Salesforce SSO Issues


#1

TL; DR: I’ve been having issues after Winter 18 and am wondering if Duo recommends switching “Service Provider Initiated Request Binding” from HTTP Redirect to “HTTP Post” in Salesforce’s SSO settings as noted here in the Salesforce community by another user. This conflicts with their setup instructions here.

We’ve been using Duo for SSO for a while; I’ve always had to login to my org before I could use my Salesforce login to access connected apps, the community, etc. Kind of annoying, but workable. If users don’t do things in this order, we get a 404 error. (this applies to connected apps, etc.)

I started noticing problems after Salesforce’s Winter release. I had issues logging into my ETL tool and finally had to uncheck our saved custom domain to get in. Our vendor uses OKTA and couldn’t reproduc the issue. The found the link above and suggested I give this change a shot. I’m looking for advice whether I should since it doesn’t follow the Salesforce SSO setup instructions on the Duo site.

I’ve also had issues opening community links and receiving the 404 error while I was already logged into my production org. The only way to get back in is to refresh my org browser page, which if I’m remote will trigger 2FA once I send the push, I can usually open community links once again.


#2

Hey there @yramt,

My name is Jamie, and I work on the team that does SSO for Duo.

I’m sorry to hear that you’re having problems with SalesForce and the Duo Access Gateway.

I was unable to reproduce the issue but would you be able to send an e-mail to support@duo.com with the details you summarized here so we can track it with a ticket for you? You can tell them to pull in Jamie on the ticket. They may also ask you to provide some logs from your Duo Access Gateway and SalesForce during the times that authentication issues occurred.

Because this also seems to be an issue that popped up after a SalesForce release and it doesn’t look like you’re the only one having problems, I’d recommend contacting SalesForce about this issue as well so we can attack this from both sides.

Thanks,

Jamie