Closed howdoicomputer closed 4 years ago
Hm, I'm getting an unmarshal related error now.
```html
<html><head><title>Working...</title></head><body><form method="POST" name="hiddenform" action="https://login.microsoftonline.com:443/common/DeviceAuthTls/reprocess"><input type="hidden" name="ctx" value="rQIIAZWSO2_TUBiG66QNKkNBCIkVJCQkUBI7viSuqETiJmncXGzXSW0vluNL4kvOcezjOPHCytgRIbF0QeqIGKB_oFIHVAmJgZEJGBBiYqRVxQ_gHR59wyt9w_s8zhMlYvshfh2zeMVrmP-uf4nu3Lz9-ez49cvwrH36U_l4V_iAn2DEFKEw3i6XDdOECUAlw0TuwrbcyDYRjFal1AUWTGMjSyK7ZMJZ-T2GXWDYNww7yT0gaIalSJJm2ZI_YyhakooxTqXdyorXu5Lm1b_kbg3qCZpWrgAjN7N_5zYdGM30EMboVf5NfhDaoGNxEIDLh6Wrmg2QaxrIhUCIYGhHyLXjHfOwtzRYzkTNgJxbmTxsU2zFVzNDaiy9dNZorFJaFlvSlJgOFyzni4uJ2g81vuGA4piss5Q-k8W94YFQqy6h4XO9FSPTXmzwlEdZ-65WE4lZNIHD_lQwmKrfU4uaYmRhZX4QHU7CCSB1V5H7mmUHw3ZTCQCng04j7caEDpudZsubCE1DNrke7gxpRh0M5kym27A91xqBVucDJQT-qJHYMsXPybYkpBrkID6JieyAPaSriDT4AUt6qM9ZjBPvp81dvT4QY4Yo1mS9Lo46_dQd1XzFJwxmV1eb2WglWsNpouNywvSrvlJxtO5yUKQ7mUVbmS53FwbBQKLl0Q43Ka6AG7C4OjH3i0ibV9ujOqXuqrvjWsQKsCsRiqJqsJ8KriDZ-CGdyCBgZO6AoKSe7AqLDhO9zRcux59BcJ7fuhwFuNb9MIKOG9hf8_fQ1JiFCIJn8TRByI6cYHWlysU69mM9h2_9WceONy7tu-A_bY-Jp413ueC59_3R2vlGuSzgq4AXRE-SnVpXGvOkIIwTHjgqau-1hk9YsC9Kbdhx5vUdeps4KmBHhcKvQu7FjbXTzf939y81" /><input type="hidden" name="flowtoken" value="AQABAAEAAAAP0wLlqdLVToOpA4kwzSnxJ5-BgQIbihMGa-ITFBaVhb0QJi8eQ9tKg9HJGN8s6Vjd4zxc5IuhTw-Q02nMXYlTbX3tcxNfcw265nWAkpYrsqNycwKA5OEF0sG9ygZKyxywYaO8hxSXVu2esbQCF8IKzey8eC9ocEw94XP76AEhmubIW486ZJ8vQgFaXpop7T_vVL2LUTKcLBxvqKQDFmcq2rgooTawj92y0qXCceD9pq9X8jAgVoLRpsZZSDFNJm4AGpG1uh63GkNt7TUMpIpEFOytfQNBRYqUDqMC_KvJw1nceqAt-NImMBUccxcUMubE6xKYqGpeywRw2des1xhKUvcWUAZMtv8nEf1H4905z-vmzv-pYNDpeBIw2zxbsgpQRZ-2-oZA4A9CKTAzAdKRQz4vQHKlbecuU61Kpa92ggXytFX__OA-shJgmsxfAmVtrB52iPQVmwpKwmCYHKBAnjUfq3AqXRuUawDV8tNZoUFQQ-wRdIFLnoCiCHb68qJm3At0siMFelL_MVinIx3CBucmrfZ30Dc-moIkDAbMXSuZem7txi8vhTeoAZV178hZfRZCYjjRZg7qt3txExqG2J6l8Bpp-TppR4d0Xk_idY31kFQJk-qyFwh4J4-nVSIgAA" /><noscript><p>Script is disabled. 
Click Submit to continue.</p><input type="submit" value="Submit" /></noscript></form><script language="javascript">document.forms[0].submit();</script></body></html>
```
error authenticating to IdP: loginPassword response unmarshal error: unexpected end of JSON input
I got this error when I wasn't using the correct application id. Try confirming that this is correct.
Duplicate of https://github.com/Versent/saml2aws/issues/351
We hit this issue recently too. Oddly enough it hit me last night - but not colleagues - then /them/ this morning. My guess is MS is rolling out a minor update to the page?
Workaround of using aws-azure-login is good for now: https://github.com/sportradar/aws-azure-login
I found our problem was caused by a change we made to not require MFA from our office CIDR. (Though similar, it wasn't done through "Conditional Access" in Azure portal, there's some other page where that can be done)
Odd that not requiring MFA broke the saml2aws plugin's ability to parse the page.
Access from outside that range prompted for MFA, and saml2aws still worked. As did adding an explicit Conditional Access policy for my user, requiring MFA.
@rdkls how is this a duplicate if this issue was created first? Also the workaround is to not use this tool and instead use another tool... I wouldn't call that a workaround. Also considering that the referenced tool requires installation through NPM while this one has natively compiled binaries doesn't make them equivalent (the other tool doesn't even mention macOS support).
@jessechahal I think all of us using that tool use it as Docker. At least that's what we do at my place.
> I found our problem was caused by a change we made to not require MFA from our office CIDR. (Though similar, it wasn't done through "Conditional Access" in Azure portal, there's some other page where that can be done)
I actually never tried it from outside the office, so I decided to give it a go from home today, after your post, to see if it was a similar config issue.
```text
DEBU[0007] HTTP Req URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0008] HTTP Res Status="200 OK" http=client
DEBU[0008] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0010] HTTP Res Status="200 OK" http=client
Phone approval required.
DEBU[0010] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0010] HTTP Res Status="200 OK" http=client
DEBU[0011] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0011] HTTP Res Status="200 OK" http=client
DEBU[0012] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0013] HTTP Res Status="200 OK" http=client
DEBU[0014] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0014] HTTP Res Status="200 OK" http=client
DEBU[0015] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0015] HTTP Res Status="200 OK" http=client
DEBU[0015] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0016] HTTP Res Status="200 OK" http=client
unexpected end of JSON input
ProcessAuth response unmarshal error
github.com/versent/saml2aws/pkg/provider/aad.(*Client).Authenticate
        /Users/markw/go/src/github.com/versent/saml2aws/pkg/provider/aad/aad.go:842
github.com/versent/saml2aws/cmd/saml2aws/commands.ListRoles
        /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/list_roles.go:43
main.main
        /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:142
runtime.main
        /usr/local/Cellar/go/1.13.1/libexec/src/runtime/proc.go:203
runtime.goexit
        /usr/local/Cellar/go/1.13.1/libexec/src/runtime/asm_amd64.s:1357
error authenticating to IdP
github.com/versent/saml2aws/cmd/saml2aws/commands.ListRoles
        /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/list_roles.go:45
main.main
        /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:142
runtime.main
        /usr/local/Cellar/go/1.13.1/libexec/src/runtime/proc.go:203
runtime.goexit
        /usr/local/Cellar/go/1.13.1/libexec/src/runtime/asm_amd64.s:1357
```
Sadly, no fix!
I'm seeing the same issue above, was anyone able to resolve this?
If any Golang guru wants to help me: I did a Python version to solve this problem; it would be awesome to have as part of saml2aws.
https://github.com/giuliocalzolari/aad-aws-login/blob/master/azure_saml.py
So the issue seems to be that the response is an HTML page with a prefilled hidden form that is automatically submitted via JavaScript, as opposed to a JSON response.
Example HTML response:
```html
<html>
<head>
<title>Working...</title>
</head>
<body>
<form method="POST" name="hiddenform" action="https://account.activedirectory.windowsazure.com/">
<input type="hidden" name="code" value="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
<input type="hidden" name="id_token" value="yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" />
<input type="hidden" name="state" value="OpenIdConnect.AuthenticationProperties=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" />
<input type="hidden" name="session_state" value="3509D102-8CB7-42EF-8D07-041B45A12827" />
<noscript>
<p>Script is disabled. Click Submit to continue.</p><input type="submit" value="Submit" />
</noscript></form>
<script language="javascript">document.forms[0].submit();</script>
</body>
</html>
```
PR with fix submitted https://github.com/Versent/saml2aws/pull/435
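As an added illustration of the failure mode described above (this is not saml2aws's own code nor the linked PR): a Go helper that tells a JSON reply apart from the auto-submitting "Working..." page and, for the latter, extracts the form action and hidden fields so the caller can follow the form instead of handing HTML to json.Unmarshal and getting "unexpected end of JSON input". The sample page and its token values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed stand-in for the "Working..." page; token values are placeholders.
const sampleHiddenForm = `<html><head><title>Working...</title></head><body>
<form method="POST" name="hiddenform" action="https://account.activedirectory.windowsazure.com/">
<input type="hidden" name="code" value="PLACEHOLDER_CODE" />
<input type="hidden" name="id_token" value="PLACEHOLDER_ID_TOKEN" />
<input type="hidden" name="state" value="OpenIdConnect.AuthenticationProperties=PLACEHOLDER" />
<noscript><input type="submit" value="Submit" /></noscript></form>
<script language="javascript">document.forms[0].submit();</script></body></html>`

var (
	formActionRe  = regexp.MustCompile(`(?i)<form[^>]*\saction="([^"]+)"`)
	hiddenInputRe = regexp.MustCompile(`(?i)<input[^>]*type="hidden"[^>]*name="([^"]+)"[^>]*value="([^"]*)"`)
)

// HiddenForm is what the browser would auto-submit: the action URL plus its fields.
type HiddenForm struct {
	Action string
	Fields url.Values
}

// ParseAuthResponse decodes a JSON body, or returns the hidden form when the IdP
// answered with the auto-submitting HTML page, rather than feeding HTML to json.Unmarshal.
func ParseAuthResponse(body string) (map[string]interface{}, *HiddenForm, error) {
	trimmed := strings.TrimSpace(body)
	if strings.HasPrefix(trimmed, "{") {
		var js map[string]interface{}
		if err := json.Unmarshal([]byte(trimmed), &js); err != nil {
			return nil, nil, fmt.Errorf("response unmarshal error: %w", err)
		}
		return js, nil, nil
	}
	m := formActionRe.FindStringSubmatch(trimmed)
	if m == nil {
		return nil, nil, fmt.Errorf("response is neither JSON nor a hidden-form page")
	}
	form := &HiddenForm{Action: m[1], Fields: url.Values{}}
	for _, in := range hiddenInputRe.FindAllStringSubmatch(trimmed, -1) {
		form.Fields.Set(in[1], in[2]) // code, id_token, state; the submit button is skipped
	}
	return nil, form, nil
}
```

A client that gets a HiddenForm back would POST form.Fields to form.Action (as the browser's document.forms[0].submit() does) and continue the flow from that response.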
I've been trying to use saml2aws to replace this project: https://github.com/piontas/python-aada since that project uses a headless Chromium browser to complete the authentication flow and that seems really heavy. However, I'm getting problems with authentication where it spits back saying that a SAML response wasn't obtained and that my credentials may be incorrect.
I've tried following these directions but no dice: https://github.com/Versent/saml2aws/tree/master/doc/provider/aad