Timshel / vaultwarden

Fork from dani-garcia/vaultwarden to add OpenID support.
GNU Affero General Public License v3.0

Issues with asking for 2fa after SSO if user previously enabled 2fa #3

Closed LightningManGTS closed 10 months ago

LightningManGTS commented 11 months ago

Good Afternoon,

I have your branch deployed and am testing it with DUO. Right now I am stuck with the following error in the console when looking at the page in developer mode.

I'm assuming there is an issue with my attribute mappings since it says the token doesn't contain an email.

I pulled this branch about 2 hours ago.

On that note, I can get more in-depth information regarding the environment later. For now, know that I deployed this to an LXC using TTeck's script and replacing the GitHub repos with yours instead of the main branch. Everything shows up fine and Vaultwarden is stable otherwise, so I'm fairly certain this is more to do with attribute mapping than anything else. I looked to see where you may have had the attributes posted but I did not see where.

LightningManGTS commented 11 months ago

Never mind, I figured it out. (mail and email address are the same in my environment, but that's fine)

The only other thing of note is that signing in with SSO is then taking me through the normal 2FA step, which, as you can probably imagine, is DUO.

Logging in as the user and disabling the DUO 2step method then works but can cause problems if not addressed.

Timshel commented 11 months ago

Hey, I tested some 2FA with SSO activated but not all solutions. Just had a look at DUO and even the free trial creation is asking for a phone number so won't be able to test it.

Can you clarify the issue with DUO 2FA? Do you have the server-side error when it fails?

LightningManGTS commented 11 months ago

It appears that after SSO, when it goes to access the traditional prompt iframe, it errors. Likely some information is not being transmitted from the authentication attempt when using SSO compared to logging in normally. That information could be related to the master password step, since in SSO it asks for the master password after the 2FA step and not before it like a normal login (and may not be decrypting the data necessary to complete DUO? This last bit is spitballing).

Edit: Before testing it again this morning I did download and "install" the latest changes to the repository.

Timshel commented 10 months ago

Hey, managed to set up a DUO account to test it using an Android device and the Duo Mobile app. After an SSO login the 2FA prompt is triggered but validation fails, while it works when using only the master password. Will try to fix it :)

Timshel commented 10 months ago

Just pushed a fix for the DUO 2FA; it was relying on an optional field to find the user email.

But I'm unsure whether you had a different issue as well. Still, can you test with the latest?
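The failure mode described in this comment, as an added illustration (not vaultwarden's own code): a 2FA step that takes the user's email from an optional token claim works for password logins but fails for SSO sessions where that claim is absent, while resolving the email from the user record by the always-present user id works for both flows. All type and function names, and the sample user record, are hypothetical and constructed for this example.

```rust
// Added example, not code from the vaultwarden fork. Types, names and the
// sample record below are hypothetical.
use std::collections::HashMap;

/// Constructed sample user id, not real data.
pub const SAMPLE_UUID: &str = "11111111-2222-3333-4444-555555555555";
/// Constructed sample email, not real data.
pub const SAMPLE_EMAIL: &str = "user@example.com";

/// Claims carried by an authenticated session token (hypothetical shape).
#[derive(Debug, Clone)]
pub struct TokenClaims {
    /// Stable user id; present for every login flow.
    pub user_uuid: String,
    /// Email claim; present after a password login, absent after SSO in the
    /// scenario the thread describes.
    pub email: Option<String>,
}

/// Minimal in-memory stand-in for the user table.
pub struct UserStore {
    users: HashMap<String, String>, // uuid -> email
}

impl UserStore {
    pub fn new() -> Self {
        let mut users = HashMap::new();
        users.insert(SAMPLE_UUID.to_string(), SAMPLE_EMAIL.to_string());
        UserStore { users }
    }

    pub fn email_by_uuid(&self, uuid: &str) -> Option<&str> {
        self.users.get(uuid).map(String::as_str)
    }
}

#[derive(Debug, PartialEq)]
pub enum TwoFactorError {
    MissingEmail,
    UnknownUser,
}

/// Fragile variant: trusts the optional claim, so an SSO session with no
/// email claim cannot start the DUO prompt.
pub fn duo_email_from_claim(claims: &TokenClaims) -> Result<String, TwoFactorError> {
    claims.email.clone().ok_or(TwoFactorError::MissingEmail)
}

/// Robust variant: identify the user by the required uuid and read the email
/// from the user record, so the 2FA step does not depend on which login flow
/// produced the token.
pub fn duo_email_from_user(
    claims: &TokenClaims,
    store: &UserStore,
) -> Result<String, TwoFactorError> {
    store
        .email_by_uuid(&claims.user_uuid)
        .map(str::to_string)
        .ok_or(TwoFactorError::UnknownUser)
}

fn main() {
    let store = UserStore::new();
    // Token as an SSO login would produce it: no email claim.
    let sso = TokenClaims { user_uuid: SAMPLE_UUID.to_string(), email: None };
    println!("from claim: {:?}", duo_email_from_claim(&sso));
    println!("from user record: {:?}", duo_email_from_user(&sso, &store));
}
```

The point of the second function is that the lookup key is something every authenticated session carries, so the same code path serves password and SSO logins; an unknown uuid is still rejected rather than silently defaulting.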

LightningManGTS commented 10 months ago

Getting the same thing, but it's at least attempting to go through 2FA first. I tested both with and without remembered devices.

I updated at 12:30pm my time, so it should have pulled the latest changes.

LightningManGTS commented 10 months ago

Good news!

I updated my instance just now and tried the traditional DUO 2-factor prompt when going through SSO, and it is now working. I tested both with and without the Remembered Devices policy being enabled. I do believe this is resolved.