04-22-2019 03:09 PM
Hi,
I've been trying to integrate the AWS console with Duo using AD. I have already completed all the configuration related to the DAG, but once I complete the two-factor authentication I get:
“Your request included an invalid SAML response”
I have already gone through this link:
https://help.duo.com/s/article/2130?language=en_US
But from what I have checked everything looks good, or I may be missing something. I collected the logs from the DAG and below are the attributes sent in the SAML message:
    <saml:AuthnStatement AuthnInstant="2019-04-22T20:57:53Z" SessionNotOnOrAfter="2019-04-23T04:57:53Z" SessionIndex="_d0426e1273936fb6bab8a2ef7695e6c8e650c1b4e2">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="distinguishedName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">CN=spffull,CN=Users,DC=voseda,DC=com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="sAMAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">spffull</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="userPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="duo_username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">spffull</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">CN=DAG-AWS-SPF,CN=Users,DC=voseda,DC=com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
Any ideas on what I may be missing?
Thanks!
Enrique
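The first thing to check in a response like the one above is whether the AWS Role attribute carries the value AWS documents for console federation. As an added example (not from the thread, and not Duo's or AWS's own tooling), this Python script parses an AttributeStatement of the shape posted above and reports when the Role value is a directory DN instead of the documented "role ARN,SAML provider ARN" pair, when the two ARNs belong to different accounts, or when RoleSessionName is missing. All account ids, role names and user values below are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not from the thread; all sample data below is constructed.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# AWS documents the Role value as "<role ARN>,<SAML provider ARN>", both in
# the same account (the 12-digit account id is captured twice to compare).
ARN_PAIR = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+,"
                      r"arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

def check_aws_attributes(statement_xml):
    """Return the problems found in an AttributeStatement; [] means it looks valid."""
    root = ET.fromstring(statement_xml)
    values = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
    problems = []
    roles = values.get(ROLE_ATTR, [])
    if not roles:
        problems.append("missing Role attribute")
    for value in roles:
        match = ARN_PAIR.match(value)
        if not match:
            problems.append(f"Role value is not '<role ARN>,<provider ARN>': {value}")
        elif match.group(1) != match.group(2):
            problems.append(f"role and provider ARNs are in different accounts: {value}")
    session = values.get(SESSION_ATTR, [])
    if len(session) != 1 or not session[0]:
        problems.append("RoleSessionName must carry exactly one non-empty value")
    return problems

def sample_statement(role_value):
    """Constructed AttributeStatement in the shape shown in the thread."""
    return f"""<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue xsi:type="xs:string">{role_value}</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{SESSION_ATTR}"><saml:AttributeValue xsi:type="xs:string">user@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

# A directory group DN (the shape seen in the thread) fails; an ARN pair in one account passes.
DN_VALUE = "CN=DAG-AWS-SPF,CN=Users,DC=example,DC=com"
GOOD_VALUE = "arn:aws:iam::123456789012:role/DAG-AWS-SPF,arn:aws:iam::123456789012:saml-provider/DuoDAG"

if __name__ == "__main__":
    for value in (DN_VALUE, GOOD_VALUE):
        print(value, "->", check_aws_attributes(sample_statement(value)) or "ok")
```

The same check can be run over the AttributeStatement copied out of the DAG debug log before opening a support case.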
04-29-2019 12:49 PM
Hi @enrique.davila,
I suggest you open a case about this with Duo Support.