
Duo SSO and Webex - SLO problem

Hermozol
Level 1

Hello.

I have been hit with the problem of integrating SSO Duo with Webex. Duo's default metadata file does not have an SLO, so when the user selects for the browser to remember it, a Webex SLO error page loads during logout.
Not being able to add SLOs as instructed in (https://help.duo.com/s/article/6802?language=en_US) results in a metadata file that cannot be applied in Webex (error).
I have a feeling that TAC is selling me on this problem because already the second engineer is pretending to work.
Have any of you had this problem?

Regards
Hermozol

Accepted Solution

Hermozol
Level 1

Hello
Case resolved. The original metadata file from Duo (with ?slo=true) has <md:SingleLogoutService> at the bottom of the <md:KeyDescriptor use="signing"> section in the XML file. When I move it up beyond <md:NameIDFormat> it starts to work.
I don't know how SAML defines the position of each key in XML, but for Webex it works.

[Image: Hermozol_0-1732869948221.png]

Regards
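
The fix above matches the SAML 2.0 metadata schema, which fixes the order of the children of `md:IDPSSODescriptor`: `SingleLogoutService` comes after `KeyDescriptor` and before `NameIDFormat`, which in turn precedes `SingleSignOnService`. The following check-and-reorder script is an added example, not part of the original posts and not Duo or Webex code; the function names and the sample metadata (placeholder hostnames) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
# Child order fixed by the xs:sequence definitions of RoleDescriptorType,
# SSODescriptorType and IDPSSODescriptorType in saml-schema-metadata-2.0.xsd.
IDP_ORDER = [f"{{{DS}}}Signature"] + [f"{{{MD}}}{n}" for n in (
    "Extensions", "KeyDescriptor", "Organization", "ContactPerson",
    "ArtifactResolutionService", "SingleLogoutService", "ManageNameIDService",
    "NameIDFormat", "SingleSignOnService", "NameIDMappingService",
    "AssertionIDRequestService", "AttributeProfile")]

def _rank(el):
    # Anything not listed (e.g. saml:Attribute, which the schema puts last) sorts to the end.
    return IDP_ORDER.index(el.tag) if el.tag in IDP_ORDER else len(IDP_ORDER)

def _idp(root):
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor in metadata")
    return idp

def misplaced(xml_text):
    """Local names of children that follow a sibling the schema places after them."""
    bad, highest = [], 0
    for child in _idp(ET.fromstring(xml_text)):
        if _rank(child) < highest:
            bad.append(child.tag.rpartition("}")[2])
        highest = max(highest, _rank(child))
    return bad

def reorder(xml_text):
    """Return the metadata with IDPSSODescriptor children in schema order.
    Moving elements invalidates a ds:Signature, if the metadata is signed."""
    root = ET.fromstring(xml_text)
    idp = _idp(root)
    idp[:] = sorted(idp, key=_rank)  # stable: same-named siblings keep their order
    return ET.tostring(root, encoding="unicode")

# Constructed sample: placeholder hostnames, key material omitted.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.invalid/meta">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"/>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.invalid/sso"/>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.invalid/slo"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
if __name__ == "__main__":
    print(misplaced(SAMPLE), "->", misplaced(reorder(SAMPLE)))
```
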



5 Replies

DuoKristina
Cisco Employee

Did you contact Duo Support to open your case, or when you say "TAC" do you mean another Cisco support avenue that is not Duo Support? Your most direct path to Duo experts is to open a case about this with Duo Support directly. I am not sure what TAC knows about Duo or how long it might take for them to transfer a case over to Duo Support teams.

I wonder if editing the downloaded metadata.xml file to add the SLO endpoint and then uploading it to Webex would help.

Adding two lines like this after the `SingleSignOnService` URL:

```xml
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso-abcd1234.sso.duosecurity.com/saml2/sp/DIXXXXXXXXXXXXXXXXXX/metadata?slo=true" />
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso-abcd1234.sso.duosecurity.com/saml2/sp/DIXXXXXXXXXXXXXXXXXX/metadata?slo=true" />
```

So you wind up with something like this:
[Image: DuoKristina_0-1732721915204.png]

This is a total guess. I don't have a Webex instance to test it. If you decide to try and that doesn't work, definitely I'd recommend contacting Duo Support if that's not where your current support case is already.

 

Duo, not DUO.

DuoKristina
Cisco Employee

So, I asked some of my colleagues and received clarification that the SLO endpoint referenced in that KB article exists just to let customers get past an SLO URL requirement to complete SAML configuration, but it does not actually function as true SLO.

If you do contact Duo Support they can add you to the feature request for true SLO support.

Duo, not DUO.

@DuoKristina thanks a lot.
I will try to contact Duo Support.
Regards

Hermozol
Level 1

I think I found the problem. The Webex XML interpreter does not accept the Duo metadata, with error:
"Invalid or unsupported attribute name metadataXml: Unexpected element {urn:oasis:names:tc:SAML:2.0:metadata}:SingleLogoutService"
