Open igordust opened 1 year ago
Having the same issue currently. We experienced a different error when using a prior version (2.36.4). Upgraded to 2.36.10 and now the behavior is the same as described. It keeps asking for the code, even after entering a correct code.
Hello,
We've encountered the same problem today in our company. We need to disable the MFA for the enterprise app to let saml2aws continue to work. I think Microsoft changed something on their side and the rollout is not the same for all tenants.
Hi there,
We are facing this issue for all users here from today. It seems we already had a few occurrences starting 2 weeks ago.
saml2aws up to date ;-)
Having the same issue with the latest 2.36.13 version. It keeps asking for the code after accepting the previous one:
$ saml2aws login --disable-keychain -a ******** --verbose
DEBU[0000] Running command=login
DEBU[0000] Check if creds exist. command=login
DEBU[0000] Expand name=/********/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink name=/********/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists filename=/********/.aws/credentials pkg=awsconfig
Using IdP Account ******** to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username ********
? Password ********
DEBU[0005] building provider command=login idpAccount="********"
Authenticating as ******** ...
DEBU[0008] processing ConvergedSignIn provider=AzureAD
DEBU[0008] HTTP Req URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0009] HTTP Res Status="200 OK" http=client
DEBU[0010] processing ConvergedTFA provider=AzureAD
DEBU[0010] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0011] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 31
DEBU[0011] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0011] HTTP Res Status="200 OK" http=client
DEBU[0023] processing ConvergedTFA provider=AzureAD
DEBU[0023] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0024] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 50
DEBU[0031] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0032] HTTP Res Status="200 OK" http=client
DEBU[0032] processing ConvergedTFA provider=AzureAD
DEBU[0032] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0033] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 59
DEBU[0033] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0033] HTTP Res Status="200 OK" http=client
^C
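A way to summarize a verbose trace like the one above before attaching it to a report, as an added example that is not part of the original thread or of saml2aws itself. `SAMPLE` is constructed from the request lines of that trace, the function names are hypothetical, and treating more than one ConvergedTFA round in a single login as the loop symptom is an assumption of this example.

```python
import re

# Constructed sample: state and /SAS/ request lines in the format of the trace above.
SAMPLE = '''\
DEBU[0010] processing ConvergedTFA provider=AzureAD
DEBU[0010] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0011] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0023] processing ConvergedTFA provider=AzureAD
DEBU[0023] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0031] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0032] processing ConvergedTFA provider=AzureAD
DEBU[0032] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0033] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
'''

STATE = re.compile(r'^DEBU\[(\d+)\] processing (\w+) provider=AzureAD')
REQ = re.compile(r'^DEBU\[(\d+)\] HTTP Req URL="[^"]*/SAS/(\w+)')


def mfa_rounds(log_text):
    """Return one dict per ConvergedTFA round: start second and SAS calls made."""
    rounds = []
    for line in log_text.splitlines():
        m = STATE.match(line)
        if m:
            if m.group(2) == "ConvergedTFA":
                rounds.append({"start": int(m.group(1)), "calls": []})
            continue
        m = REQ.match(line)
        if m and rounds:
            # Attribute each /SAS/ request to the most recent MFA round.
            rounds[-1]["calls"].append(m.group(2))
    return rounds


def summarize(log_text):
    """Count MFA rounds and list the rounds that never issued ProcessAuth."""
    rounds = mfa_rounds(log_text)
    missing = [i + 1 for i, r in enumerate(rounds) if "ProcessAuth" not in r["calls"]]
    return {
        "rounds": len(rounds),
        "looping": len(rounds) > 1,  # assumption: one round is the normal case
        "rounds_without_processauth": missing,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The summary contains only endpoint names and round counts, so it can be shared without the usernames, account names or paths that the full trace would expose.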
Did anyone find a solution to this? Some of us are getting stuck in the same loop, it happens with push authentication as well as TOTP. We can't figure out what the common factor is between us.
On our side, we rolled back the conditional access in Azure to standard MFA and not the new MFA level.
Looking forward to hearing about the closure of this issue as I really need it.
I have the same issue. saml2aws version: 2.36.16. Is there any solution?
+1
I don't know if this could be related:
I have this problem when I try to connect to my company M365 account from my personal device.
This also doesn't work when I try to open another Office app (e.g. Teams), where the difference is that after I enter the correct phone approval code I get a message that "I should set up my device to meet the company requirements" (which would be installing the Company Portal app). I think this is the same problem in the end, as it works flawlessly from my company device.
As per the subject, the authentication with Azure AD with MFA enabled doesn't work; it's asking for the MFA code indefinitely. I attach a debug session.
After the third MFA code request I stopped, but as you can see, something fails silently in the MFA check, apparently. Unfortunately, I don't have any control over the Azure AD configuration, so I can't supply further details on it. Is there a way to gather additional information from my side?