Some applications on AD FS not working with Duo

Added Duo to AD FS today. Switched an application’s access control to “Permit and Require MFA” and Duo is doing its job nicely. The application was Kasm Workspaces.

Trying to do the same with vSphere did not work as nicely. vSphere takes me to the federation page, which takes me to Duo’s Universal Prompt, but then it goes back to the federation page with the error

Error details: MSIS7065: There are no registered protocol handlers on path /adfs/oauth2/authorize/ to process the incoming request.

Switching the access control back to not require MFA returns it to working order, just without Duo.

Thoughts?

Hi @charlespick ,

It looks like vSphere uses OIDC and not SAML for federation. The Duo for AD FS module does not currently support OIDC. Please feel free to share this and any future Feature Request with your Duo Account Executive, Customer Success Manager (if applicable), or our Support Team.

Hope this helps!

Was this removed? Is it coming back? It appears as if this used to be possible before the connector was updated to support the universal prompt. TAM Lab 113 - Part 2 - Configure DUO for MFA - YouTube

@DuoPablo I also found this.

As of version 2.0.0, the Duo for AD FS module supports the Universal Prompt, which itself is a frameless login experience, derived from OIDC standards. Adding the Universal Prompt did not also make the AD FS module capable of authenticating other OIDC applications via AD FS. The Universal Prompt makes it possible for AD FS to support true OIDC redirects in the future - when a new version is perhaps released with this capability.

OIDC appeared to work in version 1.2.0.17, per the VMware link you provided, but was never (and has not yet been) officially supported to work by Duo.
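An added example, not posted by anyone in this thread: a PowerShell triage script for an AD FS server that lists every application by protocol and flags OAuth2/OIDC Web API applications whose access control policy requires MFA, i.e. the combination the original post hit with vSphere. It assumes the ADFS module on Windows Server 2016 or later; the "match on MFA in the policy name" heuristic is a constructed assumption you may need to adjust to your own policy names.

```powershell
# Added example (not from the thread): find AD FS applications that require MFA but
# are OAuth2/OIDC, where Duo for AD FS cannot provide the second factor (per this thread).
# Assumes the ADFS PowerShell module on an AD FS server (Windows Server 2016+).
Import-Module ADFS

# Heuristic (assumption): any access control policy whose name contains "MFA",
# such as the "Permit and Require MFA" policy named in the original post.
function Test-RequiresMfa {
    param([string]$PolicyName)
    return [bool]($PolicyName -and $PolicyName -match 'MFA')
}

$results = @()

# SAML / WS-Federation relying party trusts: this is the pipeline the Duo module hooks.
foreach ($rp in Get-AdfsRelyingPartyTrust) {
    $results += [pscustomobject]@{
        Name        = $rp.Name
        Protocol    = $rp.ProtocolProfile          # WsFederation, SAML or WsFed-SAML
        Policy      = $rp.AccessControlPolicyName
        RequiresMfa = Test-RequiresMfa $rp.AccessControlPolicyName
        DuoCapable  = $true
    }
}

# OAuth2 / OIDC clients live in application groups; the Web API application carries the
# access control policy. These use /adfs/oauth2/authorize, not the SAML/WS-Fed endpoints.
foreach ($api in Get-AdfsWebApiApplication) {
    $results += [pscustomobject]@{
        Name        = "$($api.ApplicationGroupIdentifier) / $($api.Name)"
        Protocol    = 'OAuth2/OIDC'
        Policy      = $api.AccessControlPolicyName
        RequiresMfa = Test-RequiresMfa $api.AccessControlPolicyName
        DuoCapable  = $false
    }
}

$results | Sort-Object DuoCapable, Name | Format-Table -AutoSize

# OIDC plus an MFA-requiring policy is the configuration this thread reports as failing
# with MSIS7065 once the Duo module is installed.
$broken = $results | Where-Object { -not $_.DuoCapable -and $_.RequiresMfa }
if ($broken) {
    Write-Warning "OIDC applications requiring MFA that Duo for AD FS cannot serve:"
    $broken | ForEach-Object { Write-Warning "  $($_.Name) (policy: $($_.Policy))" }
}
```

Run it from an elevated AD FS PowerShell session before enabling an MFA policy on a new application, so OIDC applications such as vSphere are identified ahead of time rather than discovered through the MSIS7065 error.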