We're using Okta Verify on our Macs to validate the computer is enrolled in the company MDM (proving it is company hardware). This relies on SCEP between Okta and Jamf Pro to deploy a rotating certificate in macOS Keychain which Okta Verify can detect and then approve using TouchID.
A normal auth flow using example.okta.com in a browser is:

1. Log in to Okta
2. Be prompted for YubiKey
3. See Dashboard
4. Click AWS tile
5. Get prompted for Okta Verify if it's a production account
6. TouchID to authenticate Okta Verify
7. Access granted
The issue here is saml2aws fails after the YubiKey is accepted with the following error:
Error authenticating to IdP.: error retrieving auth response: request for url: https://EXAMPLE.okta.com/api/v1/authn failed status: 401 Unauthorized
Is there any configuration we can change to the ~/.saml2aws file to make this work, or is this an unsupported configuration for API access? If this is an unsupported configuration, how can we get CLI API access without providing a less secure path than forcing it to be on company hardware?