How to configure Duo for 2FA along with Google SSO?

Hi,

I have Google SSO (the Google Apps option) configured & working correctly. I am now trying to introduce Duo for 2FA, i.e. switch to the Google Apps + Duo Security option.

The docs here seem to cover the case where Duo is the SSO provider, which is not what I want.

How should I configure Duo to be able to use it together with Google SSO? What kind of application should I choose on the Duo admin panel?

Thanks in advance.

Hello,
In the Duo Admin panel, you should use the OpenVPN application.
I’m also trying to use Google Apps + Duo, but I have trouble when I enable Duo: all users can’t reconnect (I enabled a bypass in Duo, also for unenrolled users; no logs in Duo). When I try to download the profile, I pass the IdP, but afterwards I get “Server error occured” with the Pritunl and Duo logos.
Here is a part of the logs:
[ancient-forest-6128][2023-05-12 15:59:58,848][ERROR] Invalid Duo username
username = "********"
data = {"code": 40002, "message": "Invalid request parameters", "message_detail": "username", "stat": "FAIL"}

I tried with JumpCloud + Duo, same error.
If I configure SAML (with Duo as IdP) + Duo, it works perfectly.
I already talked with Duo Support, and for us it is an error on the Pritunl side.
I just updated the Pritunl server from 1.30 to 1.32.3504, but same trouble.

Thank you for your help in advance for each of us :wink:

The Duo single sign-on documentation is still relevant for the other modes; it just needs the API hostname and key in addition to the Google settings. The invalid Duo username error indicates Duo couldn’t find the Google username provided by the Pritunl server. The username normalization option in the Duo settings will allow matching when the usernames contain domains on only one of the authentication providers.

Thanks @zach, I can confirm it’s working :slight_smile:

@zach What doesn’t seem to work though is the phone callback. Push works, but phone callback results in a server error:

[thawing-thunder-2560][2023-05-29 08:26:23,229][ERROR] Exception on /key/duo [POST]
Traceback (most recent call last):
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 2528, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 1825, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/auth/app.py", line 26, in _wrapped
    return call(*args, **kwargs)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/handlers/key.py", line 2942, in key_duo_post
    valid = duo_auth.authenticate()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/duo.py", line 61, in authenticate
    self._auth(factor)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/duo.py", line 120, in _auth
    self._auth('phone')
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/duo.py", line 127, in _auth
    raise InvalidUser('Invalid username')
pritunl.exceptions.InvalidUser: Invalid username
[thawing-thunder-2560][2023-05-29 08:26:23,229][ERROR] Invalid Duo username
  username = "username@company.com"
  data     = {"code": 40002, "message": "Invalid request parameters", "message_detail": "The phone factor is not supported on this account. Please contact Duo Support for more information.", "stat": "FAIL"}
Traceback (most recent call last):
  File "/usr/lib/pritunl/usr/lib/python3.9/threading.py", line 937, in _bootstrap
    self._bootstrap_inner()
  File "/usr/lib/pritunl/usr/lib/python3.9/threading.py", line 980, in _bootstrap_inner
    self.run()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/cheroot/workers/threadpool.py", line 120, in run
    keep_conn_open = conn.communicate()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/cheroot/server.py", line 1287, in communicate
    req.respond()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/cheroot/server.py", line 1077, in respond
    self.server.gateway(self).respond()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/cheroot/wsgi.py", line 134, in respond
    response = self.req.server.wsgi_app(self.env, self.start_response)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 2551, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 2528, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/auth/app.py", line 26, in _wrapped
    return call(*args, **kwargs)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/handlers/key.py", line 2942, in key_duo_post
    valid = duo_auth.authenticate()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/duo.py", line 61, in authenticate
    self._auth(factor)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/duo.py", line 120, in _auth
    self._auth('phone')
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/duo.py", line 122, in _auth
    logger.error('Invalid Duo username',
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/logger/__init__.py", line 55, in error
    kwargs['traceback'] = traceback.format_stack()

I don’t understand if this is an issue on the Duo side, so I’ve opened a support ticket with them too.
However, if you know what the root cause is, please let me know.

Suggestion for improvement: I think that the exception handling in this part of the code could be improved, as it raises InvalidUser('Invalid username') while it seems that the Duo error is unrelated: The phone factor is not supported on this account.


EDIT: Nevermind, it was a Duo policy configuration issue. It’s working now. Nevertheless, my suggestion for the error handling still applies :slight_smile:
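Added example, not Pritunl’s code and not from anyone in this thread: a small Python module illustrating two points raised above, the username normalization Zach mentions (a Google identity such as user@company.com versus a Duo user named user) and the error-handling suggestion in the last post (a Duo 40002 error whose message_detail is the literal "username" is an unknown user, while a 40002 about an unsupported factor is a policy or configuration problem and should not be reported as an invalid username). The two FAIL response bodies are copied from the log lines in this thread; the OK response shape follows the Duo Auth API /auth format. The function names, the DuoOutcome categories and the rule that only message_detail == "username" means an unknown user are my assumptions about how such handling could look, not a description of what pritunl/sso/duo.py actually does.

```python
import json
from dataclasses import dataclass
from enum import Enum


class DuoOutcome(Enum):
    """Hypothetical outcome categories (assumption, not Pritunl's own)."""
    ALLOW = "allow"
    DENY = "deny"
    INVALID_USER = "invalid_user"        # Duo does not know this username
    FACTOR_UNSUPPORTED = "factor_unsupported"  # user exists, factor blocked by policy
    API_ERROR = "api_error"              # anything else: surface, do not guess


@dataclass
class DuoResult:
    outcome: DuoOutcome
    detail: str


def normalize_username(username: str, strip_domain: bool = True) -> str:
    """Lower-case and optionally drop the '@domain' suffix so that the SSO
    identity 'User@Company.com' can match a Duo user enrolled as 'user'.
    Mirrors what Duo's username normalization setting is for; the exact
    rules Duo applies are not reproduced here (assumption)."""
    name = username.strip().lower()
    if strip_domain and "@" in name:
        name = name.split("@", 1)[0]
    return name


def classify_duo_response(body: str) -> DuoResult:
    """Classify a Duo Auth API /auth response body.

    Only a 40002 error whose message_detail is exactly 'username' is treated
    as an unknown user. A 40002 whose detail says a factor is not supported
    is reported as FACTOR_UNSUPPORTED so an operator sees a policy problem
    instead of a misleading 'Invalid username'."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return DuoResult(DuoOutcome.API_ERROR, f"unparseable response: {exc}")

    if data.get("stat") == "OK":
        response = data.get("response", {})
        status_msg = str(response.get("status_msg", ""))
        if response.get("result") == "allow":
            return DuoResult(DuoOutcome.ALLOW, status_msg)
        return DuoResult(DuoOutcome.DENY, status_msg)

    code = data.get("code")
    detail = str(data.get("message_detail", ""))
    if code == 40002 and detail == "username":
        return DuoResult(DuoOutcome.INVALID_USER, detail)
    if code == 40002 and "not supported" in detail.lower():
        return DuoResult(DuoOutcome.FACTOR_UNSUPPORTED, detail)
    return DuoResult(DuoOutcome.API_ERROR,
                     f"{code}: {data.get('message')} ({detail})")


# Constructed sample bodies. The two FAIL bodies are the ones logged in this
# thread; the OK body follows the documented Duo /auth response shape.
SAMPLE_ALLOW = json.dumps({"stat": "OK", "response": {
    "result": "allow", "status": "allow",
    "status_msg": "Success. Logging you in..."}})
SAMPLE_UNKNOWN_USER = ('{"code": 40002, "message": "Invalid request parameters", '
                       '"message_detail": "username", "stat": "FAIL"}')
SAMPLE_PHONE_UNSUPPORTED = (
    '{"code": 40002, "message": "Invalid request parameters", '
    '"message_detail": "The phone factor is not supported on this account. '
    'Please contact Duo Support for more information.", "stat": "FAIL"}')


if __name__ == "__main__":
    print(normalize_username("User@Company.com"))  # user
    for body in (SAMPLE_ALLOW, SAMPLE_UNKNOWN_USER, SAMPLE_PHONE_UNSUPPORTED):
        result = classify_duo_response(body)
        print(result.outcome.value, "->", result.detail)
```

Run as a script it prints the normalized name and one classified line per sample body; the point of the split into INVALID_USER versus FACTOR_UNSUPPORTED is that the log line an operator sees for the phone callback case names the real cause (a factor blocked by Duo policy, which is what the last post turned out to be) rather than a username lookup failure.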