DAG integration with vCloud director

I tried to integrate the DUO with vCloud director, however after integration I'm getting the below error.

  1. DAG (Linux VM) —> We are using AD integration here.
  2. DUO admin console —> We configured a new service provider application, after that we are getting below error. Please help

Oops! We could not authenticate you to the requested site.

Thanks,
Manivel R

Continuing the discussion from DAG integration with vCloud director:

@manivel

That’s not quite enough information to figure out what’s going on. Check out this knowledge base article to learn how to enable debug logging in the Duo Access Gateway, and then take a look at the logs to see what is happening. Search the knowledge base for any errors you see in your log and you may find additional guidance.

If you need help interpreting the logs or want assisted troubleshooting, please contact Duo Support.

Hi Kristina,

We fixed most of the issues except one issue. Please suggest.

  1. DUO admin console (got JSON file from here)
  2. DAG (Linux machine) —> Active Directory is acting as an authentication source (in DAG URL (at the metadata section), at the bottom, we got the XML file of DAG)
  3. vCloud director —> We got the SAML metadata (i.e. VCD XML file).
  4. AD server —> In relying party trust (ADFS)

Process

  1. DUO JSON file downloaded and then uploaded the JSON file in DAG gateway (Application section)
  2. In DAG, we downloaded the XML file in application’s metadata section and uploaded the XML file under vCloud director Federation “SAML” section.
  3. In vCloud director, we downloaded the XML file from SAML field and uploaded the same file in relying party trust (ADFS), i.e. AD server.

When I try to log in to the vCloud director,

  1. First authentication is AD credentials —> It's successful
  2. Second authentication is DUO push —> It's successful.
  3. After landing in to vCloud page, I got an error as https://globalvcd.usinternal.com/cloud/failure.jsp

Error is SAML authentication failed for this organization.

Thanks,
Manivel R

Thanks for the additional information about the steps you’re taking. Are you trying to use BOTH Duo Access Gateway and AD FS at the same time? Your process is a bit confusing.

Are you pointing DAG to AD FS as a SAML authentication source, or are you pointing DAG to the same AD used by AD FS as an LDAP authentication source? Either way, there should be no federation redirect from vCloud Director to AD FS once you have introduced DAG to the login path, so I am not sure why you would upload anything from vCloud Director to AD FS (unless I am misunderstanding your step 3).

Are you following the vCloud directions here? Did you map the attributes specified in the second paragraph? Note that the Duo generic SAML application doesn’t support sending group information today.

The answer likely lies in the vCloud logs. Somewhere it should tell you why exactly it is rejecting the SSO login, and you could take that information and work backwards to adjust the SSO config accordingly.

Since your configuration and issues are complex, you should consider contacting Duo Support. This community isn’t

Thanks for the update. I have already raised a case and am waiting for an update.
I'd like to achieve this one.
AD is my identity provider.
1st authentication is AD credentials
2nd auth is DUO push.
After that, my vCloud director should login.

This DUO is a bit confusing.
From DAG admin console, JSON file should import and upload on DAG.
I see in DAG, there is one XML file. I uploaded that XML file in vCloud director.

I just integrated my DAG into AD (I tried out this way as well).
1st and 2nd auth are successful and in the final stage, SAML auth failed error message.

Which means we don't need to do any configuration (in ADFS) for SAML auth?

Correct me if I'm wrong.

Thanks,
Manivel R

It's fixed.

Thank you,
Manivel RR

@manivel what was your solution please?