Error with Google Workspace SSO Profile for Duo

I’m trying to set up Duo as the SSO source for Google Workspace (using the Duo Google Workspace - Single Sign-On application), but it’s throwing an error when it first tries to redirect the user to Duo. I’m setting it up as a profile since it is only being applied to certain OUs in Google. We have a different SSO provider as our primary, but the Duo documentation is all for setting it up as the primary. This is the error I’m getting:

Oops!

We had trouble logging you in.

To access this application, contact your Help Desk. Let them know what app you were trying to access and the error below.

Error:Issuer in message received (https://accounts.google.com/samlrp/metadata?rpid=REDACTED) does not match the configured Entity ID expected (google.com/a/REDACTED.org)

Any assistance would be greatly appreciated!

Hi there @AD_Tech,

This error likely indicates that the Entity ID or Issuer that the service provider uses to identify itself does not match the Entity ID configured in the Duo Admin Panel for the ACS URL the service provider is configured to send its Response to. Here are some troubleshooting steps that might help:

  • Make sure the ACS URL is configured correctly on the service provider side

  • If it is, make sure that the Entity ID configured in the Duo Admin Panel is correct

  • If this is a named integration and the Entity ID is not provided directly to Duo SSO, make sure that any fields used to generate the Entity ID are correct

Note: The Entity ID being sent by the service provider is the first one listed in the error message, while the Entity ID configured in Duo SSO is the second one listed in the error message.

Hope this helps!

Kindly,

Lauren
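Added example, not part of the original thread and not Duo or Google tooling: one way to see which Issuer the service provider actually sends is to decode the SAMLRequest from the redirect URL (captured in the browser's network tab) and compare it with the Entity ID configured on the IdP side. It assumes the request uses the SAML HTTP-Redirect binding (DEFLATE plus base64); the sample request, `sp.example` and `idp.example` are constructed placeholders, and the two identifiers are the redacted values from the error message above.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_redirect_request(url):
    """Return the AuthnRequest XML carried in a SAML HTTP-Redirect URL."""
    params = parse_qs(urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15)  # raw DEFLATE stream, no zlib header
    if b"<!DOCTYPE" in xml:
        # SAML messages never need a DTD; refuse rather than expand entities.
        raise ValueError("DTD found in SAML message; refusing to parse")
    return xml

def check_issuer(url, configured_entity_id):
    """Compare the Issuer the SP sent with the Entity ID the IdP expects."""
    root = ET.fromstring(decode_redirect_request(url))
    issuer = root.findtext("saml:Issuer", default="", namespaces=SAML_NS).strip()
    return {
        "sent_issuer": issuer,                                # first value in the error
        "configured_entity_id": configured_entity_id,         # second value in the error
        "acs_url": root.get("AssertionConsumerServiceURL"),   # optional attribute, may be None
        "match": issuer == configured_entity_id,              # exact string comparison
    }

def build_sample_url(issuer):
    """Constructed sample: a minimal AuthnRequest encoded the way an SP would send it."""
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
        'Version="2.0" AssertionConsumerServiceURL="https://sp.example/acs">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    ).encode()
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return "https://idp.example/sso?" + query

if __name__ == "__main__":
    sent = "https://accounts.google.com/samlrp/metadata?rpid=REDACTED"
    print(check_issuer(build_sample_url(sent), "google.com/a/REDACTED.org"))
```

If the request arrives by HTTP-POST instead, the form field is base64 only, so the `zlib.decompress` step is skipped.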

Log in to the Duo Admin Panel.
Click Administrators in the left sidebar, and then click Admin Login Settings.
Scroll to the Single Sign-On with SAML Configuration section of the "Administrator Login Settings" page.
Enable SSO by changing the "Authentication with SAML" setting.