Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1728
Views
0
Helpful
5
Replies

Microsoft AD FS 3 and 4 - Required claims

redscout88
Level 1
Level 1

‎06-12-2019 01:59 PM

In this article, claim rules examples for enabling/disabling MFA are shown. I can’t find anywhere that lists what claims the Duo application expects and where to set those up, though. I’m not using Active Directory as my identity provider, so I need to set these up manually.

Does anyone know what claims I need to set up and where? UPN/sAMAccountName and Acceptance Transform Rules for my Claims Provider Trust? Or the Issuance Transform Rules for my Relying Party Trust?

0 Helpful
5 Replies 5

Amy2
Level 5
Level 5

‎06-13-2019 05:54 AM

Hi redscout88,

Have you seen our guide to configuration for Duo with AD FS 3? You may find the answers you’re looking for there. If you still have questions after reading it, then let me know what additional info you’re looking for and I’ll be happy to help further.

0 Helpful

redscout88
Level 1
Level 1
In response to Amy2

‎06-13-2019 07:57 AM

That still just seems to cover enabling/disabling MFA based on a set of claims. I have no problem with making MFA required, but I always an error message when ADFS takes me to the MFA page and it tries to load the Duo content.

I’m trying to figure out which properties Duo expects in order to load without error during ADFS sign in. I assume that’s some kind of identifier like UPN/SAM Account Name based on the install instructions, but I can’t figure out where that needs to be made available to Duo.

0 Helpful

PatrickKnight
Level 1
Level 1

‎06-14-2019 05:50 AM

Chris,

As far as the usernames that get sent to Duo we default to sAMAccountName. In version 1.2.0.12 and higher there is the option to use UPN as the account name, which is documented here.

If you’re uncertain what username is being sent today, you can enable debug logging and see what is reported there.

0 Helpful

redscout88
Level 1
Level 1
In response to PatrickKnight

‎06-14-2019 07:23 AM

I double checked my registry, and I have it set up to use UPN. Where does Duo get that from, though? I have a UPN claim set up on both my claims provider and relying party.

Also, I enabled debug logging in the registry and restarted ADFS, but I don’t see a Duo folder in my Windows Event Logs. What should the log be called? Just “Duo” or something?

0 Helpful

redscout88
Level 1
Level 1
In response to redscout88

‎07-29-2019 10:24 AM

I figured out that the undocumented required setup is an ADFS anchor claim matching the claim type being used by Duo.

Now I’ve got it working through the push notification, but still need to resolve a “SessionSecurityToken does not contain a single AnchorID claim” error occurring immediately after Duo auth before I can say this will work for us.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents