Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

ConvergedConditionalAccess again #1256

Closed Sanofi-EL closed 6 months ago

Sanofi-EL commented 7 months ago

While trying to use saml2aws in my company I get the following error:

> saml2aws.exe login
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username (<user>@<company>.com)

? Username <user>@<company>.com
? Password ***************

Authenticating as <user>@<company>.com ...
Error authenticating to IdP.: failed get SAMLAssertion

This is the brief error message: "Error authenticating to IdP.: failed get SAMLAssertion"

This is the verbose output:

> saml2aws.exe login --verbose
time="2024-04-29T11:49:24+02:00" level=debug msg=Running command=login
time="2024-04-29T11:49:24+02:00" level=debug msg="Check if creds exist." command=login
time="2024-04-29T11:49:24+02:00" level=debug msg=Expand name="C:\\Users\\<user>/.aws/credentials" pkg=awsconfig
time="2024-04-29T11:49:25+02:00" level=debug msg=resolveSymlink name="C:\\Users\\<user>\\.aws\\credentials" pkg=awsconfig
time="2024-04-29T11:49:25+02:00" level=debug msg=ensureConfigExists filename="C:\\Users\\<user>\\.aws\\credentials" pkg=awsconfig
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username (<user>@<company>.com)

? Username <user>@<company>.com
? Password ***************

time="2024-04-29T11:49:29+02:00" level=debug msg="building provider" command=login idpAccount="account {\n  AppID: d54751f6-d3ac-4084-8518-dc4de63290de\n  URL: https://account.activedirectory.windowsazure.com\n  Username: <user>@<company>.com\n  Provider: AzureAD\n  MFA: Auto\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 14400\n  Profile: saml\n  RoleARN: \n  Region: \n}"
Authenticating as <user>@<company>.com ...
time="2024-04-29T11:49:30+02:00" level=debug msg="processing ConvergedSignIn" provider=AzureAD
time="2024-04-29T11:49:30+02:00" level=debug msg="HTTP Req" URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
time="2024-04-29T11:49:30+02:00" level=debug msg="HTTP Res" Status="200 OK" http=client
time="2024-04-29T11:49:30+02:00" level=debug msg="HTTP Req" URL="https://login.microsoftonline.com/common/login" http=client method=POST
time="2024-04-29T11:49:30+02:00" level=debug msg="HTTP Res" Status="200 OK" http=client
time="2024-04-29T11:49:30+02:00" level=debug msg="processing a 'hiddenform'" provider=AzureAD
time="2024-04-29T11:49:30+02:00" level=debug msg="HTTP Req" URL="https://device.login.microsoftonline.com:443/" http=client method=POST
time="2024-04-29T11:49:31+02:00" level=debug msg="HTTP Res" Status="200 OK" http=client
time="2024-04-29T11:49:31+02:00" level=debug msg="processing a 'hiddenform'" provider=AzureAD
time="2024-04-29T11:49:31+02:00" level=debug msg="HTTP Req" URL="https://login.microsoftonline.com:443/common/DeviceAuthTls/reprocess" http=client method=POST
time="2024-04-29T11:49:31+02:00" level=debug msg="HTTP Res" Status="200 OK" http=client
time="2024-04-29T11:49:31+02:00" level=debug msg="unknown process step found:ConvergedConditionalAccess" provider=AzureAD
failed get SAMLAssertion
github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).Authenticate
        github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:222
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
        github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
        ./main.go:191
runtime.main
        runtime/proc.go:250
runtime.goexit
        runtime/asm_amd64.s:1598
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
        github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
        ./main.go:191
runtime.main
        runtime/proc.go:250
runtime.goexit
        runtime/asm_amd64.s:1598

Here is this step: "unknown process step found:ConvergedConditionalAccess"

I am aware of this issue: #1075. I am not using Chrome; I do not have it installed at all. The only weirdness I could have is that my company laptop belonged to another person who installed a non-US-English Windows on it. I switched back to US regional settings...

I have downloaded the source code and compiled it, and it is the same issue. Any tips on how to debug?

Sanofi-EL commented 6 months ago

I would like to comment that I was able to solve the issue.

And the problem was that, for me personally, the Active Directory (AD) service was rejecting the connection. The message was somewhat cryptic: “unknown process step found:ConvergedConditionalAccess”, whereas actually a double MFA validation imposed by my organisation/company was completely denying this second authentication. It was not exactly "unknown". This step was denied completely by the AD server, not "unknown". It was denying it because of an internal flag, where I was not allowed to do certain AD operations.

The situation got solved by removing me from the "black list" and allowing "outside AD Group" authentication, which permitted the second (or MFA) authentication.

There is no bug in the saml2aws tool. Closing the issue.
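The two comments above show the diagnostic gap: the verbose log says "unknown process step found:ConvergedConditionalAccess", but the real cause was a tenant-side Conditional Access / MFA policy denying the sign-in. The following Go program is an added example, not code from saml2aws: it parses the logrus-style `key=value` lines from a `--verbose` run, lists which AzureAD sign-in steps the provider processed or rejected as unknown, and maps the `ConvergedConditionalAccess` step to the operator check this thread's resolution points at. The sample log is constructed from the lines quoted in the issue; the `StepStatus` type, `ParseLine`, `ExtractSteps` and `Diagnose` are names invented for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample: the relevant lines of the verbose login output quoted in
// this issue (timestamps and fields kept as in the report).
const sampleLog = `time="2024-04-29T11:49:30+02:00" level=debug msg="processing ConvergedSignIn" provider=AzureAD
time="2024-04-29T11:49:30+02:00" level=debug msg="HTTP Req" URL="https://login.microsoftonline.com/common/login" http=client method=POST
time="2024-04-29T11:49:30+02:00" level=debug msg="HTTP Res" Status="200 OK" http=client
time="2024-04-29T11:49:31+02:00" level=debug msg="processing a 'hiddenform'" provider=AzureAD
time="2024-04-29T11:49:31+02:00" level=debug msg="unknown process step found:ConvergedConditionalAccess" provider=AzureAD
failed get SAMLAssertion`

// fieldRe matches one key=value pair: the value is either a Go-style quoted
// string (escapes allowed, as logrus emits them) or a bare token.
var fieldRe = regexp.MustCompile(`(\w+)=("(?:[^"\\]|\\.)*"|\S+)`)

// ParseLine turns one logfmt line into a key/value map. Lines without any
// key=value pair (the bare error line, stack frames) yield nil.
func ParseLine(line string) map[string]string {
	matches := fieldRe.FindAllStringSubmatch(line, -1)
	if len(matches) == 0 {
		return nil
	}
	fields := make(map[string]string, len(matches))
	for _, m := range matches {
		v := m[2]
		if strings.HasPrefix(v, `"`) {
			// Unquote handles the escaped quotes, backslashes and \n in quoted values.
			if u, err := strconv.Unquote(v); err == nil {
				v = u
			}
		}
		fields[m[1]] = v
	}
	return fields
}

// StepStatus records one AzureAD sign-in step the provider reported.
type StepStatus struct {
	Step    string // e.g. ConvergedSignIn, ConvergedConditionalAccess
	Handled bool   // true when the log says "processing <step>", false for "unknown process step"
}

var (
	processingRe = regexp.MustCompile(`^processing (\S+)$`)
	unknownRe    = regexp.MustCompile(`^unknown process step found:(\S+)$`)
)

// ExtractSteps walks the log and collects every sign-in step the AzureAD
// provider either processed or rejected as unknown, in order.
func ExtractSteps(log string) []StepStatus {
	var steps []StepStatus
	for _, line := range strings.Split(log, "\n") {
		f := ParseLine(line)
		if f == nil || f["provider"] != "AzureAD" {
			continue
		}
		if m := processingRe.FindStringSubmatch(f["msg"]); m != nil {
			steps = append(steps, StepStatus{Step: m[1], Handled: true})
		} else if m := unknownRe.FindStringSubmatch(f["msg"]); m != nil {
			steps = append(steps, StepStatus{Step: m[1], Handled: false})
		}
	}
	return steps
}

// Diagnose maps the first unhandled step to the check an operator should run.
// Only ConvergedConditionalAccess has a meaning established in this thread;
// any other unhandled step is reported as genuinely unsupported by the build.
func Diagnose(steps []StepStatus) string {
	for _, s := range steps {
		if s.Handled {
			continue
		}
		if s.Step == "ConvergedConditionalAccess" {
			return "Conditional Access gated the sign-in: per this issue's resolution, a tenant MFA/group policy " +
				"denied the user for this AppID. Review the Conditional Access policy assignment for the user " +
				"and the app before treating this as a tool bug."
		}
		return "sign-in step " + s.Step + " is not handled by this saml2aws build; check the provider's " +
			"supported steps before assuming an IdP-side policy"
	}
	return "all sign-in steps were processed; the failure is elsewhere in the log"
}

func main() {
	steps := ExtractSteps(sampleLog)
	for _, s := range steps {
		fmt.Printf("step=%-28s handled=%v\n", s.Step, s.Handled)
	}
	fmt.Println(Diagnose(steps))
}
```

Run it against a saved `saml2aws login --verbose` transcript instead of the embedded sample to get the same triage for a real session; the parser ignores the stack-trace lines because they carry no `key=value` pairs.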