Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

Duo Universal Prompt support by saml2aws with Okta provider #1212

Open zemliany opened 7 months ago

zemliany commented 7 months ago

Hey, team! Are there any plans to add Duo Universal Prompt support to saml2aws, or any workarounds for such methods of authentication? Recently we've faced the issue that, due to switching from the Duo Prompt to the Duo Universal Prompt, saml2aws stopped working.

saml2aws verbosity log (**NOTE**: , , data was omitted; the company name was replaced with a pseudonym):

```console
> saml2aws login --cache-saml --skip-prompt --duo-mfa-option="Duo Push" --verbose
DEBU[0000] Running command=login
DEBU[0000] Check if creds exist. command=login
DEBU[0000] Expand name=/Users/zemliany/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink name=/Users/zemliany/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists filename=/Users/zemliany/.aws/credentials pkg=awsconfig
Using IdP Account default to access Okta https://my.company.okta.com/home/amazon_aws//272
DEBU[0000] Get credentials helper=osxkeychain serverURL="https://my.company.okta.com/home/amazon_aws//272"
DEBU[0000] Get credentials helper=osxkeychain user=zemliany@my.company.com
DEBU[0000] Get credentials helper=osxkeychain serverURL="https://my.company.okta.com/home/amazon_aws//272/sessionCookie"
DEBU[0000] Get credentials helper=osxkeychain user=zemliany@my.company.com
DEBU[0000] building provider command=login idpAccount="account {\n DisableSessions: false\n DisableRememberDevice: false\n URL: https://my.company.okta.com/home/amazon_aws//272\n Username: zemliany@my.company.com\n Provider: Okta\n MFA: PUSH\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 28800\n Profile: test-aws-profile\n RoleARN: arn:aws:iam:::role/SUPER-ADMIN\n Region: \n}"
DEBU[0000] okta | disableSessions: false provider=okta
DEBU[0000] okta | rememberDevice: true provider=okta
DEBU[0000] resolveSymlink name=/Users/zemliany/.aws/saml2aws/cache_default pkg=samlcache
DEBU[0000] MFA Token expiry date:2024-02-08T17:30:20Z Cache_file=/Users/zemliany/.aws/saml2aws/cache_default IdpAccount=default pkg=samlcache
DEBU[0000] Cache is invalid command=login
Authenticating as zemliany@my.company.com ...
DEBU[0000] auth with session func called provider=okta
DEBU[0000] validate session func called provider=okta
DEBU[0000] HTTP Req URL="https://my.company.okta.com/api/v1/sessions/me" http=client method=GET
DEBU[0000] HTTP Res Status="200 OK" http=client
DEBU[0000] okta session established provider=okta
DEBU[0000] valid okta session provider=okta
DEBU[0000] HTTP Req URL="https://my.company.okta.com/home/amazon_aws//272" http=client method=GET
DEBU[0001] HTTP Res Status="200 OK" http=client
DEBU[0001] follow func called from auth with session func provider=okta
DEBU[0001] HTTP Req URL="https://my.company.okta.com/home/amazon_aws//272" http=client method=GET
DEBU[0001] HTTP Res Status="200 OK" http=client
DEBU[0001] HTTP Req URL="https://my.company.okta.com/home/amazon_aws//272" http=client method=GET
DEBU[0001] HTTP Res Status="200 OK" http=client
DEBU[0001] HTTP Req URL="https://my.company.okta.com/api/v1/authn" http=client method=POST
DEBU[0002] HTTP Res Status="200 OK" http=client
DEBU[0002] MFA factorID= mfaIdentifer="CUSTOM CLAIMS_PROVIDER" oktaVerify="https://my.company.okta.com/api/v1/authn/factors//verify?rememberDevice=true" provider=okta
unsupported mfa provider
github.com/versent/saml2aws/v2/pkg/provider/okta.getMfaChallengeContext
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:712
github.com/versent/saml2aws/v2/pkg/provider/okta.verifyMfa
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:806
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:481
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:567
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:335
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:463
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
	runtime/proc.go:267
runtime.goexit
	runtime/asm_amd64.s:1650
error verifying MFA
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:483
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:567
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:335
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:463
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
	runtime/proc.go:267
runtime.goexit
	runtime/asm_amd64.s:1650
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
	runtime/proc.go:267
runtime.goexit
	runtime/asm_amd64.s:1650
```

Also, we found the following article: https://help.duo.com/s/article/6441?language=en_US As per it, it seems the DUO Universal Prompt is meant to fight third-party / non-recommended tools. Is there any chance to add support for the Universal Prompt, or is it not possible?

I'm running saml2aws on MacOS Ventura 13.6.4

Thanks!
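
The log above ends at the MFA step because the Okta `/api/v1/authn` response offers a factor the client does not know ("CUSTOM CLAIMS_PROVIDER"). As an added illustration, not saml2aws code, this Go sketch parses Okta's factor list from that response and, when nothing is usable, fails with the full list of offered factors so the unsupported enrolment is visible to the user. The supported-factor set and the "PROVIDER FACTORTYPE" composition of the identifier are assumptions for this example; the sample JSON is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal view of an Okta /api/v1/authn response in the MFA_REQUIRED state (Okta's public field names).
type authnResponse struct {
	Status   string `json:"status"`
	Embedded struct {
		Factors []struct {
			FactorType string `json:"factorType"`
			Provider   string `json:"provider"`
		} `json:"factors"`
	} `json:"_embedded"`
}

// Assumption for this example: the "PROVIDER FACTORTYPE" identifiers the client knows how to drive.
var supportedFactors = map[string]bool{"OKTA PUSH": true, "OKTA TOKEN:SOFTWARE:TOTP": true, "DUO WEB": true}

// Constructed sample: an org whose only enrolment is a Duo Universal Prompt IdP factor.
const sampleAuthn = `{"status":"MFA_REQUIRED","_embedded":{"factors":[{"factorType":"claims_provider","provider":"CUSTOM"}]}}`

// selectFactor returns the first supported factor, or an error that names every factor the IdP
// offered (built as "PROVIDER FACTORTYPE", the assumed shape of mfaIdentifer in the log above),
// so an unhandled enrolment shows up as "CUSTOM CLAIMS_PROVIDER" rather than a bare failure.
func selectFactor(body []byte) (string, error) {
	var resp authnResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", fmt.Errorf("decoding authn response: %w", err)
	}
	if resp.Status != "MFA_REQUIRED" {
		return "", fmt.Errorf("unexpected authn status %q", resp.Status)
	}
	var offered []string
	for _, f := range resp.Embedded.Factors {
		id := strings.ToUpper(f.Provider + " " + f.FactorType)
		if supportedFactors[id] {
			return id, nil
		}
		offered = append(offered, id)
	}
	return "", fmt.Errorf("no supported MFA factor; IdP offered: %s", strings.Join(offered, ", "))
}

func main() {
	_, err := selectFactor([]byte(sampleAuthn))
	fmt.Println(err) // no supported MFA factor; IdP offered: CUSTOM CLAIMS_PROVIDER
}
```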

zemliany commented 7 months ago

E.g. aws-adfs, which seems to support this DUO Universal Prompt feature: https://github.com/venth/aws-adfs/blob/master/aws_adfs/_duo_universal_prompt_authenticator.py

zemliany commented 7 months ago

any updates?

bkohrn commented 6 months ago

It sounds like this may be an issue with any use of Duo; not with any single provider. My organization uses Shibboleth, and I'm encountering similar issues after they changed Duo over to the Duo Universal Prompt. In relevant part (starting after I entered my password and it sent the provider command), my verbose log reads:

```console
DEBU[0006] HTTP Req                                      URL="https://idp.u.washington.edu/idp/profile/SAML2/Unsolicited/SSO?execution=e1s1" http=client method=POST
DEBU[0006] HTTP Res                                      Status="200 OK" http=client
panic: runtime error: index out of range [1] with length 0

goroutine 1 [running]:
github.com/versent/saml2aws/v2/pkg/provider/shibboleth.parseTokens({0xc0007ded80, 0xd39})
        github.com/versent/saml2aws/v2/pkg/provider/shibboleth/shibboleth.go:407 +0x239
github.com/versent/saml2aws/v2/pkg/provider/shibboleth.verifyMfa(0xc00022f550, 0xc0004dc000, {0xc0004a4501, 0x1c}, {0xc0007ded80, 0x31})
        github.com/versent/saml2aws/v2/pkg/provider/shibboleth/shibboleth.go:148 +0x5c
github.com/versent/saml2aws/v2/pkg/provider/shibboleth.(*Client).Authenticate(0xc00022f550, 0xc000242240)
        github.com/versent/saml2aws/v2/pkg/provider/shibboleth/shibboleth.go:105 +0x4dd
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login(0xc00022a140)
        github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105 +0x4da
main.main()
        ./main.go:188 +0x6c48
```

Edit: I see this on both saml2aws v2.34.0 and on saml2aws v2.36.10 (same behavior, same error, but the version I copied is from 2.34.0).

zemliany commented 6 months ago

@bkohrn yeah, it seems Duo as a provider implements a frameless prompt that, at the start of the auth session, redirects to a page hosted on duosecurity.com with a random prefix (e.g. xxxxx-id.duosecurity.com).

Based on that announcement https://help.duo.com/s/article/6441?language=en_US I think they want to fight third-party clients, so that's why they are trying to beat all these clients by not allowing them to be used with the Duo Universal Prompt and the new version of the frameless WebSDK4, but it doesn't mean that it's not possible to achieve workability of saml2aws with these recent innovations. There is an example for the gimme-aws-creds CLI, which supports Okta and the Duo Universal Prompt through Okta Classic: https://github.com/Nike-Inc/gimme-aws-creds/pull/437

On the other hand, gimme-aws-creds can be used instead of saml2aws, but gimme-aws-creds has a number of other disadvantages, like the remember_device feature doesn't work, the tool doesn't have SAML caching, and many others.

scottyrogers commented 3 months ago

We are also facing the same issue with JumpCloud and DUO. We've had conversations with DUO and they are unwilling to support saml2aws or give us an option to roll back the Duo Universal Prompt forced migration they made on May 30th, which broke saml2aws.