Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

re: GovCloud Support - JumpCloud #187

Closed mr-brody closed 4 years ago

mr-brody commented 6 years ago

Hi,

This is similar to closed issue: https://github.com/Versent/saml2aws/issues/89

I'm unable to authenticate against AWS GovCloud using JumpCloud and saml2aws. Authenticating via a browser works without issue. I see that there is a similar message in the aforementioned close issue as well with what I believe is a similar use case.

The debug output shows the following without the account# sanitized:

    Selected role: arn:aws-us-gov:iam::<ACCT#>:role/my-role
    Requesting AWS credentials using SAML assertion
    InvalidIdentityToken: Specified provider doesn't exist (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlManifestNotFoundException; Request ID: 6a04524e-7641-11e8-8430-23423423423432a)
        status code: 400, request id: 6a00cfd1-7641-11e8-a7cb-41b0c078a475
    error retrieving STS credentials using SAML
    github.com/versent/saml2aws/cmd/saml2aws/commands.loginToStsUsingRole
        /Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:244
    github.com/versent/saml2aws/cmd/saml2aws/commands.Login
        /Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:89
    main.main
        /Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:105
    runtime.main
        /usr/local/Cellar/go/1.10/libexec/src/runtime/proc.go:198
    runtime.goexit
        /usr/local/Cellar/go/1.10/libexec/src/runtime/asm_amd64.s:2361
    error logging into aws role using saml assertion
    github.com/versent/saml2aws/cmd/saml2aws/commands.Login
        /Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:91
    main.main
        /Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:105
    runtime.main
        /usr/local/Cellar/go/1.10/libexec/src/runtime/proc.go:198
    runtime.goexit
        /usr/local/Cellar/go/1.10/libexec/src/runtime/asm_amd64.s:2361

    [my-role]
    url                  = https://sso.jumpcloud.com/saml2/my-role
    username             = my-user@example.com
    provider             = JumpCloud
    mfa                  = Auto
    skip_verify          = false
    timeout              = 0
    aws_urn              = urn:amazon:webservices:govcloud
    aws_session_duration = 3600

Thanks in advance for your help.

mr-brody commented 6 years ago

I've been testing out my configuration with debugs and can see the IdP is successfully passing back the assertion, metadata looks good.

I copied the assertion, replaced the encoded characters '+' with a '+' and passed it directly into the AWS call 'sts assume role' and I am returned temp creds.

My hunch is that saml2aws is sending the assertion to the commercial endpoint rather than the govcloud one. Also, looking at the previous commits I may have missed it but didn't find any changes to JumpCloud configurations.

wolfeidau commented 6 years ago

@mr-brody do know of any docs on how to use the AWS SDK with Gov Cloud, I am guessing you need to ensure regions are correctly configured.

You have highlighted that I should also plumb the AWS SDK verbose output into my logger to make debugging this easier, I will add a ticket.

mr-brody commented 6 years ago

Hi @wolfeidau --- thanks for looking into this.

I am pretty familiar with the AWS SDK, cli, etc as I used to work at AWS. At this point though, I am not getting back temporary cred to use the sdk.

Referencing the AWS docs, here's where the error appears to be: "The client app calls the AWS STS AssumeRoleWithSAML API, passing the ARN of the SAML provider, the ARN of the role to assume, and the SAML assertion from IdP." https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html

Using the AWS CLI and the JumpCloud console work fine so I suspect there might be an issue with the JumpCloud provider configuration in saml2aws not using the govcloud endpoint. I had default creds pointing to the gov cloud region when manually testing from the CLI( [default] region = us-gov-west-1).

Was hoping to get debugs on where the saml2aws client is posting the assertion to confirm my suspicions...presuming my configurations in the tail of the first message I sent are accurately defined.

mr-brody commented 6 years ago

Replying back to my previous comment --- after t-shooting this a bit more, I can confirm the suspicion that the assertion is not being sent to the govcloud endpoint. In order to test, I used environment variables: export AWS_REGION=us-gov-west-1

Expected behavior: Defining a region with a named profile within ~/.saml2aws should respect the region. Specifying the urn and/or defining a region variable does not work for govcloud. The SAML assertion should go to this endpoint in govcloud: signin.amazonaws-us-gov.com/saml

Observed behavior: All SAML assertions go to the commercial endpoint when using saml2aws (using Jumpcloud IDaaS): https://signin.aws.amazon.com/saml

Any help here is greatly appreciated. Please let me know if you need any additional info.

nimbius commented 4 years ago

@wolfeidau @mr-brody I am experiencing a similar problem with govcloud. The STS endpoint is listed here: https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-endpoints.html

sts.us-gov-west-1.amazonaws.com sts.us-gov-east-1.amazonaws.com

To clarify, this is not a jumpcloud issue, as I am reproducing it in ADFS

mr-brody commented 4 years ago

Hi @nimbius - I left a comment in this post -> https://github.com/Versent/saml2aws/issues/89. It looks like there is a new-ish feature to pass in a region flag into the ~/.saml2aws file: https://github.com/Versent/saml2aws/commit/2de4696ef4fbf9e3a6e5398ff66294098fbacbb1

I tested with Okta initially but have also tested with JumpCloud and both work. Hope this helps and I think it is safe to close this one out.


url                  = <my-url>
username             = mr-brody@somecompany.com
provider             = Okta
mfa                  = Auto
skip_verify          = false
timeout              = 0
aws_urn              = urn:amazon:webservices:govcloud
aws_session_duration = 43200
aws_profile          = gov-profile
resource_id          =
subdomain            =
role_arn             =
region               = **us-gov-west-1**
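The failure mode discussed in this thread is an assertion for an `arn:aws-us-gov:...` role being posted to the commercial STS endpoint, which has no knowledge of the GovCloud SAML provider and answers with `AuthSamlManifestNotFoundException`. The following is an added, stand-alone Go example (not saml2aws code, and not the project's own logic) of the preflight check a client can run before calling AssumeRoleWithSAML: derive the partition and regional STS endpoint from the configured region, extract the partition from the selected role ARN, and refuse to proceed when they disagree. The helper names (`partitionForRegion`, `STSEndpoint`, `ARNPartition`, `CheckRoleRegion`) are assumptions, the partition mapping by region prefix is a simplification kept to the partitions named here, and the sample account id is constructed; the GovCloud STS endpoints are the ones linked in nimbius's comment.

```go
package main

import (
	"fmt"
	"strings"
)

// partitionForRegion maps an AWS region name to its partition identifier,
// the second field of an ARN (arn:aws-us-gov:iam::<ACCT#>:role/my-role).
// Hypothetical helper; the prefix mapping is a simplification.
func partitionForRegion(region string) (string, error) {
	switch {
	case region == "":
		return "", fmt.Errorf("region is empty; a GovCloud profile must set region explicitly")
	case strings.HasPrefix(region, "us-gov-"):
		return "aws-us-gov", nil
	case strings.HasPrefix(region, "cn-"):
		return "aws-cn", nil
	default:
		return "aws", nil
	}
}

// STSEndpoint returns the regional STS endpoint a correctly configured client
// should post AssumeRoleWithSAML to, e.g. https://sts.us-gov-west-1.amazonaws.com.
func STSEndpoint(region string) (string, error) {
	partition, err := partitionForRegion(region)
	if err != nil {
		return "", err
	}
	suffix := "amazonaws.com"
	if partition == "aws-cn" {
		suffix = "amazonaws.com.cn"
	}
	return fmt.Sprintf("https://sts.%s.%s", region, suffix), nil
}

// ARNPartition extracts the partition field from an ARN.
func ARNPartition(arn string) (string, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[1] == "" {
		return "", fmt.Errorf("malformed ARN %q", arn)
	}
	return parts[1], nil
}

// CheckRoleRegion is the preflight check: the role selected from the SAML
// assertion and the region the STS client will call must share a partition.
// It returns the endpoint to use, or an error describing the mismatch (the
// situation in this thread: an aws-us-gov role sent to the commercial endpoint).
func CheckRoleRegion(roleARN, region string) (string, error) {
	rolePartition, err := ARNPartition(roleARN)
	if err != nil {
		return "", err
	}
	regionPartition, err := partitionForRegion(region)
	if err != nil {
		return "", err
	}
	endpoint, _ := STSEndpoint(region) // cannot fail once partitionForRegion succeeded
	if rolePartition != regionPartition {
		return "", fmt.Errorf("role %s is in partition %q but region %s belongs to partition %q; STS at %s would reject the assertion",
			roleARN, rolePartition, region, regionPartition, endpoint)
	}
	return endpoint, nil
}

func main() {
	// Constructed sample values, modelled on the profile in this thread.
	role := "arn:aws-us-gov:iam::123456789012:role/my-role"
	for _, region := range []string{"us-gov-west-1", "us-east-1", ""} {
		endpoint, err := CheckRoleRegion(role, region)
		if err != nil {
			fmt.Printf("region %q: %v\n", region, err)
			continue
		}
		fmt.Printf("region %q: post AssumeRoleWithSAML to %s\n", region, endpoint)
	}
}
```

Running the check with the profile's `region = us-gov-west-1` yields the GovCloud endpoint; with the region unset or left at a commercial default, the mismatch is reported locally instead of surfacing as a 400 from the wrong STS service.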