
Group Based Role Mapping with Duo SSO and Ivanti

bchaborek
Level 1

I followed this guide to configure Duo Single Sign-On for Ivanti Connect Secure

Our Duo-SSO is connected to Azure AD.

Everything is working according to the guide, but the guide falls short in the role mapping section under the Create New User Realm section.

I need to create multiple role mappings using AD groups, as this is how we have our current LDAP Ivanti/Duo configuration. However, the guide only mentions setting Username to * and mapping to one role.

Is there any documentation on utilizing Active Directory groups for role mapping with Ivanti and Duo-SSO?

1 Reply 1

lewitt
Level 1

I hope this helps some people out there. I was struggling with group mapping using the Preconfigured Ivanti-Duo SSO Application. On our Ivanti appliance, we were using the same mapping as the LDAP setup. However, after connecting using SSO, it would always fail with the following message:

"Login failed for 'Primary' authentication using the auth server "XXXXX" ('SAML Server'). Reason: 'No rules found matching the user. User cannot be assigned to any user groups'"

Turns out, the preconfigured application for Ivanti SSO in Duo defaults to sending the username as the Mail Attribute to the Ivanti appliance, i.e. xxxx@xxxx.com. Ivanti is looking for the actual username, so it was checking AD for username xxxx@xxxx.com instead of the Windows login name xxxx.

You may be able to force it to send just the username in the SAML response utilizing the preconfigured Ivanti SSO application by selecting the "Custom Attributes" option under the Service Provider section and mapping the Mail Attribute to the <username> attribute, but I have not tested this.

We have it working as expected by building the application using the Generic SAML Service SSO Application. There is a section in the Generic Setup where you can map Roles to pass to the Service Provider SAML Response which may work for you, but I have not tested this either. As stated before, the user Roles/Groups are already mapped in the Ivanti User Realm.

One thing to note is that the Generic Setup initially failed for us because it also defaults to passing the email address as the NameID attribute in the SAML Response.  I had to set the NameID Attribute to <username> and things worked flawlessly!

Hope this helps!
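The failure described in the reply above (NameID carrying the e-mail address, so the realm's directory lookup and group-based role rules never match) can be reproduced and checked before touching the appliance by inspecting what the IdP actually puts in the assertion. The script below is an added example, not code from the thread or from Duo or Ivanti: the SAML Response is a constructed, unsigned sample, and the `DIRECTORY` contents, `ROLE_RULES` and the lookup-by-login-name behaviour are assumptions that model the reply's description rather than Ivanti's real implementation.

```python
"""Inspect a SAML Response's NameID and attributes and evaluate assumed
group-based role-mapping rules against a stand-in directory.

Added example; the XML, directory and rules are constructed assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the AD directory the realm's auth server queries,
# keyed by the Windows login name (sAMAccountName). Assumed data.
DIRECTORY = {
    "jdoe":   {"mail": "jdoe@example.com",   "memberOf": ["VPN-Admins", "VPN-Users"]},
    "asmith": {"mail": "asmith@example.com", "memberOf": ["VPN-Users"]},
}

# Assumed realm role-mapping rules: (AD group, role), evaluated in order.
ROLE_RULES = [("VPN-Admins", "Admin Role"), ("VPN-Users", "User Role")]


def build_response(name_id, mail):
    """Build a minimal, unsigned SAML Response (constructed sample only)."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
        "<saml:Assertion><saml:Subject>"
        f"<saml:NameID>{name_id}</saml:NameID>"
        "</saml:Subject><saml:AttributeStatement>"
        f'<saml:Attribute Name="mail"><saml:AttributeValue>{mail}'
        "</saml:AttributeValue></saml:Attribute>"
        "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )


def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML Response.
    A real SP verifies the assertion signature before trusting any of this."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def assign_roles(name_id):
    """Model of the realm's group-based role mapping (assumption): the NameID
    is used as the login name for the directory lookup, and each rule whose
    group the user belongs to contributes a role. None means the lookup
    failed, which is what surfaces as 'No rules found matching the user'."""
    user = DIRECTORY.get(name_id)
    if user is None:
        return None
    return [role for group, role in ROLE_RULES if group in user["memberOf"]]


def diagnose(xml_text):
    """Troubleshooting helper: explain why a response does or does not map."""
    name_id, _attrs = parse_assertion(xml_text)
    roles = assign_roles(name_id)
    if roles is not None:
        return f"NameID '{name_id}' resolved; roles: {roles}"
    if "@" in name_id:
        return (f"NameID '{name_id}' looks like the mail attribute, not a login name; "
                "set the IdP's NameID attribute to <username>")
    return f"NameID '{name_id}' not found in the directory"


if __name__ == "__main__":
    # Default behaviour described in the thread: NameID carries the e-mail.
    print(diagnose(build_response("jdoe@example.com", "jdoe@example.com")))
    # After switching NameID to <username>: lookup and group rules succeed.
    print(diagnose(build_response("jdoe", "jdoe@example.com")))
```

Run it against a captured (and already signature-validated) SAML Response from your own IdP by passing that XML to `diagnose` instead of the constructed sample; if the NameID comes back as an address, the fix is on the Duo side (NameID attribute set to `<username>`), not in the realm's role-mapping rules.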
