Okta Identity Engine | Integrations | Answered | 2024-02-26 | 2023-05-11 | 2023-05-13

RajK.51787 (American Automobile Association) asked a question.

Configure DUO as an external IDP to Okta through OIDC

I am working on setting up an external IDP for a group of users. These users are from an external org, and they use DUO as their IDP and MFA.

Is OIDC recommended, or should we use SAML 2.0 for the integration with DUO? DUO's documentation seems to prefer OIDC over SAML 2.0, and the team from the external org seems to prefer OIDC over SAML as well. They are insisting on setting it up for factor only, but I think it should be SSO, as authentication and MFA happen for those users at their end.

I actually set it up using OIDC with the SSO option in our preview tenant, but I am unable to test it successfully; JIT does not seem to be working. Nothing is being logged in the event log.

I do have routing rules set up to redirect the users based on their domain, and I also have Global session policies and authentication policies to skip any Okta-specific session validation or MFA for any users from that org.

It is possible that I have incorrectly configured Authorize URL and Redirect URL.

If anyone has experience in this type of setup (DUO as external IDP through OIDC connection), please share your guidance, experience and any challenges you might have faced.


  • NiallM.34104 (Atlas Identity)

    It should not matter that it is DUO. If they support acting as an IdP (they do), then it's a custom OIDC setup in Okta. You can use either, but I tend to defer to OIDC now.


    What error are you seeing? I've been setting up a lot of IdPs on Okta, so I should be able to advise if you can provide more details.


    So, two use cases: new user and existing user. Test with an existing user first, as then you don't need to handle JIT.


    User lands at the Okta login page. Routing rule sends them to DUO. They successfully authenticate at DUO and then... what do you see?


    If the endpoints for the IdP are incorrect, you'll see that in a) logs and b) where you are redirected to.


    So take it step by step. Are you being redirected to DUO successfully?

  • RajK.51787 (American Automobile Association)

    Hi Niall, thanks for the response. As I proceeded with the OIDC connection to DUO, I was able to get past the previous errors. But I am getting this error now:

    The UserInfo response from the Identity Provider is invalid.

    I am trying to make sure the profile scope is defined at the IDP.

    I am also seeing this error. I thought the nonce could be of any value. Is there a specific format?

    com.saasure.platform.services.idp.IdpAuthException$InvalidTokenException: com.saasure.platform.services.idp.exception.IdpAuthenticationException: Nonce is invalid in id_token

  • NiallM.34104 (Atlas Identity)

    The UserInfo endpoint is optional. I've never had to configure it, as the claims in the id_token received have been the information needed to create the Okta profile. Have you tried leaving it out?
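The two errors in this thread (an invalid UserInfo response and "Nonce is invalid in id_token") both come down to what a relying party must check on the id_token before it trusts the claims. The following is an added example written for this thread, not Okta's or Duo's code: it simulates the IdP in-process, issues an id_token with profile claims, and shows the relying-party checks (signature, iss, aud, exp, nonce) plus building a JIT profile from id_token claims alone, without a UserInfo call. The issuer, client_id, shared secret and user claims are constructed placeholders, and the token is HS256-signed so the example runs offline; real IdPs normally sign with RS256 and publish keys through a JWKS endpoint, so the signature step would differ in production.

```python
"""Minimal OIDC relying-party id_token validation (added example, constructed).

Not Okta's or Duo's code. The IdP is simulated in-process with an HS256 JWT;
ISSUER, CLIENT_ID, SHARED_SECRET and the user claims are placeholders.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SHARED_SECRET = b"constructed-demo-secret"  # placeholder, not a real key
ISSUER = "https://idp.example.test"          # constructed issuer URL
CLIENT_ID = "okta-demo-client"               # constructed client_id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_authorize_request() -> dict:
    """RP side: mint state and nonce and keep them in the (simulated) session.

    The nonce has no required format; it is opaque random data, and the only
    rule is that the id_token must echo exactly the value the RP sent.
    """
    return {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}


def simulated_idp_id_token(nonce: str, sub="u123", email="user@example.test",
                           name="Demo User", lifetime=300) -> str:
    """IdP side (simulated): issue an HS256 id_token carrying profile claims."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "iat": now,
               "exp": now + lifetime, "nonce": nonce, "email": email, "name": name}
    signing_input = (f"{_b64url(json.dumps(header).encode())}."
                     f"{_b64url(json.dumps(payload).encode())}")
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_id_token(id_token: str, session: dict) -> dict:
    """RP side: verify the signature and the claims every RP must check.

    Raises ValueError with a short reason on failure; returns the claims.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("unable to read token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    # This is the check behind Okta's "Nonce is invalid in id_token" message:
    # the IdP must return the nonce from the authorize request unchanged.
    if not hmac.compare_digest(str(claims.get("nonce", "")), session["nonce"]):
        raise ValueError("nonce is invalid in id_token")
    return claims


def profile_from_claims(claims: dict) -> dict:
    """Build the minimal JIT profile from id_token claims alone (no UserInfo)."""
    missing = [c for c in ("sub", "email") if c not in claims]
    if missing:
        raise ValueError(f"id_token lacks claims needed for JIT: {missing}")
    return {"externalId": claims["sub"], "login": claims["email"],
            "displayName": claims.get("name", claims["email"])}


def run_flow(idp_nonce_override=None) -> dict:
    """Full round trip; idp_nonce_override simulates an IdP that does not echo
    the RP's nonce, which is the failure mode reported in the thread."""
    session = start_authorize_request()
    token = simulated_idp_id_token(idp_nonce_override or session["nonce"])
    try:
        profile = profile_from_claims(validate_id_token(token, session))
    except ValueError as err:
        return {"ok": False, "error": str(err)}
    return {"ok": True, "profile": profile}


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(idp_nonce_override="stale-nonce"))
```

Running the module prints a successful profile for the normal flow and the nonce error for the mismatched one. The practical takeaway for a setup like the one in the thread is that a nonce failure points at the IdP side (it is returning a different or missing nonce claim), not at the nonce's format, and that profile claims in the id_token are enough for JIT as long as the requested scopes cause the IdP to include them.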

  • RajK.51787 (American Automobile Association)

    Leaving the UserInfo endpoint blank didn't help either. I think it is related to some missing setting on the IDP side. I kept receiving an error about not being able to read the token, and also the same invalid nonce error.


    The IDP-side admin team is not openly sharing the information. So, we ended up switching to a SAML 2.0-based setup. All worked fine with no issues.

  • NiallM.34104 (Atlas Identity)

    Good news. SAML works just as well. If that's the easy route, then that's the best route.

This question is closed.