Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

DUO Enroll API call failing with invalid signature

jralexander137
New Contributor II
New Contributor II

Hi we are having an issue with DUO account provisioning and enrollment. In the createAccount JSON its configured to do 2 calls, account creation, then enrolling the account. The first call completes with 200 then the enroll call fails with

2023-12-03 18:57:37,334 [quartzScheduler_Worker-14] DEBUG rest.RestProvisioningService  - Got Webservice API Response: [headers:[Server: Duo/1.0, Date: Sun, 03 Dec 2023 18:57:37 GMT, Content-Type: application/json, Content-Length: 86, Connection: keep-alive], responseText:{"code": 40103, "message": "Invalid signature in request credentials", "stat": "FAIL"}, cookies:[], statusCode:401]

If the first call is being encoded properly but the 2nd isn't what might cause that? This should be the OOTB config from Sav docs. Per DUO support this is their response regarding this error:

To resolve, verify that the signature is encoded in hexadecimal ASCII; is using the correct HMAC-SHA1 signature as the password; and lists parameters in alphabetical order. The parameters and their values must also be encoded in hexadecimal ASCII (e.g. the = symbol should be encoded as %3D and the | symbol should be encoded as %7C).

 

That being said, I would assume the connector would encode both calls the same way? Using Rest connection.

Here is the connection config, sensitive info removed (ikey, skey, partial URL):

{
"authentications" : {
"acctAuth" : {
"accessToken" : "Basic xyz",
"authError" : [
"InvalidAuthenticationToken",
"AuthenticationFailed",
"Authentication_MissingOrMalformed",
"Authentication_ExpiredToken"
],
"authType" : "BasicWithHmac",
"errorPath" : "error.code",
"httpMethod" : "POST",
"maxRefreshTryCount" : 5,
"properties" : {
"IKEY" : "",
"SKEY" : ""
},
"tokenResponsePath" : "access_token",
"tokenType" : "Basic",
"url" : ".duosecurity.com"
}
}
}

All of these configs work fine in the test Sav and DUO environments, this is only happening in PRD.

1 REPLY 1

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @jralexander137,

Could you please confirm if the Prod and Test are on the same versions?

{
"authentications": {
"userAuth": {
"authType": "BasicWithHmac",
"url": "api-xxxx.duo.com",
"httpMethod": "POST",
"properties":{
"IKEY":"",
"SKEY":""
},
"authError": [
"InvalidAuthenticationToken",
"AuthenticationFailed",
"Authentication_MissingOrMalformed",
"Authentication_ExpiredToken"
],
"errorPath": "error.code",
"maxRefreshTryCount": 5,
"tokenResponsePath": "access_token",
"tokenType": "Basic",
"accessToken": "Basic xyz"
}
}


Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".