Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

AzureAD compliant device conditional access policy not working #1075

Open jjensenp44 opened 1 year ago

jjensenp44 commented 1 year ago

Hi Team,

Would you consider supporting sending the device compliance status with the authentication to AzureAD? We have a conditional access policy set up in AzureAD that requires the device to be compliant to be able to access any AzureAD SSO federated app. saml2aws is not currently working with this setup, as it is not able to pass the compliance state of the machine to AzureAD, and access is therefore denied with an "Error authenticating to IdP.: failed get SAMLAssertion" error. Normally, passing the compliance state is done through the browser. Edge works out of the box, but with Chrome you need to add the "Windows Accounts" extension from the Chrome app store. Is this something you could please look into integrating into saml2aws?

Regards Jacob

srepetsk commented 1 year ago

I'm running into this same error as described above:

$ saml2aws login --verbose
DEBU[0000] Running                                       command=login
DEBU[0000] Check if creds exist.                         command=login
DEBU[0000] Expand                                        name=/home/<username>/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/home/<username>/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/home/<username>/.aws/credentials pkg=awsconfig
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.us/
To use saved password just hit enter.
? Username <username@domain>
? Password ******************

DEBU[0001] building provider                             command=login idpAccount="account {\n  AppID: <App ID>\n  URL: https://account.activedirectory.windowsazure.us/\n  Username: <username@domain>\n  Provider: AzureAD\n  MFA: Auto\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 3600\n  Profile: aad\n  RoleARN: arn:aws:iam::<ARN/Role>\n  Region: us-east-1\n}"
Authenticating as <username@domain> ...
DEBU[0003] processing ConvergedSignIn                    provider=AzureAD
DEBU[0003] HTTP Req                                      URL="https://login.microsoftonline.us/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0003] HTTP Res                                      Status="200 OK" http=client
DEBU[0003] HTTP Req                                      URL="https://login.microsoftonline.us/common/login" http=client method=POST
DEBU[0004] HTTP Res                                      Status="200 OK" http=client
DEBU[0004] unknown process step found:ConvergedConditionalAccess  provider=AzureAD
failed get SAMLAssertion
github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).Authenticate
        github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:222
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
        github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
        ./main.go:191
runtime.main
        runtime/proc.go:250
runtime.goexit
        runtime/asm_amd64.s:1598
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
        github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
        ./main.go:191
runtime.main
        runtime/proc.go:250
runtime.goexit
        runtime/asm_amd64.s:1598
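
The log above ends at `unknown process step found:ConvergedConditionalAccess`, i.e. the Azure AD sign-in flow returned a step the client has no handler for, and the failure surfaced only as the generic `failed get SAMLAssertion`. The following added example (editor's code, not code from saml2aws or from the fork linked in this thread) shows how a non-browser client can pull the step name out of the `$Config={...};` object that Azure AD sign-in pages embed and turn the two step names seen in this thread into an actionable outcome. The `sPageViewId` key, the sample page bodies and the remediation text are assumptions for illustration; saml2aws's own parser may read the page differently.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrUnsupportedStep marks a sign-in step that a non-browser client cannot drive.
var ErrUnsupportedStep = errors.New("unsupported sign-in step")

// pageConfig is the one field this example reads from the "$Config={...};"
// JavaScript object embedded in Azure AD sign-in pages.
// ASSUMPTION: the key name "sPageViewId" is modeled on the Azure AD page and is
// not something the issue text confirms; saml2aws's own parser may differ.
type pageConfig struct {
	PageViewID string `json:"sPageViewId"`
}

// extractConfig returns the JSON object assigned to $Config in a page body.
// It matches braces instead of cutting at the first ';' so that a ';' inside
// a string value does not truncate the object.
func extractConfig(body string) (string, error) {
	const marker = "$Config="
	start := strings.Index(body, marker)
	if start < 0 {
		return "", errors.New("no $Config object in response body")
	}
	start += len(marker)
	depth, inString := 0, false
	for i := start; i < len(body); i++ {
		c := body[i]
		switch {
		case inString:
			if c == '\\' {
				i++ // skip the escaped character
			} else if c == '"' {
				inString = false
			}
		case c == '"':
			inString = true
		case c == '{':
			depth++
		case c == '}':
			depth--
			if depth == 0 {
				return body[start : i+1], nil
			}
		}
	}
	return "", errors.New("unterminated $Config object")
}

// pageViewID returns the sign-in step name announced by the page.
func pageViewID(body string) (string, error) {
	raw, err := extractConfig(body)
	if err != nil {
		return "", err
	}
	var cfg pageConfig
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return "", fmt.Errorf("decode $Config: %w", err)
	}
	if cfg.PageViewID == "" {
		return "", errors.New("$Config has no sPageViewId")
	}
	return cfg.PageViewID, nil
}

// classifyStep turns a step name into nil (drivable) or a descriptive error.
// Only the two step names visible in the log above are known here; anything
// else is reported as unsupported rather than silently swallowed.
func classifyStep(step string) error {
	switch step {
	case "ConvergedSignIn":
		return nil
	case "ConvergedConditionalAccess":
		return fmt.Errorf("%w %q: the tenant's Conditional Access policy asks for device state (e.g. a compliant device) that a non-browser client cannot present; sign in from a browser that carries device state, or exclude this app from the policy", ErrUnsupportedStep, step)
	default:
		return fmt.Errorf("%w %q", ErrUnsupportedStep, step)
	}
}

// Constructed sample bodies (not captured from Azure AD): a minimal page
// carrying $Config; the first includes a ';' inside a string on purpose.
const (
	sampleSignInBody            = `<html><script>$Config={"sPageViewId":"ConvergedSignIn","sTitle":"Sign in; stay signed in"};</script></html>`
	sampleConditionalAccessBody = `<html><script>$Config={"sPageViewId":"ConvergedConditionalAccess"};</script></html>`
)

func main() {
	for _, body := range []string{sampleSignInBody, sampleConditionalAccessBody} {
		step, err := pageViewID(body)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("step %s: %v\n", step, classifyStep(step))
	}
}
```

The point of the `ConvergedConditionalAccess` branch is that the client cannot satisfy the step by itself: the device-state signal the policy wants is supplied by a browser session (or the Chrome "Windows Accounts" extension, as the opening comment describes), so the most useful thing a CLI can do is name the step and say why it stopped instead of reporting a bare `failed get SAMLAssertion`.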

kieran-lowe commented 11 months ago

I've started seeing this issue more and more - exactly the same error as @srepetsk above.

jjensenp44 commented 11 months ago

We had to create our own version of saml2aws to get this to work.

https://github.com/chansen-p44/saml2aws

It would be nice if that could be merged into the official version.

tinaboyce commented 11 months ago

@jjensenp44 I'm not totally against that idea. Are you able to make a PR and we could go from there?

I had a quick look at the code; there are a few things that came to mind:

  1. Is there any code written?
  2. Is there any way to decouple the changes you made to the Chromium launch settings in browser.go, like a flag to isolate this feature from the rest?

jjensenp44 commented 11 months ago

Sorry, I am not a developer, so I cannot answer your question. This version was made by one of the engineers who is no longer with the company, so this is what it is.

INeerav commented 3 weeks ago

@tinaboyce any updates on this issue? Or any recommendations for us to modify anything on the Azure AD end?