TL;DR: I’ve been having issues after Winter 18 and am wondering if Duo recommends switching “Service Provider Initiated Request Binding” from HTTP Redirect to “HTTP Post” in Salesforce’s SSO settings as noted here in the Salesforce community by another user. This conflicts with their setup instructions here.
We’ve been using Duo for SSO for a while; I’ve always had to log in to my org before I could use my Salesforce login to access connected apps, the community, etc. Kind of annoying, but workable. If users don’t do things in this order, we get a 404 error. (This applies to connected apps, etc.)
I started noticing problems after Salesforce’s Winter release. I had issues logging into my ETL tool and finally had to uncheck our saved custom domain to get in. Our vendor uses Okta and couldn’t reproduce the issue. They found the link above and suggested I give this change a shot. I’m looking for advice on whether I should, since it doesn’t follow the Salesforce SSO setup instructions on the Duo site.
I’ve also had issues opening community links and receiving the 404 error while I was already logged into my production org. The only way to get back in is to refresh my org browser page, which, if I’m remote, will trigger 2FA; once I send the push, I can usually open community links once again.