Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License
2.08k stars 562 forks source link

Failure to Authenticate with AzureAD when Device Verification is Enabled #1298

Open icirellik opened 4 months ago

icirellik commented 4 months ago

Periodically our organization administrator requires us to verify our devices, which blocks the SAML authentication process and requires manual verification. This is the screen you would see after a successful authentication in the browser when verification is required.

more-information

A more insightful error would be helpful as automatic verification would defeat the security protections. As you can see from the output below the current error is confusing as it indicates the OTP was entered twice instead of directing the user to log in in the browser which is the correct action in this instance.

saml2aws login --force
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username person@example.org
? Password

Authenticating as person@example.org  ...
? Enter verification code 123456
? Enter verification code 123456
Error authenticating to IdP.: error processing MFA, errcode: 500121, message: PhoneAppOtpAuthFailedDuplicateCodeEntered

The verbose output indicates a successful authentication followed by a duplicate code:

// First OTP
{"Success":true,"ResultValue":"Success"}
// Second OTP
{"Success":false,"ResultValue":"PhoneAppOtpAuthFailedDuplicateCodeEntered"}
radityasurya commented 4 months ago

I also had this issue, enter two different otp code seems to be working