Duo SSO Integration Not Working with Custom Domain

Problem statement

This article explains a potential cause of Invalid Audience errors when configuring a SAML connection with Duo using the Duo Single Sign-On for Auth0 guide.

Symptoms

  • Auth0 is the SAML SP
  • Duo is the SAML IdP
  • Using the Auth0 integration on the Duo dashboard
  • Using a custom domain in Auth0

Cause

The Auth0 integration in Duo (Duo Single Sign-On for Auth0) does not support custom domains at this time.

Solution

As a workaround, configure a Generic SAML setup in Duo as described here: Duo Single Sign-On for Generic SAML Service Providers.

The generic integration lets you configure every aspect of the setup manually or from a metadata URL or file. If you provide a metadata URL, it has the following format:

  • https://[CUSTOM_DOMAIN]/samlp/metadata?connection=[CONNECTION_NAME]
    • Replace [CUSTOM_DOMAIN] with the tenant's custom domain and replace [CONNECTION_NAME] with the connection name.
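
A check to run on the downloaded metadata before entering it in Duo, as an added example that is not part of the original article: it extracts the entity ID (the value the IdP must send as the assertion Audience) and the ACS URLs, and flags any ACS URL whose host is not the custom domain. The sample metadata and the names login.example.com, example-tenant and duo-saml are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace

# Constructed sample SP metadata; every value here is a placeholder.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="urn:auth0:example-tenant:duo-saml">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.com/login/callback?connection=duo-saml"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

def metadata_url(custom_domain, connection_name):
    """Build the metadata URL in the format given in the article."""
    return (f"https://{custom_domain}/samlp/metadata"
            f"?connection={quote(connection_name, safe='')}")

def sp_settings(metadata_xml, custom_domain):
    """Extract the SP values to enter in the IdP and flag ACS URLs on another host."""
    if "<!DOCTYPE" in metadata_xml.upper():
        raise ValueError("metadata containing a DTD is rejected")
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    acs = [e.get("Location", "") for e in root.iter(MD + "AssertionConsumerService")]
    # urlsplit lowercases the hostname, so compare against a lowercased domain.
    wrong_host = [u for u in acs if urlsplit(u).hostname != custom_domain.lower()]
    return {
        "entity_id": root.get("entityID"),  # the Audience the IdP must send
        "acs_urls": acs,
        "wrong_host": wrong_host,
    }

if __name__ == "__main__":
    print(metadata_url("login.example.com", "duo-saml"))
    print(sp_settings(SAMPLE_METADATA, "login.example.com"))
```

A non-empty wrong_host list means the metadata was not generated for the custom domain and should not be loaded into the Duo Generic SAML application as-is.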