Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

saml2aws fails for Azure AD #350

Closed howdoicomputer closed 4 years ago

howdoicomputer commented 4 years ago

I've been trying to use saml2aws to replace this project: https://github.com/piontas/python-aada since that project uses a headless Chromium browser to complete the authentication flow and that seems really heavy.

However, I'm getting problems with authentication where it spits back saying that a SAML response wasn't obtained and that my credentials may be incorrect.

I've tried following these directions but no dice: https://github.com/Versent/saml2aws/tree/master/doc/provider/aad

howdoicomputer commented 4 years ago

Hm, I'm getting an unmarshal related error now.

error authenticating to IdP: loginPassword response unmarshal error: unexpected end of JSON input

jessechahal commented 4 years ago

I got this error when I wasn't using the correct application id. Try confirming that this is correct

rdkls commented 4 years ago

Duplicate of https://github.com/Versent/saml2aws/issues/351

We hit this issue recently too. Oddly enough it hit me last night - but not colleagues - then /them/ this morning. My guess is MS rolling out a minor update to the page?

Workaround of using aws-azure-login is good for now: https://github.com/sportradar/aws-azure-login

rdkls commented 4 years ago

I found our problem was caused by a change we made to not require MFA from our office CIDR. (Though similar, it wasn't done through "Conditional Access" in Azure portal, there's some other page where that can be done)

Odd that not requiring MFA broke the saml2aws plugin's ability to parse the page.

Access from outside that range prompted for MFA, and saml2aws still worked. As did adding an explicit Conditional Access policy for my user, requiring MFA.

jessechahal commented 4 years ago

@rdkls how is this a duplicate if this issue was created first? Also the workaround is to not use this tool and instead use another tool... I wouldn't call that a workaround. Also considering that the referenced tool requires installation through NPM while this one has natively compiled binaries doesn't make them equivalent (the other tool doesn't even mention macOS support).

FernandoMiguel commented 4 years ago

@jessechahal I think all of us using that tool use it as docker. At least that's what we do at my place

FernandoMiguel commented 4 years ago

I found our problem was caused by a change we made to not require MFA from our office CIDR. (Though similar, it wasn't done through "Conditional Access" in Azure portal, there's some other page where that can be done)

I actually never tried it from outside the office, so I decided to give it a go from home today, after your post, to see if it was a similar config issue:

DEBU[0007] HTTP Req                                      URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0008] HTTP Res                                      Status="200 OK" http=client
DEBU[0008] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0010] HTTP Res                                      Status="200 OK" http=client
Phone approval required.
DEBU[0010] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0010] HTTP Res                                      Status="200 OK" http=client
DEBU[0011] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0011] HTTP Res                                      Status="200 OK" http=client
DEBU[0012] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0013] HTTP Res                                      Status="200 OK" http=client
DEBU[0014] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0014] HTTP Res                                      Status="200 OK" http=client
DEBU[0015] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0015] HTTP Res                                      Status="200 OK" http=client
DEBU[0015] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0016] HTTP Res                                      Status="200 OK" http=client
unexpected end of JSON input
ProcessAuth response unmarshal error
github.com/versent/saml2aws/pkg/provider/aad.(*Client).Authenticate
    /Users/markw/go/src/github.com/versent/saml2aws/pkg/provider/aad/aad.go:842
github.com/versent/saml2aws/cmd/saml2aws/commands.ListRoles
    /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/list_roles.go:43
main.main
    /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:142
runtime.main
    /usr/local/Cellar/go/1.13.1/libexec/src/runtime/proc.go:203
runtime.goexit
    /usr/local/Cellar/go/1.13.1/libexec/src/runtime/asm_amd64.s:1357
error authenticating to IdP
github.com/versent/saml2aws/cmd/saml2aws/commands.ListRoles
    /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/list_roles.go:45
main.main
    /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:142
runtime.main
    /usr/local/Cellar/go/1.13.1/libexec/src/runtime/proc.go:203
runtime.goexit
    /usr/local/Cellar/go/1.13.1/libexec/src/runtime/asm_amd64.s:1357

sadly, no fix!

jameshodge-gvc commented 4 years ago

I'm seeing the same issue above, was anyone able to resolve this?

giuliocalzolari commented 4 years ago

If any golang guru wants to help me: I did a Python version to solve this problem; it would be awesome to have it as part of saml2aws.

https://github.com/giuliocalzolari/aad-aws-login/blob/master/azure_saml.py

KernelPanicAUS commented 4 years ago

So the issue seems to be that the response is an HTML page with a prefilled hidden form that is automatically submitted via JavaScript, as opposed to a JSON response.

Example HTML response:

<html>

<head>
  <title>Working...</title>
</head>

<body>
  <form method="POST" name="hiddenform" action="https://account.activedirectory.windowsazure.com/">
    <input type="hidden" name="code" value="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
    <input type="hidden" name="id_token" value="yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" />
    <input type="hidden" name="state" value="OpenIdConnect.AuthenticationProperties=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" />
    <input type="hidden" name="session_state" value="3509D102-8CB7-42EF-8D07-041B45A12827" />
    <noscript>
      <p>Script is disabled. Click Submit to continue.</p><input type="submit" value="Submit" />
    </noscript></form>
  <script language="javascript">document.forms[0].submit();</script>
</body>

</html>
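To illustrate the root cause described in this comment, here is an added example (not saml2aws code and not the fix from the PR): a Go routine that recognises the auto-submitted "Working..." page instead of trying to unmarshal it as JSON, and extracts the form action plus hidden inputs that a CLI client would have to POST itself to continue the flow. The function and variable names, and the sample page with placeholder values, are my own constructions; a real client would then POST `vals` to `action` with its cookie jar.

```go
package main

import (
	"encoding/json"
	"errors"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample of the "Working..." page; placeholder values, not real tokens.
const sampleWorkingPage = `<html><head><title>Working...</title></head><body><form method="POST" name="hiddenform" action="https://account.activedirectory.windowsazure.com/">
<input type="hidden" name="code" value="CODE_PLACEHOLDER" /><input type="hidden" name="state" value="OpenIdConnect.AuthenticationProperties=STATE&amp;x=1" />
<noscript><input type="submit" value="Submit" /></noscript></form><script>document.forms[0].submit();</script></body></html>`

var formRe = regexp.MustCompile(`(?is)<form\b([^>]*)>`)
var inputRe = regexp.MustCompile(`(?is)<input\b([^>]*)>`)
var attrRe = regexp.MustCompile(`(\w+)\s*=\s*"([^"]*)"`)

// attrs maps one tag's attributes to lower-cased keys with HTML entities decoded.
func attrs(tag string) map[string]string {
	m := map[string]string{}
	for _, kv := range attrRe.FindAllStringSubmatch(tag, -1) {
		m[strings.ToLower(kv[1])] = html.UnescapeString(kv[2])
	}
	return m
}

// ParseHiddenForm returns the form action and hidden inputs (what the inline script would POST in a browser).
func ParseHiddenForm(body string) (string, url.Values, error) {
	if json.Valid([]byte(body)) {
		return "", nil, errors.New("body is JSON; use the normal unmarshal path")
	}
	f := formRe.FindStringSubmatch(body)
	if f == nil {
		return "", nil, errors.New("response is neither JSON nor a hidden form")
	}
	action, vals := attrs(f[1])["action"], url.Values{}
	for _, in := range inputRe.FindAllStringSubmatch(body, -1) {
		if a := attrs(in[1]); strings.EqualFold(a["type"], "hidden") && a["name"] != "" {
			vals.Set(a["name"], a["value"])
		}
	}
	if action == "" || len(vals) == 0 {
		return "", nil, errors.New("form has no action or no hidden inputs")
	}
	return action, vals, nil
}
```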

KernelPanicAUS commented 4 years ago

PR with fix submitted https://github.com/Versent/saml2aws/pull/435