Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1667
Views
1
Helpful
2
Replies

vCenter 7.03 & Duo SSO Generic OIDC Support?

briskik1
Level 1
Level 1

‎01-31-2023 07:49 AM

We had our vCenter 7.03 environment using Microsoft ADFS for Authentication, which has Duo for MFA. The ADFS servers were using the Duo AD FS Adapter version 1.2. We recently upgraded the adapter to version 2 for Universal Prompt Support. Apparently version 2 broke something in the ADFS page /.well-known/openid-configuration thats needed for vCenter.

I then read and setup Duo SSO and Generic OIDC for vCenter to attempt to use. I followed the same vmware KB article VMware Knowledge Base attempting to have Duo SSO/OIDC map the same attributes that ADFS would use. Our Duo Proxy Servers are connected to our Active Directory servers, and not ADFS. In Duo OIDC application page, I have the openid scope enabled, and manually created a new scope called ‘allatclaims’, and manually mapped these values trying to mimic the ADFS document.

Token-Groups - Qualified by Long Domain Name → Group
User-Prinicipal-Name → Name ID
User-Prinicipal-Name → UPN

Here are the VMware KB’s i’ve used to setup ADFS

https://kb.vmware.com/s/article/78029

What happens is, I log into vCenter web interface, I enter my username, I get redirected to Duo SSO, enter Username, Password, MFA and get redirected back to vCenter UI page with a [400] Unable to authenticate. error message.

vCenter logs shows a message of "Csp responded with status 400 BAD_REQUEST and body {“error_title”: “invalid_request”, “error_message”: “Request was malformed”}

The error of Request was malformed leads me to think that maybe we’re not mapping the correct values in the OIDC webpage.

Is there plans to support either fix the ADFS Duo 2.0 Adapter or Support vCenter using OIDC? Otherwise I’ll likely have to revert the Universal Prompt on ADFS Adapter 2.0 and use 1.2

0 Helpful
2 Replies 2

DuoKristina
Cisco Employee
Cisco Employee

‎01-31-2023 12:33 PM

Per our documentation, “The Duo AD FS module supports relying parties that use Microsoft’s WS-Federation protocol, like Office 365, as well as SAML 2.0 federated logons for cloud apps like Google G Suite and salesforce.com.” This does not include AD FS application groups.

While the prior version of the Duo plugin may have worked this way in your vCenter config, we did not officially test for nor state support for application groups in that version either.

We are evaluating AD FS application group (OIDC relying party) support now. You can contact Duo Support to be added to the feature request for OIDC application support with the Duo AD FS plugin.

For now your best best is to roll back to the prior version of the Duo plugin.

Duo, not DUO.
0 Helpful

DuoKristina
Cisco Employee
Cisco Employee

‎02-02-2023 04:44 AM

We’ve updated our AD FS documentation to b clearer about what types of applications are and aren’t supported today.

Duo, not DUO.
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents