Duo Web SDK returns “The username is invalid” despite successful push

jwegge1
Level 1

On a clean install of Debian Bookworm, we're integrating Duo Universal Prompt using the Duo Web SDK for Roundcube webmail (using a reverse proxy setup). The flow is working technically, but the callback fails.

Setup:

- Duo user is synced from Active Directory (Directory Sync)
- The Duo username equals the `sAMAccountName` field (`exampleuser`)
- Web SDK uses:
  - `createAuthUrl('exampleuser', $state)`
  - `exchangeAuthorizationCodeFor2FAResult($duo_code, $state)`
- Universal Prompt is fully activated and visible
- Username normalization is set to `Simple`
- Duo Push is approved by the user
- The login is marked **Granted** in the Duo Admin Authentication Log

Even though everything is correct and the user successfully approves the Duo Prompt:

```text
exchangeAuthorizationCodeFor2FAResult() → "The username is invalid"
```

This happens every time, despite:

- Matching state and duo_code
- Using the exact same username as in Directory Sync (sAMAccountName)
- MFA works perfectly on RDP and Windows Logon for the same user

Can it be that the OIDC backend in Duo isn't mapping the identity correctly in the Web SDK flow — possibly due to how the identity is bound post-prompt approval?

I've tried:
- Changing username normalization settings
- Testing with/without aliases
- Switching between sAMAccountName and UPN formats
- Testing with hardcoded usernames and minimal test scripts

Is there anything else to check on the Duo Admin or directory side?

Happy to provide additional debug details privately if needed.

TIA
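
An added example, not part of the original post and not Duo's own code: a callback handler that keeps the two session values apart, comparing the returned `state` itself and handing the saved username to the exchange call. `FakeDuoClient` is a constructed stand-in for the SDK client; its comparison against the token's `preferred_username` claim, the session keys and the sample values are assumptions so the snippet runs offline.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the SDK client so the example runs offline.
// Assumption: the real exchange compares its username argument with the
// preferred_username claim of the ID token Duo returns.
final class FakeDuoClient
{
    public function __construct(private string $authenticatedUser) {}

    public function exchangeAuthorizationCodeFor2FAResult(string $duoCode, string $username): array
    {
        if ($duoCode === '') {
            throw new RuntimeException('Missing authorization code');
        }
        if (!hash_equals($this->authenticatedUser, $username)) {
            throw new RuntimeException('The username is invalid');
        }
        return ['preferred_username' => $this->authenticatedUser, 'result' => 'allow'];
    }
}

// Hypothetical callback handler: the application checks state itself and
// passes the username it saved before the redirect to the exchange call.
function handleDuoCallback(FakeDuoClient $duo, array $session, array $query): string
{
    $savedState = $session['duo_state'] ?? '';
    $savedUser  = $session['duo_username'] ?? '';
    if ($savedState === '' || !hash_equals($savedState, (string)($query['state'] ?? ''))) {
        return 'denied: state mismatch';
    }
    try {
        $token = $duo->exchangeAuthorizationCodeFor2FAResult((string)($query['duo_code'] ?? ''), $savedUser);
    } catch (RuntimeException $e) {
        return 'denied: ' . $e->getMessage();
    }
    return 'granted: ' . $token['preferred_username'];
}

// Constructed sample values.
$duo     = new FakeDuoClient('exampleuser');
$session = ['duo_state' => 'c0ffee5tate', 'duo_username' => 'exampleuser'];
$query   = ['state' => 'c0ffee5tate', 'duo_code' => 'constructed-code'];

echo handleDuoCallback($duo, $session, $query), PHP_EOL;                         // username in the second slot
echo handleDuoCallback($duo, ['duo_username' => $session['duo_state']] + $session, $query), PHP_EOL; // state value in the second slot
echo handleDuoCallback($duo, $session, ['state' => 'other'] + $query), PHP_EOL;  // stale or mismatched state
```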
