Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

Login not possible in AzureAD when System-preferred multifactor authentication is activated #1054

Open BamOidaFixMan opened 1 year ago

BamOidaFixMan commented 1 year ago

Today we turned on the System-preferred multifactor authentication in Azure AD and the login via saml2aws was not possible anymore. Here is the related Microsoft article. https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/ga-system-preferred-multifactor-authentication/ba-p/3773138

I have the Authenticator App and Yubikey configured.

Here is the verbose output:

DEBU[0011] building provider                             command=login idpAccount="account {
 AppID: xxxxxxxxxxxxxxxxxx
 URL: https://account.activedirectory.windowsazure.com
 Username: itsamee@mariao.com
 Provider: AzureAD
 MFA: Auto
 SkipVerify: false
 AmazonWebservicesURN: urn:amazon:webservices
 SessionDuration: 28800
 Profile: saml
 RoleARN: 
 Region: 
}"
Authenticating as itsamee@mariao.com ...
DEBU[0011] processing ConvergedSignIn                    provider=AzureAD
DEBU[0011] HTTP Req                                      URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0011] HTTP Res                                      Status="200 OK" http=client
DEBU[0011] HTTP Req                                      URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0012] HTTP Res                                      Status="200 OK" http=client
DEBU[0012] processing KmsiInterrupt                      provider=AzureAD
DEBU[0012] HTTP Req                                      URL="https://login.microsoftonline.com/kmsi" http=client method=POST
DEBU[0012] HTTP Res                                      Status="200 OK" http=client
DEBU[0012] processing a 'hiddenform'                     provider=AzureAD
DEBU[0012] HTTP Req                                      URL="https://account.activedirectory.windowsazure.com/" http=client method=POST
DEBU[0015] HTTP Res                                      Status="200 OK" http=client
DEBU[0015] processing SAMLRequest                        provider=AzureAD
DEBU[0015] processing ConvergedTFA                       provider=AzureAD
DEBU[0015] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0015] HTTP Res                                      Status="200 OK" http=client
MFA BeginAuth result is not success: Specified authentication method is not supported.
error processing MFA BeginAuth
github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).processMfa
    github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:449
github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).processConvergedTFA
    github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:429
github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).Authenticate
    github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:195
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
    github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
    runtime/proc.go:250
runtime.goexit
    runtime/asm_arm64.s:1172
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
    github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
    runtime/proc.go:250
runtime.goexit
    runtime/asm_arm64.s:1172

kieran-lowe commented 1 year ago

I'm also impacted by this, I have system-preferred multifactor authentication turned on and get either the same error as @BamOidaFixMan or one with error processing MFA, errcode: 50012, message: AADSTS50012: Authentication failed..

I have Microsoft Authenticator configured. If I explicitly set --mfa=PhoneAppOTP I can log in without a problem. The only thing changed for me was the enablement of the above; prior to that I've not had a problem.

Please see debug output below:

Debug Output

$ saml2aws --version
2.36.8
$ saml2aws login -a aad --verbose --disable-keychain

error processing MFA, errcode: 50012, message: AADSTS50012: Authentication failed.
Error authenticating to IdP.

OR

MFA BeginAuth result is not success: <nil>
error processing MFA BeginAuth

Verbose Output

AADSTS50012: Authentication failed - error verbose output

DEBU[0000] Running                                       command=login
DEBU[0000] Check if creds exist.                         command=login
DEBU[0000] Expand                                        name=/Users/<REDACTED>/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/Users/<REDACTED>/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/Users/<REDACTED>/.aws/credentials pkg=awsconfig
Using IdP Account aad to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username <REDACTED>
? Password

DEBU[0003] building provider                             command=login idpAccount="<REDACTED>"
Authenticating as <REDACTED>
DEBU[0004] processing ConvergedSignIn                    provider=AzureAD
DEBU[0004] HTTP Req                                      URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0004] HTTP Res                                      Status="200 OK" http=client
DEBU[0004] HTTP Req                                      URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0005] HTTP Res                                      Status="200 OK" http=client
DEBU[0005] processing a 'hiddenform'                     provider=AzureAD
DEBU[0005] HTTP Req                                      URL="https://device.login.microsoftonline.com:443/" http=client method=POST
DEBU[0005] HTTP Res                                      Status="200 OK" http=client
DEBU[0005] processing a 'hiddenform'                     provider=AzureAD
DEBU[0005] HTTP Req                                      URL="https://login.microsoftonline.com:443/common/DeviceAuthTls/reprocess" http=client method=POST
DEBU[0005] HTTP Res                                      Status="200 OK" http=client
DEBU[0005] processing ConvergedTFA                       provider=AzureAD
DEBU[0005] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0005] HTTP Res                                      Status="200 OK" http=client
Phone approval required. Entropy is: <REDACTED>
DEBU[0005] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0005] HTTP Res                                      Status="200 OK" http=client
DEBU[0006] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0006] HTTP Res                                      Status="200 OK" http=client
error processing MFA, errcode: 50012, message: AADSTS50012: Authentication failed.
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
    github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
    runtime/proc.go:250
runtime.goexit
    runtime/asm_amd64.s:1598

MFA BeginAuth result is not success: - error verbose output

DEBU[0000] Running                                       command=login
DEBU[0000] Check if creds exist.                         command=login
DEBU[0000] Expand                                        name=/Users/<REDACTED>/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/Users/<REDACTED>/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/Users/<REDACTED>/.aws/credentials pkg=awsconfig
Using IdP Account aad to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username <REDACTED>
? Password

DEBU[0007] building provider                             command=login idpAccount="<REDACTED>"
Authenticating as <REDACTED>
DEBU[0007] processing ConvergedSignIn                    provider=AzureAD
DEBU[0007] HTTP Req                                      URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0007] HTTP Res                                      Status="200 OK" http=client
DEBU[0007] HTTP Req                                      URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0008] HTTP Res                                      Status="200 OK" http=client
DEBU[0008] processing a 'hiddenform'                     provider=AzureAD
DEBU[0008] HTTP Req                                      URL="https://device.login.microsoftonline.com:443/" http=client method=POST
DEBU[0008] HTTP Res                                      Status="200 OK" http=client
DEBU[0008] processing a 'hiddenform'                     provider=AzureAD
DEBU[0008] HTTP Req                                      URL="https://login.microsoftonline.com:443/common/DeviceAuthTls/reprocess" http=client method=POST
DEBU[0008] HTTP Res                                      Status="200 OK" http=client
DEBU[0008] processing ConvergedTFA                       provider=AzureAD
DEBU[0008] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0008] HTTP Res                                      Status="200 OK" http=client
MFA BeginAuth result is not success: <nil>
error processing MFA BeginAuth
github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).processMfa
    github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:449
github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).processConvergedTFA
    github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:429
github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).Authenticate
    github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:195
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
    github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
    runtime/proc.go:250
runtime.goexit
    runtime/asm_amd64.s:1598
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
    github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
    runtime/proc.go:250
runtime.goexit
    runtime/asm_amd64.s:1598

Not sure if the following are related?
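The workaround reported above (passing --mfa=PhoneAppOTP explicitly instead of leaving the account on MFA: Auto) can be made persistent by pinning the method in the saml2aws config file rather than retyping the flag. The POSIX shell script below is an added example, not code from saml2aws or from anyone in this thread. It assumes the INI layout saml2aws writes to ~/.saml2aws ([section] headers and key = value lines, with the mfa key seen in the idpAccount dump above); the config it edits is constructed for the demonstration and the AppID is a placeholder. One caveat worth keeping in mind: pinning PhoneAppOTP asks the IdP for the TOTP method outright instead of whatever the tenant's system-preferred ranking would pick, so it only works for as long as the tenant's authentication methods policy still allows TOTP for that user, and it trades the number-matching push (the "Phone approval required. Entropy is:" prompt in the log) for a method Microsoft ranks below it. Treat it as a workaround, not a fix.

```shell
#!/bin/sh
# Added example (not part of saml2aws): pin the MFA method for one IdP
# account in a saml2aws config instead of relying on "mfa = Auto".
# Assumes the INI layout saml2aws writes to ~/.saml2aws; the sample
# config below is constructed for the demo and not from the thread.

# Print the mfa value of one [section]; prints nothing if absent.
saml2aws_get_mfa() {
    cfg=$1; section=$2
    awk -v s="[$section]" '
        $0 == s { insec = 1; next }
        /^\[/   { insec = 0 }
        insec && /^[ \t]*mfa[ \t]*=/ {
            sub(/^[ \t]*mfa[ \t]*=[ \t]*/, ""); print; exit
        }
    ' "$cfg"
}

# Rewrite the mfa value of one [section] in place (via a temp file).
# Exits non-zero if the section has no mfa line, so a typo in the
# section name does not silently leave "Auto" in effect.
saml2aws_set_mfa() {
    cfg=$1; section=$2; method=$3
    tmp=$(mktemp) || return 1
    awk -v s="[$section]" -v m="$method" '
        $0 == s { insec = 1; print; next }
        /^\[/   { insec = 0 }
        insec && /^[ \t]*mfa[ \t]*=/ {
            printf "%-24s= %s\n", "mfa", m; changed = 1; next
        }
        { print }
        END { exit changed ? 0 : 1 }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample config: an AzureAD account on "mfa = Auto" plus a
# second account that must be left untouched by the edit.
demo_config() {
    cat > "$1" <<'EOF'
[aad]
name                    = aad
app_id                  = xxxxxxxxxxxxxxxxxx
url                     = https://account.activedirectory.windowsazure.com
username                = itsamee@mariao.com
provider                = AzureAD
mfa                     = Auto
skip_verify             = false
aws_urn                 = urn:amazon:webservices
aws_session_duration    = 28800
aws_profile             = saml

[okta-legacy]
name                    = okta-legacy
provider                = Okta
mfa                     = Auto
EOF
}

# Usage: show the value before and after pinning the aad account to TOTP.
demo() {
    cfg=$(mktemp)
    demo_config "$cfg"
    echo "aad before: $(saml2aws_get_mfa "$cfg" aad)"
    saml2aws_set_mfa "$cfg" aad PhoneAppOTP
    echo "aad after:  $(saml2aws_get_mfa "$cfg" aad)"
    echo "okta-legacy: $(saml2aws_get_mfa "$cfg" okta-legacy)"
    rm -f "$cfg"
}

demo
```

To apply it to a real setup, call saml2aws_set_mfa "$HOME/.saml2aws" aad PhoneAppOTP and then run saml2aws login -a aad; the explicit --mfa flag on the command line still overrides the file if you need to test another method.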

kieran-lowe commented 1 year ago

Was just curious @christianmeyer since you refactored the AzureAD provider in #795, if you've encountered any of the above recently?

Since this system-preferred MFA is GA I think at this point now, I feel quite a few issues will be raised in future.

kieran-lowe commented 1 year ago

Just an update my side - tried again today and it's working absolutely fine for me. Apparently nothing has been changed for me, and can't see anything different in terms of logs -- no idea what's going on.

Is anyone else seeing the same? @BamOidaFixMan

gavin-burns-US commented 1 year ago

> Just an update my side - tried again today and it's working absolutely fine for me. Apparently nothing has been changed for me, and can't see anything different in terms of logs -- no idea what's going on.
>
> Is anyone else seeing the same? @BamOidaFixMan

Has any solution been floated in the ether?

kieran-lowe commented 9 months ago

> Just an update my side - tried again today and it's working absolutely fine for me. Apparently nothing has been changed for me, and can't see anything different in terms of logs -- no idea what's going on. Is anyone else seeing the same? @BamOidaFixMan
>
> Has any solution been floated in the ether?

Not that I'm aware of. But saying that, I haven't had a problem recently or any of the errors above; it has just worked...

tinaboyce commented 9 months ago

Thanks for your input on this @kieran-lowe . @BamOidaFixMan , is this still an issue?

rbarrett-impinj commented 7 months ago

Seems like this is impacted regardless of having System-preferred MFA on or not. My company is migrating from Okta to Entra right now, and it seems we are impacted by this.