Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License
2.08k stars, 563 forks

Duo Bypass Networks #395

Open magenta-pixel opened 4 years ago

magenta-pixel commented 4 years ago

IdP: Shibboleth

On networks where Duo bypass is configured, it does not work.

Verbose output (saml2aws login --verbose):

DEBU[0007] HTTP Req URL="https://foobar/idp/profile/SAML2/Unsolicited/SSO?execution=e1s1" http=client method=POST
DEBU[0007] HTTP Res Status="200 200" http=client
DEBU[0007] HTTP Req URL="https://api-xxx.duosecurity.com/frame/web/v1/auth?tx=TX%7Random" http=client method=POST
DEBU[0008] HTTP Res Status="200 OK" http=client
DEBU[0008] HTTP Req URL="https://foobar/idp/profile/SAML2/Unsolicited/SSO?execution=e1s2" http=client method=POST
DEBU[0008] HTTP Res Status="200 200" http=client
missing Assertion element
error parsing aws roles
github.com/versent/saml2aws/cmd/saml2aws/commands.selectAwsRole
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/commands/login.go:179
github.com/versent/saml2aws/cmd/saml2aws/commands.Login
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/commands/login.go:89
main.main
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/main.go:138
runtime.main
    /usr/local/Cellar/go/1.13.3/libexec/src/runtime/proc.go:203
runtime.goexit
    /usr/local/Cellar/go/1.13.3/libexec/src/runtime/asm_amd64.s:1357
Failed to assume role, please check whether you are permitted to assume the given role for the AWS service
github.com/versent/saml2aws/cmd/saml2aws/commands.Login
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/commands/login.go:91
main.main
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/main.go:138
runtime.main
    /usr/local/Cellar/go/1.13.3/libexec/src/runtime/proc.go:203
runtime.goexit
    /usr/local/Cellar/go/1.13.3/libexec/src/runtime/asm_amd64.s:1357

ckrusch commented 4 years ago

Encountered the same issue at our organization.

Forked to ckrusch/saml2aws and implemented a change to support DUO bypass. Minor changes to pkg/provider/shibboleth/shibboleth.go.

I'm the only one who's tested it so far - have a few more developers here that will test over the next week. Feel free to test it and provide feedback. If it's positive I'll initiate a pull request linked to this issue to merge it into the Versent main branch...

Hope I got that right - new to GitHub....

jlongland commented 4 years ago

Good stuff @ckrusch - I've tested and it works for me. Super handy. Thanks!

Running on OS X 10.11.6 and go1.13.4 darwin/amd64
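The verbose log in the issue and the fix ckrusch describes both come down to one decision the Shibboleth flow has to make after the SSO POST: the returned page either embeds the Duo frame (second factor still required) or, on a Duo-bypass network, already carries the final SAMLResponse form. The following Go program is an added illustration of that branch, written for this thread; it is not code from saml2aws or from the ckrusch fork, and it makes no claim about how shibboleth.go implements it. It assumes the Duo frame is identifiable by an iframe with id="duo_iframe", uses only the standard library, and runs on constructed sample pages rather than captured IdP responses. It also reproduces the failure mode in the log: a SAMLResponse whose Response element contains no Assertion is rejected with "missing Assertion element" instead of being handed to the role parser.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Step is what the page returned by the IdP's SSO POST asks the client to do next.
type Step int

const (
	StepUnknown      Step = iota
	StepDuoChallenge      // page embeds the Duo frame: a second factor is still required
	StepSAMLResponse      // page carries the final SAMLResponse form (Duo bypassed or already satisfied)
)

var (
	duoFrameRe     = regexp.MustCompile(`(?i)<iframe[^>]+id="duo_iframe"`) // assumed Duo frame id
	samlResponseRe = regexp.MustCompile(`(?i)<input[^>]+name="SAMLResponse"[^>]+value="([^"]*)"`)
)

// Classify inspects one IdP page. The SAMLResponse check runs first because on a
// bypass network the IdP returns the final form immediately, with no Duo step.
func Classify(page string) (Step, string) {
	if m := samlResponseRe.FindStringSubmatch(page); m != nil {
		return StepSAMLResponse, m[1]
	}
	if duoFrameRe.MatchString(page) {
		return StepDuoChallenge, ""
	}
	return StepUnknown, ""
}

// response mirrors only the parts of a SAML 2.0 Response used here; encoding/xml
// matches on local name, so the saml2/saml2p prefixes are irrelevant.
type response struct {
	XMLName   xml.Name `xml:"Response"`
	Assertion *struct {
		Attributes []struct {
			Name   string   `xml:"Name,attr"`
			Values []string `xml:"AttributeValue"`
		} `xml:"AttributeStatement>Attribute"`
	} `xml:"Assertion"`
}

// AWSRoles decodes a base64 SAMLResponse and returns its AWS Role attribute values.
// A Response with no Assertion is rejected explicitly; that is the condition the
// verbose log in the issue reports as "missing Assertion element".
func AWSRoles(b64 string) ([]string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("SAMLResponse is not valid base64: %w", err)
	}
	var r response
	if err := xml.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("SAMLResponse is not a SAML Response: %w", err)
	}
	if r.Assertion == nil {
		return nil, errors.New("missing Assertion element")
	}
	var roles []string
	for _, a := range r.Assertion.Attributes {
		if a.Name != "https://aws.amazon.com/SAML/Attributes/Role" {
			continue
		}
		for _, v := range a.Values {
			roles = append(roles, strings.TrimSpace(v))
		}
	}
	return roles, nil
}

// Constructed sample pages and responses (not captured from a real IdP).
const DuoPage = `<html><body><form id="duo_form"></form>
<iframe id="duo_iframe" data-host="api-xxx.duosecurity.com"></iframe></body></html>`

const SampleAssertionXML = `<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0"><saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/Dev,arn:aws:iam::123456789012:saml-provider/Shib</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement></saml2:Assertion>
</saml2p:Response>`

// An error-status Response that carries no Assertion at all.
const SampleNoAssertionXML = `<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r2" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></saml2p:Status>
</saml2p:Response>`

// BypassPage builds the final POST-binding form a bypass network returns straight away.
func BypassPage(samlXML string) string {
	return `<html><body><form method="post" action="https://signin.aws.amazon.com/saml">` +
		`<input type="hidden" name="SAMLResponse" value="` +
		base64.StdEncoding.EncodeToString([]byte(samlXML)) + `"/></form></body></html>`
}

func main() {
	for _, page := range []string{DuoPage, BypassPage(SampleAssertionXML), BypassPage(SampleNoAssertionXML)} {
		step, b64 := Classify(page)
		switch step {
		case StepDuoChallenge:
			fmt.Println("Duo second factor required: drive the Duo frame, then re-POST to the IdP")
		case StepSAMLResponse:
			roles, err := AWSRoles(b64)
			if err != nil {
				fmt.Println("SAMLResponse present but unusable:", err)
				continue
			}
			fmt.Println("Duo bypassed or satisfied; AWS roles:", roles)
		default:
			fmt.Println("unrecognised IdP page")
		}
	}
}
```

The order of the two checks in Classify is the whole point: a client that assumes the Duo step always follows the first SSO POST will try to drive a Duo frame that is not there, re-POST to the IdP, and end up parsing a page that was never the SAMLResponse form, which is what the stack trace above shows. The regex-based form parsing is deliberately minimal and assumes the attribute order the Shibboleth POST-binding template produces; a production client should parse the HTML properly.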