Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License
2.04k stars, 556 forks

AzureAD: Stuck in loop for PhoneAppNotification even if the code is correct #1226

Closed Bozz95 closed 3 weeks ago

Bozz95 commented 4 months ago

Hello everyone,

I'm trying to use this tool to get AWS CLI credentials by logging in to AzureAD. I reach the point where the program asks me to confirm the login via the phone app, but after confirming with the right number it keeps asking me to confirm again with a new number.

Here are some verbose logs; I redacted some sensitive information:

DEBU[0005] Running                                       command=login
DEBU[0005] Check if creds exist.                         command=login
DEBU[0005] Expand                                        name=/home/bozmir/.aws/credentials pkg=awsconfig
DEBU[0005] resolveSymlink                                name=/mnt/c/Users/mirco.bozzolini/.aws/credentials pkg=awsconfig
DEBU[0005] ensureConfigExists                            filename=/mnt/c/Users/mirco.bozzolini/.aws/credentials pkg=awsconfig
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username <REDACTED>
? Password ****************

DEBU[0018] building provider                             command=login idpAccount="account {\n  AppID: <REDACTED>\n  URL: https://account.activedirectory.windowsazure.com\n  Username: <REDACTED>\n  Provider: AzureAD\n  MFA: PhoneAppNotification\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 3600\n  Profile: tep-azure\n  RoleARN: \n  Region: \n}"
Authenticating as <REDACTED> ...
DEBU[0019] processing ConvergedSignIn                    provider=AzureAD
DEBU[0019] HTTP Req                                      URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0019] HTTP Res                                      Status="200 OK" http=client
DEBU[0019] HTTP Req                                      URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0020] HTTP Res                                      Status="200 OK" http=client
DEBU[0020] processing KmsiInterrupt                      provider=AzureAD
DEBU[0020] HTTP Req                                      URL="https://login.microsoftonline.com/kmsi" http=client method=POST
DEBU[0020] HTTP Res                                      Status="200 OK" http=client
DEBU[0020] processing a 'hiddenform'                     provider=AzureAD
DEBU[0020] HTTP Req                                      URL="https://account.activedirectory.windowsazure.com/" http=client method=POST
DEBU[0023] HTTP Res                                      Status="200 OK" http=client
DEBU[0024] processing SAMLRequest                        provider=AzureAD
DEBU[0024] processing ConvergedTFA                       provider=AzureAD
DEBU[0024] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0024] HTTP Res                                      Status="200 OK" http=client
Phone approval required. Entropy is: 96
DEBU[0024] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0025] HTTP Res                                      Status="200 OK" http=client
DEBU[0027] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0027] HTTP Res                                      Status="200 OK" http=client
DEBU[0029] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0029] HTTP Res                                      Status="200 OK" http=client
DEBU[0031] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0031] HTTP Res                                      Status="200 OK" http=client
DEBU[0033] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0033] HTTP Res                                      Status="200 OK" http=client
DEBU[0033] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0033] HTTP Res                                      Status="200 OK" http=client
DEBU[0033] processing ConvergedTFA                       provider=AzureAD
DEBU[0033] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0034] HTTP Res                                      Status="200 OK" http=client
Phone approval required. Entropy is: 32
DEBU[0034] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0034] HTTP Res                                      Status="200 OK" http=client
DEBU[0036] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0037] HTTP Res                                      Status="200 OK" http=client
DEBU[0039] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0039] HTTP Res                                      Status="200 OK" http=client
DEBU[0041] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0041] HTTP Res                                      Status="200 OK" http=client
DEBU[0041] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0041] HTTP Res                                      Status="200 OK" http=client
DEBU[0041] processing ConvergedTFA                       provider=AzureAD
DEBU[0041] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0042] HTTP Res                                      Status="200 OK" http=client
Phone approval required. Entropy is: 91
DEBU[0042] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0042] HTTP Res                                      Status="200 OK" http=client
DEBU[0044] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0044] HTTP Res                                      Status="200 OK" http=client
DEBU[0046] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0046] HTTP Res                                      Status="200 OK" http=client
DEBU[0048] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0049] HTTP Res                                      Status="200 OK" http=client
DEBU[0049] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0049] HTTP Res                                      Status="200 OK" http=client
DEBU[0049] processing ConvergedTFA                       provider=AzureAD
DEBU[0049] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST

This time I stopped the program after 4 tries.

Looking at the code with some additional logs, it seems the process is stuck in the Authenticate function, because it receives the same page before and after processConvergedTFA.

I know the code I'm sending is correct because processConvergedTFA returns without errors, but I think there might be a problem with my AD configuration, which returns an unexpected page.

I would really appreciate some help 🙏
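
Added example (not part of the issue and not saml2aws code): a small Go program that groups saml2aws `--verbose` output into ConvergedTFA cycles and flags the re-challenge loop reported above, so you can tell from a log whether SAS/ProcessAuth was posted (the approval went through) and yet another number-matching challenge followed. The line patterns it matches (`processing ConvergedTFA`, `Entropy is:`, the `SAS/EndAuth` and `SAS/ProcessAuth` URLs) are taken from the log in the report; the embedded sample is a constructed, shortened copy of that log, and the type and function names (`MFACycle`, `ParseMFACycles`, `CountRechallenges`) are my own.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// MFACycle is one ConvergedTFA round seen in saml2aws verbose output:
// the number-matching value shown to the user, how many SAS/EndAuth polls
// were made, and whether SAS/ProcessAuth was posted (the IdP accepted the
// approval and the tool moved on to the next page).
type MFACycle struct {
	Entropy  int  // -1 if no "Entropy is:" line was seen for this cycle
	EndAuth  int  // number of SAS/EndAuth polls
	Finished bool // SAS/ProcessAuth was posted for this cycle
}

var (
	entropyRe = regexp.MustCompile(`Entropy is: (\d+)`)
	urlRe     = regexp.MustCompile(`URL="([^"]+)"`)
)

// ParseMFACycles groups verbose log lines into MFA cycles. A new cycle starts
// at every "processing ConvergedTFA" line; lines before the first one are ignored.
func ParseMFACycles(lines []string) []MFACycle {
	var cycles []MFACycle
	for _, line := range lines {
		if strings.Contains(line, "processing ConvergedTFA") {
			cycles = append(cycles, MFACycle{Entropy: -1})
			continue
		}
		if len(cycles) == 0 {
			continue
		}
		cur := &cycles[len(cycles)-1]
		if m := entropyRe.FindStringSubmatch(line); m != nil {
			if n, err := strconv.Atoi(m[1]); err == nil {
				cur.Entropy = n
			}
			continue
		}
		if m := urlRe.FindStringSubmatch(line); m != nil {
			switch {
			case strings.HasSuffix(m[1], "/SAS/EndAuth"):
				cur.EndAuth++
			case strings.HasSuffix(m[1], "/SAS/ProcessAuth"):
				cur.Finished = true
			}
		}
	}
	return cycles
}

// CountRechallenges returns how many cycles were completed (ProcessAuth posted)
// and then immediately followed by another ConvergedTFA challenge. Any value
// above zero is the loop from the issue: the approval was accepted and the
// page that came back was still classified as a fresh MFA challenge.
func CountRechallenges(cycles []MFACycle) int {
	n := 0
	for i := 0; i+1 < len(cycles); i++ {
		if cycles[i].Finished {
			n++
		}
	}
	return n
}

// SampleLog is a constructed, shortened copy of the verbose output in the
// issue (most EndAuth polls and the HTTP Res lines dropped).
const SampleLog = `DEBU[0024] processing SAMLRequest                        provider=AzureAD
DEBU[0024] processing ConvergedTFA                       provider=AzureAD
DEBU[0024] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
Phone approval required. Entropy is: 96
DEBU[0024] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0027] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0033] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0033] processing ConvergedTFA                       provider=AzureAD
DEBU[0033] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
Phone approval required. Entropy is: 32
DEBU[0034] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0041] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0041] processing ConvergedTFA                       provider=AzureAD
DEBU[0041] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
Phone approval required. Entropy is: 91
DEBU[0042] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0049] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0049] processing ConvergedTFA                       provider=AzureAD
DEBU[0049] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST`

func main() {
	cycles := ParseMFACycles(strings.Split(SampleLog, "\n"))
	for i, c := range cycles {
		fmt.Printf("cycle %d: entropy=%d endauth_polls=%d processauth=%v\n", i+1, c.Entropy, c.EndAuth, c.Finished)
	}
	if n := CountRechallenges(cycles); n > 0 {
		fmt.Printf("LOOP: %d approved challenge(s) were followed by a new ConvergedTFA challenge\n", n)
	}
}
```

To run it against a real session, replace `SampleLog` with the captured output of `saml2aws login --verbose`. A changing entropy value per cycle means each round is a genuinely new number-matching prompt from the IdP, not a retry of the same one, which is the pattern the report shows; a cycle that never reaches ProcessAuth would instead point at the approval itself timing out.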

ikorchynskyi commented 3 months ago

I suppose it is the same issue as #1072

mapkon commented 3 weeks ago

Duplicate of #1072