Frequently Asked Questions (FAQ)
Common Questions
Before you start, make sure you have the details the vendor (or your own application) needs for the SSO connection.
Gather the service provider's metadata details: its EntityID, its Assertion Consumer Service (ACS) URL(s), and its certificate. Once you have those details, you can make the connection by registering the service provider using our self-service page.
You can find Duke's metadata details here: https://shib.oit.duke.edu/duke-metadata-3-signed.xml
EntityID: https://shib.oit.duke.edu/shibboleth-idp
Certificate: our signing certificate is in the metadata file above.
Sign-on URL: taken from our metadata file. The login URLs and their corresponding SAML bindings are:
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST: https://shib.oit.duke.edu/idp/profile/SAML2/POST/SSO
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect: https://shib.oit.duke.edu/idp/profile/SAML2/Redirect/SSO
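Rather than copying these values by hand, you can pull them out of the IdP metadata file. The following script is an added example, not part of this FAQ and not Duke's tooling: it parses an IdP EntityDescriptor, returns the entityID, the SingleSignOnService endpoints keyed by binding, and the X509 certificates, and re-wraps a certificate as PEM for pasting into a vendor's configuration. SAMPLE_IDP_METADATA is a constructed, trimmed-down stand-in for the real signed file at https://shib.oit.duke.edu/duke-metadata-3-signed.xml; the entityID and endpoint URLs match the ones listed above, but the certificate is a placeholder, not Duke's key.

```python
"""Pull the SSO connection details out of an IdP metadata file.

Added example, not Duke's tooling. SAMPLE_IDP_METADATA is constructed:
the entityID and SingleSignOnService endpoints are the ones the FAQ lists,
but the certificate is a placeholder (base64 of ASCII text, not an X.509 DER)
and the real file is signed and much larger.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder certificate body, constructed for this example.
FAKE_CERT_B64 = base64.b64encode(b"placeholder, not a real certificate " * 4).decode()

SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://shib.oit.duke.edu/shibboleth-idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {FAKE_CERT_B64}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://shib.oit.duke.edu/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://shib.oit.duke.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the entityID, SSO endpoints keyed by binding, and (use, base64) certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        use = kd.get("use", "signing+encryption")
        for c in kd.findall(".//ds:X509Certificate", NS):
            # Metadata usually line-wraps the base64; strip all whitespace.
            certs.append((use, "".join((c.text or "").split())))
    return {"entity_id": root.get("entityID"), "sso": sso, "certs": certs}


def to_pem(b64_der):
    """Re-wrap the bare base64 from metadata as a PEM certificate block."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64_der, 64))
            + "\n-----END CERTIFICATE-----\n")


def sso_url(info, binding):
    """The IdP login URL to configure on the SP for the binding it uses."""
    try:
        return info["sso"][binding]
    except KeyError:
        raise ValueError(f"IdP does not offer binding {binding}") from None


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("EntityID:", info["entity_id"])
    for binding, url in info["sso"].items():
        print(binding.rsplit(":", 1)[-1], "->", url)
    for use, cert in info["certs"]:
        print(f"{use} certificate:\n{to_pem(cert)}")
```

Point the script at the real metadata file and check that the endpoint you give the vendor is the one for the binding their product actually uses (HTTP-Redirect vs HTTP-POST), since a mismatch there is one cause of the login errors covered under Troubleshoot Guidance.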
Make sure that the vendor is using our InCommon EntityID.
Our InCommon Entity ID is: urn:mace:incommon:duke.edu
Please fill out the help form and tell us the Entity ID of the service and which attributes it needs.
You can see a list of the available attributes in our documentation page.
The next step is to test authentication. If you are working with a vendor, ask the vendor for the URL/link that starts a login; otherwise use the URL/link you have set up for your site.
When you open that URL/link, you should see the Duke login screen asking for your NetID credentials.
Please review our KB Article for how to get access to our Shibboleth/SAML API.
How to create/update a registration
- You can update the Entity ID
- You can update owners of the registration. You can add individual NetID or Group Manager support group owners.
- You can update the certificate used for encrypting the SAML assertion.
- You can update certain settings related to the SAML response.
- You can update the Assertion Consumer Service (ACS) URLs.
- You can update attributes. You can also set a custom name for how an attribute is released.
- You can add/update groups for authorization purposes.
- You can enable Multi-Factor Authentication.
- You can enable OneLink Login functionality.
MFA enabling is self-service. Go to the “my sites” page and select the corresponding registration you want to enable MFA for.
Scroll down to the bottom of the registration. Under the Additional options, expand the MFA/OneLink option.
Click the notepad icon, then select the checkbox beside the text Require MFA.
Scroll to the bottom and click the Update SP button.
You can update the certificate through the self-service portal by going to the my sites page.
You will need the EntityID of the registration in question. Select the corresponding registration and update the cert.
Note: if you are working with a vendor, you may need to coordinate the certificate update with them, so that the vendor's application and the registration switch to the new certificate at the same time.
You can use Grouper/Group Manager groups to delegate authorization.
Find the corresponding registration under my sites
Scroll to the Additional Options section and expand the Group Manager/Grouper membership options.
Add the corresponding group ID in the text field and click the "Format and Validate Groups" button to make sure the group is valid and you have access to use it.
Scroll to the bottom and click the Update SP button.
Note: group requests go to the Identity and Access Management Team for approval. You can only request groups that you have created and are an owner of.
Troubleshoot Guidance
This error varies, and it usually happens before you see the Duke login screen.
- It is possible that your service provider is not using the correct login URL. Make sure that you are using one of the following URLs:
  https://shib.oit.duke.edu/idp/profile/SAML2/Redirect/SSO
  https://shib.oit.duke.edu/idp/profile/SAML2/POST/SSO
  https://shib.oit.duke.edu/idp/profile/SAML2/POST-SimpleSign/SSO
- Another possible issue is that your service provider is signing its authentication requests while we only hold its SAML assertion encryption certificate, so the request signature cannot be verified. Ask the vendor to stop signing authentication requests, or make sure the certificate in the registration is the one the vendor signs with.
This error happens because the application has not been registered in Duke's SSO system,
or because the Entity ID that your application is sending does not match the one that is registered (for example, the Entity ID in the request has a trailing / and the registered one does not).
Make sure that you have registered and confirmed that the necessary details in our self-service interface match what the application is sending.
This error happens because the application is registered, but the ACS value it sends is not correct.
Look at the value your application is actually sending (the error message should show it) and compare it to the ACS URLs in your registration.
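All three errors above come down to a mismatch between what the application puts in its AuthnRequest and what the registration holds. The following script is an added example (not part of this FAQ and not Duke's tooling) that decodes an HTTP-Redirect AuthnRequest from a login URL and checks its Destination against the Duke login URLs, its Issuer against the registered Entity ID (flagging the trailing-slash case), its AssertionConsumerServiceURL against the registered ACS URLs, and whether the request is signed. REGISTRATION and SAMPLE_AUTHN_REQUEST are constructed, with app.example.edu as a placeholder SP; the IdP endpoint URLs are the ones listed above.

```python
"""Decode the AuthnRequest an SP actually sends and compare it with a registration.

Added example, not Duke's tooling. REGISTRATION and SAMPLE_AUTHN_REQUEST are
constructed (app.example.edu is a placeholder SP); DUKE_SSO_URLS are the
login URLs listed in this FAQ.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DUKE_SSO_URLS = {
    "https://shib.oit.duke.edu/idp/profile/SAML2/Redirect/SSO",
    "https://shib.oit.duke.edu/idp/profile/SAML2/POST/SSO",
    "https://shib.oit.duke.edu/idp/profile/SAML2/POST-SimpleSign/SSO",
}

# Constructed: what the self-service registration holds for this SP.
REGISTRATION = {
    "entity_id": "https://app.example.edu/saml/metadata",
    "acs_urls": {"https://app.example.edu/saml/acs"},
}

# Constructed AuthnRequest. Note the trailing slash on the Issuer.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_2f9c1e" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://shib.oit.duke.edu/idp/profile/SAML2/Redirect/SSO"
    AssertionConsumerServiceURL="https://app.example.edu/saml/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://app.example.edu/saml/metadata/</saml:Issuer>
</samlp:AuthnRequest>"""


def build_redirect_url(xml_text, sso_url="https://shib.oit.duke.edu/idp/profile/SAML2/Redirect/SSO"):
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64, then URL-encode."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = co.compress(xml_text.encode("utf-8")) + co.flush()
    return sso_url + "?" + urllib.parse.urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode("ascii")})


def decode_redirect_url(url):
    """Undo the Redirect encoding. Returns (xml_text, signed); a signed Redirect
    request carries Signature and SigAlg as extra query parameters."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8"), "Signature" in qs


def check_request(xml_text, signed, registration):
    """Return the mismatches that map to the errors described above (empty if none)."""
    root = ET.fromstring(xml_text)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    acs = root.get("AssertionConsumerServiceURL")
    destination = root.get("Destination")
    problems = []
    if destination not in DUKE_SSO_URLS:
        problems.append(f"Destination {destination!r} is not one of the Duke SSO login URLs")
    if issuer != registration["entity_id"]:
        hint = (" (differs only by a trailing slash)"
                if issuer.rstrip("/") == registration["entity_id"].rstrip("/") else "")
        problems.append(f"Issuer {issuer!r} does not match the registered Entity ID{hint}")
    if acs is not None and acs not in registration["acs_urls"]:
        problems.append(f"AssertionConsumerServiceURL {acs!r} is not a registered ACS URL")
    # Signed requests: embedded ds:Signature (POST binding) or Signature query param (Redirect).
    if signed or root.find("ds:Signature", NS) is not None:
        problems.append("request is signed; the IdP needs the SP's signing certificate, "
                        "or the vendor must stop signing authentication requests")
    return problems


if __name__ == "__main__":
    url = build_redirect_url(SAMPLE_AUTHN_REQUEST)
    xml_text, signed = decode_redirect_url(url)
    for problem in check_request(xml_text, signed, REGISTRATION):
        print("PROBLEM:", problem)
```

To use this on a real failure, copy the full login URL the application redirects you to (from the browser address bar or a HAR capture) into decode_redirect_url; the Issuer and AssertionConsumerServiceURL it prints are the values to compare, character for character, with the registration in My Sites.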