedName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">CN=spffull,CN=Users,DC=voseda,DC=com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="sAMAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">spffull</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="userPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="duo_username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">spffull</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">CN=DAG-AWS-SPF,CN=Users,DC=voseda,DC=com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

</saml:Assertion>
</samlp:Response>

Any ideas on what I may be missing?

Thanks!
Enrique

#2

Hi @enrique.davila,

I suggest you open a case about this with Duo Support.