Open alexwlchan opened 4 years ago
Let me cross-check whether URL query string encoding has an issue here.
I went digging for a bit, and AFAICT the correct URL is getting requested – it’s just not getting any auth data that Active Directory can use to validate the SAML request.
This is the method that gets called for az rest:
If you follow that through to where it actually invokes requests, I don't see any auth data there:
Maybe I need to allow it to create auth tokens? But that also errors, and besides, login.microsoftonline.com isn't an Azure REST API, is it?
Is your feature request related to a problem? Please describe. I want to make SAML requests to Azure Active Directory using the CLI.
Describe the solution you'd like Ideally, a way to make an HTTP request as the logged-in user.
There’s already an az rest command that looked like it would be close:
but it doesn't seem to work. If I try that, the response is a "Please sign into your account" page.
Describe alternatives you've considered I’m familiar with dtjohnson/aws-azure-login, which is what I’m using, but spinning up a headless browser and scraping the AD login screen feels a bit icky – surely there should be a better way?
Additional context At work, we use Azure Active Directory to manage users, and we’re trying to use SAML to authenticate an AD user with AWS.
As part of this workflow, I want to be able to run a command-line tool that logs me into AD, authenticates with AWS, then uses AWS STS to create some local AWS credentials.
These are the steps I'm doing:
1. Run az login --allow-no-subscriptions to log into the CLI.
2. Get my tenant ID by running az account show
3. Get the app ID URL by running az ad app list --display-name 'AWS' (typically something like https://signin.aws.amazon.com/saml#12)
4. Construct an AuthnRequest following the instructions in the Single Sign-On SAML protocol docs. That gives me a URL like
5. Somehow open the contents of that URL as a signed-in user.
I’m struggling to do step 5 with the CLI – it knows I’m logged in, but I can’t see how to make an authenticated request.
Am I asking for a new feature, missing something that’s already there, or barking up the wrong tree?
Related: https://github.com/wellcometrust/platform/issues/3753
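Step 4 above (building the AuthnRequest URL) and the earlier question about query string encoding both come down to the SAML HTTP-Redirect binding: the request XML is raw-DEFLATE compressed, base64 encoded, then percent-encoded as the SAMLRequest query parameter. The following is example code added to this issue, not part of azure-cli or the issue author's tooling. It assumes the tenant SAML endpoint has the form https://login.microsoftonline.com/{tenant}/saml2, uses a placeholder tenant ID, and reuses the App ID URI shape the issue mentions as the Issuer; the decoder is there so you can check what a given URL actually carries.

```python
"""Build, encode and decode a SAML 2.0 AuthnRequest for the HTTP-Redirect
binding (raw DEFLATE + base64 + URL-encode). Example added to this issue;
not azure-cli code."""
import base64
import datetime
import uuid
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape, quoteattr

# Assumed shape of the per-tenant Azure AD SAML endpoint (not taken from the issue).
AAD_SAML_ENDPOINT = "https://login.microsoftonline.com/{tenant}/saml2"


def build_authn_request(issuer: str, acs_url: str,
                        request_id: Optional[str] = None,
                        issue_instant: Optional[str] = None) -> str:
    """Return a minimal AuthnRequest document.

    issuer  - the App ID URI registered in Azure AD (what the IdP matches on)
    acs_url - where the IdP should POST the SAMLResponse afterwards
    """
    # XML IDs must be NCNames, which cannot start with a digit: prefix with '_'.
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest'
        ' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
        f' ID={quoteattr(request_id)} Version="2.0"'
        f' IssueInstant={quoteattr(issue_instant)}'
        f' AssertionConsumerServiceURL={quoteattr(acs_url)}'
        ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{escape(issuer)}</saml:Issuer>'
        '<samlp:NameIDPolicy'
        ' Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>'
        '</samlp:AuthnRequest>'
    )


def encode_saml_request(xml: str) -> str:
    """Raw DEFLATE (no zlib header) then base64, per the HTTP-Redirect binding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate stream
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_saml_request(param: str) -> str:
    """Inverse of encode_saml_request: base64 decode, then inflate raw deflate."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def build_redirect_url(tenant_id: str, xml: str,
                       relay_state: Optional[str] = None) -> str:
    """Assemble the IdP redirect URL. urlencode percent-encodes the '+', '/'
    and '=' that base64 produces; a client fetching this URL must keep that
    encoding intact or the IdP cannot inflate the request."""
    params = {"SAMLRequest": encode_saml_request(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return AAD_SAML_ENDPOINT.format(tenant=tenant_id) + "?" + urlencode(params)


def decode_redirect_url(url: str) -> str:
    """Extract and decode the SAMLRequest parameter from a redirect URL."""
    query = parse_qs(urlparse(url).query, strict_parsing=True)
    return decode_saml_request(query["SAMLRequest"][0])


if __name__ == "__main__":
    # Constructed sample values: placeholder tenant ID, and the App ID URI
    # shape mentioned in the issue as the Issuer.
    xml = build_authn_request(
        issuer="https://signin.aws.amazon.com/saml#12",
        acs_url="https://signin.aws.amazon.com/saml",
    )
    url = build_redirect_url("00000000-0000-0000-0000-000000000000", xml)
    print(url)
    assert decode_redirect_url(url) == xml
```

Running the script prints a redirect URL for the placeholder tenant and checks that decoding it gives back the exact XML that went in; pointing decode_redirect_url at a URL produced by another tool is a quick way to confirm the Issuer and encoding are what the IdP expects.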