04-22-2019 03:09 PM
Hi,
I've been trying to integrate the AWS console with Duo using AD, and I have already completed all the config related to the DAG. But once I complete the two-factor authentication I get:
“Your request included an invalid SAML response”
I have already gone through this link:
https://help.duo.com/s/article/2130?language=en_US
But from what I have checked everything looks good or I may be missing something. I collected the logs from the DAG and below are the attributes sent on the SAML message:
<saml:AuthnStatement AuthnInstant="2019-04-22T20:57:53Z" SessionNotOnOrAfter="2019-04-23T04:57:53Z" SessionIndex="_d0426e1273936fb6bab8a2ef7695e6c8e650c1b4e2">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="distinguishedName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">CN=spffull,CN=Users,DC=voseda,DC=com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="sAMAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">spffull</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="userPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="duo_username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">spffull</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">CN=DAG-AWS-SPF,CN=Users,DC=voseda,DC=com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Any ideas on what I may be missing?
Thanks!
Enrique
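An added check, not code from the original post or from Duo or AWS: it parses a saml:AttributeStatement and verifies the two AWS attributes against the value format AWS documents for its Role attribute, a comma-separated pair of role ARN and SAML-provider ARN. Both sample statements are constructed; the first carries the DN-style Role value shown in the post, and the account id and provider name in the second are placeholders.

```python
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# AWS expects each Role value as "<role ARN>,<SAML provider ARN>".
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:saml-provider/[\w._-]+$")

def attribute_values(statement_xml: str) -> dict:
    """Map attribute Name -> list of values from a saml:AttributeStatement."""
    root = ET.fromstring(statement_xml)
    out = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        vals = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        out.setdefault(attr.get("Name"), []).extend(vals)
    return out

def check_aws_attributes(statement_xml: str) -> list:
    """Return a list of problems; empty means the AWS attributes look right."""
    attrs = attribute_values(statement_xml)
    problems = []
    if not attrs.get(ROLE_ATTR):
        problems.append("missing Role attribute")
    for value in attrs.get(ROLE_ATTR, []):
        # Role names may contain commas; provider names cannot, so split on the last one.
        role, _, provider = value.strip().rpartition(",")
        if not (ROLE_ARN.match(role) and PROVIDER_ARN.match(provider)):
            problems.append(f"Role value is not 'role-arn,provider-arn': {value}")
    if not attrs.get(SESSION_ATTR):
        problems.append("missing RoleSessionName attribute")
    return problems

# Constructed sample mirroring the attributes in the post above (AD DN as the Role value).
_NS = f'xmlns:saml="{SAML}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
DN_ROLE_STATEMENT = f"""<saml:AttributeStatement {_NS}>
  <saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue xsi:type="xs:string">CN=DAG-AWS-SPF,CN=Users,DC=voseda,DC=com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{SESSION_ATTR}"><saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""
# Constructed sample in the documented format; account id and provider name are placeholders.
ARN_ROLE_STATEMENT = f"""<saml:AttributeStatement {_NS}>
  <saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue xsi:type="xs:string">arn:aws:iam::123456789012:role/DAG-AWS-SPF,arn:aws:iam::123456789012:saml-provider/DuoDAG</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{SESSION_ATTR}"><saml:AttributeValue xsi:type="xs:string">spffull@voseda.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    for name, xml in (("DN value", DN_ROLE_STATEMENT), ("ARN pair", ARN_ROLE_STATEMENT)):
        print(name, "->", check_aws_attributes(xml) or "OK")
```

On a real response, parse with defusedxml rather than ElementTree and verify the assertion signature before trusting any attribute value.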
04-29-2019 12:49 PM
Hi @enrique.davila,
I suggest you open a case about this with Duo Support.