Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License
2.04k stars 556 forks

AzureAD: reached an unknown page within the authentication process #1219

Open jf13 opened 4 months ago

jf13 commented 4 months ago

Hi, is there any update on this?

There was an old topic about it which is closed, but it doesn't look like it was resolved: https://github.com/Versent/saml2aws/issues/628

I am seeing the same error on version 2.36.13:

reached an unknown page within the authentication process provider=AzureAD failed get SAMLAssertion

Check below:

% saml2aws login --verbose
DEBU[0000] Running                                       command=login
DEBU[0000] Check if creds exist.                         command=login
DEBU[0000] Expand                                        name=/Users/testuser/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/Users/testuser/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/Users/testuser/.aws/credentials pkg=awsconfig
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.com
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://account.activedirectory.windowsazure.com"
To use saved password just hit enter.
? Username testuser@example.com
? Password *************

DEBU[0010] building provider                             command=login idpAccount="account {\n  AppID: d111a111-1111-1111-1111-111111111111\n  URL: https://account.activedirectory.windowsazure.com\n  Username: testuser@example.com\n  Provider: AzureAD\n  MFA: PhoneAppNotification\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 3600\n  Profile: saml\n  RoleARN: \n  Region: us-east-1\n}"
Authenticating as testuser@example.com ...
DEBU[0010] processing ConvergedSignIn                    provider=AzureAD
DEBU[0010] HTTP Req                                      URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0011] HTTP Res                                      Status="200 OK" http=client
DEBU[0011] HTTP Req                                      URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0011] HTTP Res                                      Status="200 OK" http=client
DEBU[0011] processing a 'hiddenform'                     provider=AzureAD
DEBU[0011] HTTP Req                                      URL="https://device.login.microsoftonline.com:443/" http=client method=POST
DEBU[0011] HTTP Res                                      Status="200 OK" http=client
DEBU[0011] processing a 'hiddenform'                     provider=AzureAD
DEBU[0011] HTTP Req                                      URL="https://login.microsoftonline.com:443/common/DeviceAuthTls/reprocess" http=client method=POST
DEBU[0011] HTTP Res                                      Status="200 OK" http=client
DEBU[0011] processing ConvergedTFA                       provider=AzureAD
DEBU[0011] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0012] HTTP Res                                      Status="200 OK" http=client
Phone approval required. Entropy is: 40
DEBU[0012] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0012] HTTP Res                                      Status="200 OK" http=client
DEBU[0013] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0014] HTTP Res                                      Status="200 OK" http=client
DEBU[0015] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0015] HTTP Res                                      Status="200 OK" http=client
DEBU[0016] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0016] HTTP Res                                      Status="200 OK" http=client
DEBU[0017] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0017] HTTP Res                                      Status="200 OK" http=client
DEBU[0018] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0018] HTTP Res                                      Status="200 OK" http=client
DEBU[0019] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0020] HTTP Res                                      Status="200 OK" http=client
DEBU[0021] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0021] HTTP Res                                      Status="200 OK" http=client
DEBU[0022] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0022] HTTP Res                                      Status="200 OK" http=client
DEBU[0023] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0023] HTTP Res                                      Status="200 OK" http=client
DEBU[0024] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0025] HTTP Res                                      Status="200 OK" http=client
DEBU[0026] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0026] HTTP Res                                      Status="200 OK" http=client
DEBU[0027] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0027] HTTP Res                                      Status="200 OK" http=client
DEBU[0027] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0027] HTTP Res                                      Status="200 OK" http=client
DEBU[0027] processing KmsiInterrupt                      provider=AzureAD
DEBU[0027] HTTP Req                                      URL="https://login.microsoftonline.com/kmsi" http=client method=POST
DEBU[0027] HTTP Res                                      Status="200 OK" http=client
DEBU[0027] processing a 'hiddenform'                     provider=AzureAD
DEBU[0027] HTTP Req                                      URL="https://account.activedirectory.windowsazure.com/" http=client method=POST
DEBU[0028] HTTP Res                                      Status="200 OK" http=client
DEBU[0028] reached an unknown page within the authentication process  provider=AzureAD
failed get SAMLAssertion
github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).Authenticate
    github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:221
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
    github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:195
runtime.main
    runtime/proc.go:267
runtime.goexit
    runtime/asm_arm64.s:1197
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:109
main.main
    github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:195
runtime.main
    runtime/proc.go:267
runtime.goexit
    runtime/asm_arm64.s:1197
dammsd commented 2 months ago

I had exactly the same issue, and it turned out I was using an incorrect app_id.