Closed lconnell closed 12 months ago
If you're using an MFA with ADFS (3.0) then you will need to modify saml2aws to support the intermediate request used by your MFA. This normally means a bit of debugging in Chrome to see what is going on behind the scenes.
You can kind of get the gist of it with the existing MFA code.
What is the MFA you're using?
I am using the Google Authenticator
I am using OKTA with OKTA MFA and I am getting the exact error after authentication and authorization, while the debug says status=200 ok.
+1 using OKTA got the exact error.
Can you share more info about your configuration as well as the debug logging with the --verbose output?
? Please choose a provider: ADFS
? Please choose an MFA Auto
? AWS Profile saml
? URL https://fs.example.com/adfs/ls/idpinitiatedsignon.htm
? Username xxx@example.com
? Password No password supplied
account { URL: fs.example.com/adfs/ls/idpinitiatedsignon.htm Username: xxx@example.com Provider: ADFS MFA: Auto SkipVerify: false AmazonWebservicesURN: urn:amazon:webservices SessionDuration: 3600 Profile: saml RoleARN: }
Configuration saved for IDP account: default
saml2aws login
Using IDP Account default to access ADFS https://fs.example.com/adfs/ls/idpinitiatedsignon.htm
To use saved password just hit enter.
? Username xxx@example.com
? Password
Authenticating as xxx@example.com ...
Response did not contain a valid SAML assertion
Please check your username and password is correct
We use OKTA MFA for our ADFS service.
I had the same issue, make sure you're not required to be on some company VPN before connecting. That's the way it behaves if it is required.
@mphoratiu we don't use VPN, without MFA saml2aws worked perfectly. Once MFA enabled, it stopped working. It didn't even prompt me to enter the passcode, which is demonstrated in the official doc.
$ saml2aws login
Using IDP Account default to access Ping https://id.example.com
To use saved password just hit enter.
Username [mark.wolfe@example.com]:
Password: ****
Authenticating as mark.wolfe@example.com ...
Enter passcode: 123456
Selected role: arn:aws:iam::123123123123:role/AWS-Admin-CloudOPSNonProd
Requesting AWS credentials using SAML assertion
Saving credentials
Logged in as: arn:aws:sts::123123123123:assumed-role/AWS-Admin-CloudOPSNonProd/wolfeidau@example.com
Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2016-09-19 15:59:49 +1000 AEST
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile saml ec2 describe-instances --region us-east-1).
I just thought I'd drop a note in here, I had this error when I was trying to set up my access on a new computer and it ended up being my Okta account being locked. I normally didn't have to enter a password but I guess the first time you log in I had to. My account was locked because normally I would enter a blank or bogus password. Also commenting for my future self when I find this again ;)
+1 using Okta provider and Push MFA.
I am getting a request for push notification on my device and on trying to approve, it recognizes that the request was approved however fails with this error. Below is the output with --verbose:
$ saml2aws login --verbose
DEBU[0000] Running command=login
DEBU[0000] check if Creds Exist command=login
DEBU[0000] Expand name=/Users/nshah/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink name=/Users/nshah/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists filename=/Users/nshah/.aws/credentials pkg=awsconfig
Using IDP Account default to access Okta https://mytest.okta.com/home/amazon_aws/6jzlat0sauzQlP13z569/50
DEBU[0000] Get credentials helper=osxkeychain serverURL="https://mytest.okta.com/home/amazon_aws/6jzlat0sauzQlP13z569/50"
DEBU[0000] Get credentials helper=osxkeychain user=nshah
To use saved password just hit enter.
? Username nshah
? Password
DEBU[0002] building provider command=login idpAccount="account {\n URL: https://mytest.okta.com/home/amazon_aws/6jzlat0sauzQlP13z569/50\n Username: nshah\n Provider: Okta\n MFA: PUSH\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 3600\n Profile: saml\n RoleARN: \n}"
Authenticating as nshah ...
DEBU[0002] HTTP Req URL="https://mytest.okta.com/api/v1/authn" http=client method=POST
DEBU[0004] HTTP Res Status="200 OK" http=client
DEBU[0004] MFA factorID=opf10spckqPkgbbtJ357 mfaIdentifer="OKTA PUSH" oktaVerify="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" provider=okta
DEBU[0004] HTTP Req URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0004] HTTP Res Status="200 OK" http=client
Waiting for approval, please check your Okta Verify app ...DEBU[0004] HTTP Req URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0005] HTTP Res Status="200 OK" http=client
.DEBU[0005] Waiting for user to authorize login provider=okta
DEBU[0005] HTTP Req URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0006] HTTP Res Status="200 OK" http=client
.DEBU[0006] Waiting for user to authorize login provider=okta
DEBU[0006] HTTP Req URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0007] HTTP Res Status="200 OK" http=client
.DEBU[0007] Waiting for user to authorize login provider=okta
DEBU[0007] HTTP Req URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0007] HTTP Res Status="200 OK" http=client
.DEBU[0007] Waiting for user to authorize login provider=okta
DEBU[0007] HTTP Req URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0008] HTTP Res Status="200 OK" http=client
.DEBU[0008] Waiting for user to authorize login provider=okta
DEBU[0008] HTTP Req URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0009] HTTP Res Status="200 OK" http=client
.DEBU[0009] Waiting for user to authorize login provider=okta
DEBU[0009] HTTP Req URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0009] HTTP Res Status="200 OK" http=client
.DEBU[0009] Waiting for user to authorize login provider=okta
DEBU[0009] HTTP Req URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0010] HTTP Res Status="200 OK" http=client
.DEBU[0010] Waiting for user to authorize login provider=okta
DEBU[0010] HTTP Req URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0010] HTTP Res Status="200 OK" http=client
.DEBU[0010] Waiting for user to authorize login provider=okta
DEBU[0010] HTTP Req URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0011] HTTP Res Status="200 OK" http=client
.DEBU[0011] Waiting for user to authorize login provider=okta
DEBU[0011] HTTP Req URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0012] HTTP Res Status="200 OK" http=client
Approved
DEBU[0012] HTTP Req URL="https://mytest.okta.com/login/sessionCookieRedirect?checkAccountSetupComplete=true&redirectUrl=https%3A%2F%2Fmytest.okta.com%2Fhome%2Famazon_aws%2F6jzlat0sauzQlP13z569%2F50&token=81773zufdrt1nM-C4s2a84_h_WSY3dzOx1vHJ5UU2eqjsL" http=client method=GET
DEBU[0013] HTTP Res Status="200 OK" http=client
Response did not contain a valid SAML assertion
Please check your username and password is correct
The results are the same even if you provide --role=<iam-role-arn>
I do however get a notification from my MFA authenticator after attempting to login.
Configuration: ADFS Auto
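The verbose log above ends with an HTTP 200 from the IdP and yet "Response did not contain a valid SAML assertion", which tells the user nothing about what the IdP actually sent back (a password prompt, an MFA interstitial, a SAML Response whose Status is a failure, ...). The following is an added diagnostic script, not saml2aws code and not from anyone in this thread: it scans the final HTML page for a `SAMLResponse` form field, base64-decodes it and checks for a `saml:Assertion` inside a `samlp:Response`; when no such field exists it lists the form fields that were present instead. The three sample pages at the bottom, the `Passcode`/`UserName` field names and the `idp.example.invalid` issuer are all constructed for the example.

```python
"""Classify the HTML an IdP returns after login: assertion present or not, and why."""
import base64
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class _FormScanner(HTMLParser):
    """Collect every <form action> and the <input name=value> pairs inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []  # [{"action": str, "inputs": {name: value}}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["inputs"][a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def diagnose(html):
    """Return {"status": ..., "detail": ...} describing the page.

    status is one of:
      "assertion"                   - samlp:Response with a saml:Assertion (detail: StatusCode)
      "response-without-assertion"  - samlp:Response but no assertion (detail: StatusCode)
      "malformed"                   - SAMLResponse field present but not decodable SAML
      "no-saml-form"                - no SAMLResponse field; detail lists the form fields seen
    """
    scanner = _FormScanner()
    scanner.feed(html)
    for form in scanner.forms:
        b64 = form["inputs"].get("SAMLResponse")
        if b64 is None:
            continue
        try:
            root = ET.fromstring(base64.b64decode(b64, validate=True))
        except (ValueError, ET.ParseError) as exc:
            return {"status": "malformed", "detail": str(exc)}
        if root.tag != f"{{{SAMLP_NS}}}Response":
            return {"status": "malformed", "detail": f"root element is {root.tag}"}
        status_code = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
        code = status_code.get("Value", "") if status_code is not None else ""
        if root.find(f"{{{SAML_NS}}}Assertion") is None:
            return {"status": "response-without-assertion", "detail": code}
        return {"status": "assertion", "detail": code}
    # No SAMLResponse anywhere: report which form the IdP stopped at instead,
    # so the user sees e.g. a passcode prompt rather than a generic password error.
    fields = sorted({name for f in scanner.forms for name in f["inputs"]})
    return {"status": "no-saml-form", "detail": ", ".join(fields) or "no form"}


def _page_with_saml(xml_text):
    """Wrap a SAML XML document in the auto-submit form an IdP would send (constructed)."""
    b64 = base64.b64encode(xml_text.encode()).decode()
    return (
        '<html><body><form action="https://signin.aws.amazon.com/saml" method="post">'
        f'<input type="hidden" name="SAMLResponse" value="{b64}"/></form></body></html>'
    )


# Constructed sample pages: a successful response, a failed response, and an MFA interstitial.
GOOD_PAGE = _page_with_saml(
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.invalid</saml:Issuer>'
    '</saml:Assertion></samlp:Response>'
)
FAILED_PAGE = _page_with_saml(
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_c2" Version="2.0">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>'
    '</samlp:Response>'
)
MFA_PAGE = (
    '<html><body><form action="/login/mfa" method="post">'
    '<input type="hidden" name="UserName" value="nshah"/><input type="text" name="Passcode"/>'
    '</form></body></html>'
)

if __name__ == "__main__":
    for label, page in (("good", GOOD_PAGE), ("failed", FAILED_PAGE), ("mfa", MFA_PAGE)):
        print(label, diagnose(page))
```

Run against the body of the last HTTP response in a `--verbose` session (the `sessionCookieRedirect` GET in the log above), `diagnose` separates "the IdP never issued SAML because it is still waiting on a second factor" from "the IdP issued a SAML Response whose Status is not Success", which is the distinction the generic "check your username and password" message hides.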