
NameID issue during webex + DUO + Azure SSO integration

Sviatlana
Level 1

Hi!
I’m trying to enable DUO SSO for webex (Control Hub). Azure AD is configured as the authentication source.
I followed all the steps in this guide: https://duo.com/docs/sso-webex#top. But when I test SSO on the Control Hub page I see this error: Cannot create NameID. Source attribute ‘Email’ does not exist.
At the same time I see logs about a successful login to webex in the DUO and Azure admin panels. Moreover, DUO creates a new user.
It seems that something is wrong with the NameID format or attributes. In Azure, the NameID format uses user.mail: NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

In SAML tracer I see that webex sends the NameID in transient format: Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
Also in SAML tracer I see that the correct Email attribute is being sent as webex expects: Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Email">

I opened a case with the webex and DUO teams, but everybody told me that everything was OK on their side.
I read the appropriate topic on the DUO KB and checked the configuration many times, but the issue is still here.

I would appreciate anyone who can help solve this issue. Thanks!

1 Accepted Solution


DuoKristina
Cisco Employee

I found your Duo support case and noted that you were also asking the community.

I saw you sent them a screenshot of your Azure claims.

It looks like instead of naming the claim with just the attribute name (like Email), the claim names are a URL (like http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Email). Did you try to log in with the five claim names configured so they match what’s shown in the example here?

Duo, not DUO.


3 Replies 3

Sviatlana
Level 1

Kristina, many thanks for your idea! It works!
The problem was that I used the default settings of the claim format, which contains a namespace (like http://schemas.xmlsoap.org/ws/2005/05/identity/claims/)

I removed these default claims and created the new ones.

I am very grateful that you responded!

Glad that helped you get this working.

Duo, not DUO.
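
An added example, not part of the original thread and not Duo or Webex code: a small check that compares the attribute names in a SAML assertion with the short names the consumer looks up, to catch the namespaced-claim mismatch resolved above. The assertion is a constructed sample, the function names are hypothetical, and the expected list holds only `Email` because that is the only claim name the thread spells out.

```python
import xml.etree.ElementTree as ET  # use defusedxml instead for untrusted XML

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an assertion whose claim keeps the default namespaced name.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_names(assertion_xml):
    """Return the Name of every saml:Attribute in the assertion, in order."""
    root = ET.fromstring(assertion_xml)
    return [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", SAML_NS)]


def check_claims(assertion_xml, expected=("Email",)):
    """Map each expected claim name to (status, name actually sent).

    ok       - an attribute with exactly that Name is present
    mismatch - only a variant is present (namespace prefix or different case),
               which an exact-name lookup will not find
    missing  - nothing resembling the claim was sent
    """
    names = attribute_names(assertion_xml)
    report = {}
    for want in expected:
        if want in names:
            report[want] = ("ok", want)
            continue
        # Compare on the last path segment so ".../claims/Email" matches "Email".
        near = [n for n in names
                if n.rstrip("/").rsplit("/", 1)[-1].lower() == want.lower()]
        report[want] = ("mismatch", near[0]) if near else ("missing", None)
    return report


if __name__ == "__main__":
    for claim, (status, sent) in check_claims(SAMPLE_ASSERTION).items():
        print(f"{claim}: {status} (sent as {sent!r})")
```
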