Cannot create NameID. Source attribute 'Email' does not exist

Using Palo Alto GlobalProtect SSO with Duo (and AzureAD for user authentication). When the user clicks ‘Connect’, GlobalProtect reports back “Oops! We had trouble logging you in” with the error as follows:

Cannot create NameID. Source attribute ‘Email’ does not exist.

Why is Duo trying to create a NameID? What is the user ID used for, and why does it need the ‘Email’ attribute to authenticate a username/password?

Hi @jwckauman,

Once a user successfully authenticates with Duo SSO, our service starts to generate a SAMLResponse to send back to Palo Alto. The NameID value is a value that always gets returned in that response that shows who the user is.

By default Duo SSO for named applications uses something called Bridge Attributes. You can see what values we are automatically trying to map for your identity provider for Palo Alto here. You can follow the instructions on that docs page to change the “Email” section to use a different attribute.

The way that attribute mapping works in Duo SSO is that whatever is listed under “Custom Attributes” gets looked up by Duo SSO during authentication. We either do this “just in time” against Active Directory or use the list of attributes that were sent to us in the SAMLResponse from a SAML IdP.
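The reply above describes the mechanism behind the error: the SSO service builds the NameID for the SAMLResponse by looking up a configured source attribute among the attributes it received from the upstream IdP, and fails when that attribute is absent. The following Python snippet is an added illustration of that lookup, not Duo's code; the assertion XML, the attribute names (`mail`, `displayName`) and the `mapping` dictionary are constructed for the example, and it deliberately reproduces the two outcomes: a mapping that points at a non-existent attribute raises the error quoted in the question, while re-pointing the mapping at an attribute the IdP actually sends produces a NameID.

```python
"""Added example: resolving a SAML NameID from a configured source attribute."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion from an upstream IdP. Note that the address is
# sent under the attribute name "mail"; there is no attribute named "Email".
UPSTREAM_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayName">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class NameIDError(ValueError):
    """Raised when the configured NameID source attribute is not available."""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: first value} from the assertion's AttributeStatement.

    The mapping shown on the page works from exactly this kind of list: the
    attributes the upstream IdP included in its response.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def resolve_name_id(attrs: dict, source_attribute: str) -> str:
    """Look up the configured source attribute; fail the way the page describes."""
    if source_attribute not in attrs:
        raise NameIDError(
            f"Cannot create NameID. Source attribute '{source_attribute}' does not exist."
        )
    return attrs[source_attribute]


def build_name_id(assertion_xml: str, mapping: dict) -> str:
    """mapping["NameID"] names the upstream attribute the NameID is taken from
    (hypothetical configuration shape, standing in for the 'Email' section of
    the bridge-attribute settings)."""
    attrs = extract_attributes(assertion_xml)
    return resolve_name_id(attrs, mapping["NameID"])


def name_id_error_message(assertion_xml: str, mapping: dict) -> str:
    """Return the error text a misconfigured mapping produces, or '' on success."""
    try:
        build_name_id(assertion_xml, mapping)
    except NameIDError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    # Default-style mapping expecting an attribute literally named "Email".
    print(name_id_error_message(UPSTREAM_ASSERTION, {"NameID": "Email"}))
    # Corrected mapping pointing at the attribute the IdP really sends.
    print(build_name_id(UPSTREAM_ASSERTION, {"NameID": "mail"}))
```

When debugging this in practice, the useful first step is to capture the upstream assertion and list its attribute names, exactly as `extract_attributes` does, and compare that list against the source attribute configured in the bridge attributes; the error text tells you which side of that comparison is empty.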