Question about DUO's SAML Request validation mechanism

I’m getting an issue with DUO’s single sign-on feature with an authentication source of SAML IdP. As follows:

  • Following this tutorial (How to Use Duo Single Sign-On (SSO) | Duo Security), I have created an authentication source called Azure, and created a Generic SAML Service Provider application to integrate our web app with DUO SSO.
  • Description of our web application, it is basically a login application, the old system (old login) is written in C#, and we are rewriting it using Scala (new login) ). The SAML SSO feature in New login is up and running on several IdPs (Azure, Okta, OneLogin, ADFS) and in theory it can be compatible with any IdP that supports the SAML protocol. However, when integrating with DUO, the new login will get the error “Malformed AuthnRequest received. Encoding is invalid” when DUO receives the SAML request at the endpoint

“/saml2/sp/id/sso”

, which doesn’t happen again with old login (DUO redirects to Azure login page and then handles MFA steps as usual).

  • After investigation, I found that the only deviation lies in the SAML Request of the new login and the old login, which is the root cause of the difference in the deflate + encoding base64 mechanism between Java and C#. Specifically as below:

Deflated output:
C#: 125, 145, …, 126, 1

Scala: 124, -111, …, 126, 1, 0, 0, -1, -1

Base64 encoded output:
C#: fZFLS8NQEIX/…gugP+fqX4B

Scala: fJFLS8NQEIX/…gugP+fqX4BAAD//w==

The only difference is in the first byte (the remaining bytes are expected due to the unsigned/signed mechanism between C# bytes and Scala bytes), resulting in the first characters in the base64 encode string having a mismatch (J and Z), when I try to replace the first byte to 125 or J to Z then DUO confirms this is valid SAML Request. I’m investigating further into the cause of this discrepancy, however what I’m wondering is is there anything special in DUO’s SAMLRequest validation mechanism? While the other IdPs all work fine with the SAML Request that the new login generates? Any assumption is very helpful. Thanks for your time.

Hi @Karpy, thanks for sharing your question here and providing so much detail. I see that you have a support case open with us about this already, so that’s great. They’re the best equipped to help you answer this question. They may also be able to provide some guidance on how to get this working.