Cannot create NameID. Source attribute 'Email' does not exist

jwckauman
Level 1

Using Palo Alto GlobalProtect SSO with Duo (and AzureAD for user authentication). When the user clicks ‘Connect’, GlobalProtect reports back “Oops! We had trouble logging you in” with the error as follows:

Cannot create NameID. Source attribute ‘Email’ does not exist.

Why is Duo trying to create a NameID? What is user ID used for? And why does it need the ‘Email’ attribute to authenticate a username/password?

1 Reply

jamieis
Cisco Employee

Hi @jwckauman,

Once a user successfully authenticates with Duo SSO, our service starts to generate a SAMLResponse to send back to Palo Alto. The NameID value is a value that always gets returned in that response that shows who the user is.

By default Duo SSO for named applications uses something called Bridge Attributes. You can see what values we are automatically trying to map for your identity provider for Palo Alto here. You can follow the instructions on that docs page to change the “Email” section to use a different attribute.

The way that attribute mapping works in Duo SSO is that whatever is listed under “Custom Attributes” gets looked up by Duo SSO during authentication. We either do this “just in time” against Active Directory or use the list of attributes that were sent to us in the SAMLResponse from a SAML IdP.
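
A troubleshooting sketch for the attribute lookup described in the reply above, added here and not part of the original post or Duo's own code: it lists the attributes carried in a SAMLResponse from the upstream SAML IdP and reports whether the configured source attribute (here 'Email') is present, empty, or missing. The sample response, the function names and the near-match heuristic are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an upstream IdP assertion whose claims use URI-style names.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Department"/>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def idp_attributes(saml_response_b64):
    """Return {attribute name: [non-empty values]} from a base64 SAMLResponse.

    The signature is not verified: this is for inspecting a captured response only.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_mapping(saml_response_b64, source_attribute):
    """Classify a configured source attribute as 'ok', 'empty' or 'missing'."""
    attrs = idp_attributes(saml_response_b64)
    if source_attribute in attrs:
        return ("ok" if attrs[source_attribute] else "empty"), []
    # Suggest names that differ only by case or carry the name in a URI suffix.
    wanted = source_attribute.lower()
    near = [n for n in attrs
            if n.lower() == wanted or wanted in n.rsplit("/", 1)[-1].lower()]
    return "missing", near
```

In the constructed sample, `check_mapping(SAMPLE_B64, "Email")` returns `missing` with the `emailaddress` claim URI as the near match, which is the kind of name mismatch that the mapping change described above would address.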
