Noovolari / leapp

Leapp is the DevTool to access your cloud
https://www.leapp.cloud/
Mozilla Public License 2.0

SSO login not compatible with Device Compliance in Azure AD #326

Open amartin-idea11 opened 2 years ago

amartin-idea11 commented 2 years ago

Describe the bug: When using SAML SSO from Azure AD, and a conditional access policy applies that includes "Require device to be marked as compliant", the sign-in fails due to "The current browser is not supported, please use Microsoft Edge, Internet Explorer, Chrome or Firefox 91+ to access this application."

Leapp Version: 0.14.2

To Reproduce

  1. Use SAML SSO from Azure AD
  2. End-user device managed by Intune
  3. Conditional access policy requires the device be marked as compliant
  4. Try to authenticate to an AWS IAM Role Federated session

Expected behavior: After authentication, I would expect the session to be activated.

Screenshots: [image]

Desktop (please complete the following information):

Additional context: Because the app being authenticated against is "Microsoft App Access Panel", I can't set an exception to this app.

ghost commented 2 years ago

Hi! Did you try with the In-browser auth. method? It can be found when you edit the AWS SSO integration: [image]

amartin-idea11 commented 2 years ago

Hi c-sami, I am not using AWS Single Sign-on in this environment. I have no integrations configured, and the session is configured as IAM Role Federated from our Azure AD IDP as shown below. I had a poke around, but I couldn't find any similar setting for this kind of sign-in; could I be missing it?

[image]

andreacavagna01 commented 1 year ago

Hi, we just released v0.16.0. With that, an updated version of Chromium is online, and your problem should be solved.

I'm going to close this issue. Feel free to reopen it if needed.

amartin-idea11 commented 1 year ago

I've installed v0.16.1 and retried, but I am still getting the same behavior. The Azure log shows it as not receiving all the device info (e.g. no Device ID). [image]

This is normally what you see when the application does not pass all the info along. In the case of Chrome, it requires the extension called "Windows Accounts".

My local Chrome install does have that add-in already, but if Leapp is using its own packaged Chromium, possibly it will need this extension included before it'll work?

Note: I am unable to reopen this issue; could you do that?

ericvilla commented 1 year ago

Hi @amartin-idea11, have you already managed to solve this issue on your own?

amartin-idea11 commented 1 year ago

Hi @ericvilla, no, I haven't, unfortunately. We ended up changing our policies so we're enforcing device compliance on specific apps instead of default w/ exceptions.