12-16-2022 06:29 PM
Added Duo to AD FS today. Switched an application’s access control to “Permit and Require MFA” and Duo is doing its job nicely. The application was Kasm Workspaces.
Trying to do the same with vSphere did not work as nicely. vSphere takes me to the federation page, which takes me to Duo’s Universal Prompt, but then it goes back to the federation page with the error:
Error details: MSIS7065: There are no registered protocol handlers on path /adfs/oauth2/authorize/ to process the incoming request.
Switching the access control back to not require MFA returns it to working order, just without Duo.
Thoughts?
12-16-2022 07:52 PM
Hi @charlespick,
It looks like vSphere uses OIDC and not SAML for federation. The Duo for AD FS module does not currently support OIDC. Please feel free to share this and any future Feature Request with your Duo Account Executive, Customer Success Manager (if applicable), or our Support Team.
Hope this helps!
12-16-2022 08:45 PM
Was this removed? Is it coming back? It appears as if this used to be possible before the connector was updated to support the universal prompt. TAM Lab 113 - Part 2 - Configure DUO for MFA - YouTube
12-16-2022 09:24 PM
@DuoPablo I also found this.
12-16-2022 10:51 PM
As of version 2.0.0, the Duo for AD FS module supports the Universal Prompt, which itself is a frameless login experience, derived from OIDC standards. Adding the Universal Prompt did not also make the AD FS module capable of authenticating other OIDC applications via AD FS. The Universal Prompt makes it possible for AD FS to support true OIDC redirects in the future - when a new version is perhaps released with this capability.
OIDC appeared to work in version 1.2.0.17, per the VMware link you provided, but was never (and has not yet been) officially supported to work by Duo.