01-31-2023 07:49 AM
We had our vCenter 7.03 environment using Microsoft ADFS for authentication, which has Duo for MFA. The ADFS servers were using the Duo AD FS Adapter version 1.2. We recently upgraded the adapter to version 2 for Universal Prompt support. Apparently version 2 broke something in the ADFS page /.well-known/openid-configuration that's needed for vCenter.
I then read about and set up Duo SSO and Generic OIDC for vCenter to attempt to use. I followed the same VMware KB article, attempting to have Duo SSO/OIDC map the same attributes that ADFS would use. Our Duo Proxy Servers are connected to our Active Directory servers, not ADFS. In the Duo OIDC application page, I have the openid scope enabled, and manually created a new scope called ‘allatclaims’, and manually mapped these values trying to mimic the ADFS document:
Token-Groups - Qualified by Long Domain Name → Group
User-Principal-Name → Name ID
User-Principal-Name → UPN
Here is the VMware KB I've used to set up ADFS:
https://kb.vmware.com/s/article/78029
What happens is, I log into the vCenter web interface, I enter my username, I get redirected to Duo SSO, enter username, password, MFA and get redirected back to the vCenter UI page with a "[400] Unable to authenticate." error message.
vCenter logs show a message of "Csp responded with status 400 BAD_REQUEST and body {“error_title”: “invalid_request”, “error_message”: “Request was malformed”}".
The error of Request was malformed leads me to think that maybe we’re not mapping the correct values in the OIDC webpage.
Are there plans to either fix the ADFS Duo 2.0 Adapter or support vCenter using OIDC? Otherwise I'll likely have to revert the Universal Prompt on ADFS Adapter 2.0 and use 1.2.
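When a relying party rejects a login with "Request was malformed" after an IdP change, two things are worth checking offline before touching claim mappings: that the provider's discovery document still carries the fields an OIDC relying party needs, and that the ID token actually contains the claim names the mapping is supposed to produce. The following is an added troubleshooting example, not code from the thread, Duo or VMware; the claim names `sub`, `upn` and `groups`, the sample discovery document and the sample token are all constructed assumptions.

```python
import base64
import json

# Claim names assumed to correspond to the poster's mapping
# (Name ID -> sub, UPN -> upn, Token-Groups -> groups). Constructed assumption.
EXPECTED_CLAIMS = {"sub", "upn", "groups"}

# Metadata fields the OpenID Connect Discovery spec marks REQUIRED for a
# provider supporting the authorization code flow.
REQUIRED_DISCOVERY_KEYS = {
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
}


def missing_discovery_keys(doc: dict) -> set:
    """Return the REQUIRED discovery fields absent from a parsed document."""
    return REQUIRED_DISCOVERY_KEYS - set(doc)


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT for claim inspection only.
    The signature is NOT verified here, so never use this for an auth decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with 3 dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_claims(payload: dict) -> set:
    """Return the expected claim names that the ID token payload lacks."""
    return EXPECTED_CLAIMS - set(payload)


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample data (not captured from a real tenant).
SAMPLE_DISCOVERY = {k: "https://idp.example.test/" + k for k in REQUIRED_DISCOVERY_KEYS}
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "example"}),
    _b64url({"iss": "https://idp.example.test", "sub": "jdoe@example.test",
             "upn": "jdoe@example.test", "groups": ["EXAMPLE\\vCenter-Admins"]}),
    "c2lnbmF0dXJl",  # placeholder signature, constructed
])

if __name__ == "__main__":
    print("discovery missing:", missing_discovery_keys(SAMPLE_DISCOVERY))
    print("claims missing:", missing_claims(decode_jwt_payload(SAMPLE_TOKEN)))
```

Point `SAMPLE_DISCOVERY` at the JSON fetched from the provider's /.well-known/openid-configuration and `SAMPLE_TOKEN` at an ID token captured from a browser dev-tools trace to see which side of the exchange is incomplete.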
01-31-2023 12:33 PM
Per our documentation, “The Duo AD FS module supports relying parties that use Microsoft’s WS-Federation protocol, like Office 365, as well as SAML 2.0 federated logons for cloud apps like Google G Suite and salesforce.com.” This does not include AD FS application groups.
While the prior version of the Duo plugin may have worked this way in your vCenter config, we did not officially test for nor state support for application groups in that version either.
We are evaluating AD FS application group (OIDC relying party) support now. You can contact Duo Support to be added to the feature request for OIDC application support with the Duo AD FS plugin.
For now your best bet is to roll back to the prior version of the Duo plugin.
02-02-2023 04:44 AM
We’ve updated our AD FS documentation to be clearer about what types of applications are and aren’t supported today.