AWS DUO integration with AD

Enrique Davila
Level 1

Hi,

I've been trying to integrate the AWS console with DUO using AD. I already completed all the config related to the DAG, but once I complete the two-factor authentication I get:

“Your request included an invalid SAML response”

I have already gone through this link:

https://help.duo.com/s/article/2130?language=en_US

But from what I have checked everything looks good or I may be missing something. I collected the logs from the DAG and below are the attributes sent on the SAML message:

<saml:AuthnStatement AuthnInstant="2019-04-22T20:57:53Z" SessionNotOnOrAfter="2019-04-23T04:57:53Z" SessionIndex="_d0426e1273936fb6bab8a2ef7695e6c8e650c1b4e2">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
  <saml:Attribute Name="distinguishedName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">CN=spffull,CN=Users,DC=voseda,DC=com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="sAMAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">spffull</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="userPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="duo_username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">spffull</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">CN=DAG-AWS-SPF,CN=Users,DC=voseda,DC=com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

</saml:Assertion>
</samlp:Response>

Any ideas on what I may be missing?

Thanks!
Enrique

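The attributes quoted above can be checked offline before opening a support case. The following script is an added example and is not part of the post or of Duo's or AWS's code: it wraps the quoted attribute values in a minimal, constructed AttributeStatement, parses it, and compares the two AWS-specific attributes against the format AWS documents for SAML federation (a comma-separated role ARN and SAML provider ARN pair for the Role attribute, and a 2 to 64 character session name). The ARNs in the "fixed" sample use the placeholder account id 123456789012 and an assumed provider name; they are not values from the page.

```python
"""Sanity-check the AWS-specific attributes in a SAML AttributeStatement.

Added example, not code from the forum post. The sample statements are
constructed here from the attribute values the post quotes so the check
runs offline; the ARNs in FIXED_STATEMENT are placeholders.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Documented AWS shapes: "arn:aws:iam::<12-digit account>:role/<name>" and
# "arn:aws:iam::<12-digit account>:saml-provider/<name>"; RoleSessionName
# is 2-64 characters from the set [\w+=,.@-].
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def _statement(role_value, session_value):
    """Build a constructed, well-formed AttributeStatement for testing."""
    return f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="sAMAccountName" NameFormat="{BASIC_FORMAT}">
    <saml:AttributeValue xsi:type="xs:string">spffull</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{ROLE_ATTR}" NameFormat="{BASIC_FORMAT}">
    <saml:AttributeValue xsi:type="xs:string">{role_value}</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{SESSION_ATTR}" NameFormat="{BASIC_FORMAT}">
    <saml:AttributeValue xsi:type="xs:string">{session_value}</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


# The Role value as it appears in the post: an AD distinguished name.
BROKEN_STATEMENT = _statement(
    "CN=DAG-AWS-SPF,CN=Users,DC=voseda,DC=com", "spffull@voseda.com")

# The same statement with the Role value in AWS's documented form
# (placeholder account id and an assumed provider name).
FIXED_STATEMENT = _statement(
    "arn:aws:iam::123456789012:role/DAG-AWS-SPF,"
    "arn:aws:iam::123456789012:saml-provider/DuoAccessGateway",
    "spffull@voseda.com")


def extract_attributes(xml_text):
    """Return {attribute Name: [values]} from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_aws_attributes(attrs):
    """Return a list of problems; an empty list means the AWS attributes
    have the documented shape (it does not prove the ARNs exist)."""
    problems = []
    roles = attrs.get(ROLE_ATTR, [])
    if not roles:
        problems.append(f"missing attribute {ROLE_ATTR}")
    for value in roles:
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            problems.append(
                f"Role value is not a 'roleARN,providerARN' pair: {value!r}")
            continue
        role_arn, provider_arn = parts
        if not ROLE_ARN_RE.match(role_arn):
            problems.append(f"first element is not an IAM role ARN: {role_arn!r}")
        if not PROVIDER_ARN_RE.match(provider_arn):
            problems.append(
                f"second element is not a SAML provider ARN: {provider_arn!r}")
    sessions = attrs.get(SESSION_ATTR, [])
    if len(sessions) != 1:
        problems.append(
            f"expected exactly one {SESSION_ATTR}, found {len(sessions)}")
    elif not SESSION_NAME_RE.match(sessions[0]):
        problems.append(
            f"RoleSessionName does not match AWS's pattern: {sessions[0]!r}")
    return problems


if __name__ == "__main__":
    for label, xml_text in (("as posted", BROKEN_STATEMENT),
                            ("documented form", FIXED_STATEMENT)):
        print(label, "->", check_aws_attributes(extract_attributes(xml_text)) or "OK")
```

Run as a script it reports the Role attribute in the posted statement as not being a `roleARN,providerARN` pair, while the placeholder-ARN version passes; paste the real AttributeStatement from the DAG log in place of the constructed one to check a live response the same way.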
1 Reply

DuoKristina
Cisco Employee

Hi @enrique.davila,

I suggest you open a case about this with Duo Support.

Duo, not DUO.