05-12-2022 07:56 AM
I’m getting an issue with DUO’s single sign-on feature with an authentication source of SAML IdP. As follows:
“/saml2/sp/id/sso”
, which doesn’t happen again with old login (DUO redirects to Azure login page and then handles MFA steps as usual).
Deflated output:
C#: 125, 145, …, 126, 1
Scala: 124, -111, …, 126, 1, 0, 0, -1, -1
Base64 encoded output:
C#: fZFLS8NQEIX/…gugP+fqX4B
Scala: fJFLS8NQEIX/…gugP+fqX4BAAD//w==
The only difference is in the first byte (the remaining bytes are expected due to the unsigned/signed mechanism between C# bytes and Scala bytes), resulting in a mismatch in the first characters of the base64-encoded string (J and Z). When I try to replace the first byte with 125, or J with Z, DUO confirms this is a valid SAML Request. I’m investigating further into the cause of this discrepancy; however, what I’m wondering is: is there anything special in DUO’s SAMLRequest validation mechanism, given that the other IdPs all work fine with the SAML Request that the new login generates? Any assumption is very helpful. Thanks for your time.
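One reading of the byte difference in the post above, as an added example that is not part of the original thread: in raw DEFLATE (RFC 1951) bit 0 of the first byte is the BFINAL flag, so 125 (0x7D) marks a final block and 124 (0x7C) does not, and a trailing 0, 0, -1, -1 is the empty stored block left by a sync flush. The Python sketch below reproduces both shapes and the one-bit patch using a constructed request. The function names are hypothetical, and that the Scala side flushes without finishing is an assumption the thread does not confirm.

```python
import base64
import zlib

# Constructed sample request, not taken from the thread.
SAMPLE = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          b'ID="_example" Version="2.0" IssueInstant="2022-05-12T07:56:00Z"/>')

def deflate_raw(data: bytes, finish: bool) -> bytes:
    """Raw DEFLATE (wbits=-15, no zlib header), as SAML's HTTP-Redirect binding uses."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    out = c.compress(data)
    # Z_FINISH writes a final block; Z_SYNC_FLUSH only flushes pending output.
    return out + c.flush(zlib.Z_FINISH if finish else zlib.Z_SYNC_FLUSH)

def inspect(stream: bytes) -> dict:
    """Decode the first block header and check whether the stream terminates."""
    d = zlib.decompressobj(-15)
    plain = d.decompress(stream)
    return {
        "bfinal": stream[0] & 1,          # bit 0: 1 = last block of the stream
        "btype": (stream[0] >> 1) & 3,    # bits 1-2: 0 stored, 1 fixed, 2 dynamic
        "sync_trailer": stream.endswith(b"\x00\x00\xff\xff"),
        "terminated": d.eof,              # True only after a BFINAL=1 block ends
        "plain": plain,
    }

def force_final(stream: bytes) -> bytes:
    """Set BFINAL on the first block: the 124 -> 125 change described in the post."""
    return bytes([stream[0] | 1]) + stream[1:]

if __name__ == "__main__":
    for label, s in (("finished", deflate_raw(SAMPLE, True)),
                     ("sync-flushed", deflate_raw(SAMPLE, False)),
                     ("patched", force_final(deflate_raw(SAMPLE, False)))):
        r = inspect(s)
        print(label, base64.b64encode(s)[:4], r["bfinal"], r["btype"],
              r["sync_trailer"], r["terminated"], r["plain"] == SAMPLE)
```

In Python, one-shot `zlib.decompress(stream, -15)` raises on the sync-flushed form while the streaming `decompressobj` returns the full plaintext, which mirrors how receivers can differ on the same request.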
05-18-2022 07:00 AM
Hi @Karpy, thanks for sharing your question here and providing so much detail. I see that you have a support case open with us about this already, so that’s great. They’re the best equipped to help you answer this question. They may also be able to provide some guidance on how to get this working.