Open v3rm0n opened 4 years ago
I added a PR that addresses this issue https://github.com/Versent/saml2aws/pull/408
Firstly, my apologies! TOTP was the one flow I didn't test when submitting it :(
Does this always break TOTP, or only if you also have a security key registered as well?
Probably only when security key is registered. I will start using U2F as well, but it would be nice if we could trigger the alternative method, someone might need it...
Oh, of course, specifying the factor up front would be nice if you know you don't have your u2f token available.
I guess I'm wondering if it would also make sense to dump users into the alternate auth flow on an error instead of returning. For example, if we time out waiting for a u2f token -- instead of failing out, should it prompt us to pick an alternate factor instead?
If that's something that'll be accepted upstream, I'm happy to work on that bit as well :)
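The fallback flow discussed above (try the security key, and on a timeout offer the alternate factor instead of failing the login, with the option to pick a factor up front) can be sketched in Go. This is an added illustration written for this thread, not code from saml2aws; the `Factor`, `Challenger` and `Authenticate` names, the simulated absent key, and the TOTP code `123456` are all constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Factor names an MFA method the user can complete.
type Factor string

const (
	FactorU2F  Factor = "u2f"  // hardware security key
	FactorTOTP Factor = "totp" // authenticator app code
)

// ErrNoFactor is returned when no factor produced a response.
var ErrNoFactor = errors.New("mfa: no factor completed")

// Challenger runs one factor's challenge (waits for the key, or reads a
// code from the user) and returns the response. It must honour ctx so
// that a missing security key cannot block the login forever.
type Challenger func(ctx context.Context) (string, error)

// Result records which factor answered and with what.
type Result struct {
	Factor   Factor
	Response string
}

// Authenticate tries the requested factor first (default order: u2f, then
// totp). A failure or timeout on the first factor does not end the login:
// askFallback is consulted and, if the user agrees, the alternate factor's
// challenge runs instead. Only the security-key wait gets keyTimeout;
// typing a TOTP code is bounded by the parent ctx.
func Authenticate(ctx context.Context, requested Factor, keyTimeout time.Duration,
	challengers map[Factor]Challenger, askFallback func(Factor) bool) (Result, error) {
	order := []Factor{FactorU2F, FactorTOTP}
	if requested != "" {
		// Factor specified up front: try it first, keep the other as fallback.
		order = []Factor{requested}
		for _, f := range []Factor{FactorU2F, FactorTOTP} {
			if f != requested {
				order = append(order, f)
			}
		}
	}
	tried := false
	var lastErr error = ErrNoFactor
	for _, f := range order {
		ch, ok := challengers[f]
		if !ok {
			continue // factor not registered for this account
		}
		if tried && !askFallback(f) {
			return Result{}, lastErr // user declined the alternate factor
		}
		tried = true
		fctx, cancel := ctx, context.CancelFunc(func() {})
		if f == FactorU2F {
			fctx, cancel = context.WithTimeout(ctx, keyTimeout)
		}
		resp, err := ch(fctx)
		cancel()
		if err == nil {
			return Result{Factor: f, Response: resp}, nil
		}
		lastErr = fmt.Errorf("%s: %w", f, err)
	}
	return Result{}, lastErr
}

// absentKey simulates a registered security key that is not plugged in:
// it never answers and only returns once the context expires.
func absentKey(ctx context.Context) (string, error) {
	<-ctx.Done()
	return "", ctx.Err()
}

// fixedTOTP stands in for reading a code from the user (constructed value).
func fixedTOTP(code string) Challenger {
	return func(ctx context.Context) (string, error) { return code, nil }
}

func main() {
	challengers := map[Factor]Challenger{FactorU2F: absentKey, FactorTOTP: fixedTOTP("123456")}
	res, err := Authenticate(context.Background(), "", 200*time.Millisecond, challengers,
		func(f Factor) bool {
			fmt.Printf("security key did not respond; use %s instead? (answering yes)\n", f)
			return true
		})
	fmt.Printf("factor=%s response=%s err=%v\n", res.Factor, res.Response, err)
}
```

Running it with no key present prints the fallback prompt and then completes with the TOTP factor; passing `FactorTOTP` as `requested` skips the key wait entirely, which is the "specify the factor up front" case.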
Leaving this here for other people struggling with this:
Until the fix gets merged or the issue gets fixed any other way, I created a Docker image from my branch which can be used as a drop-in replacement for saml2aws by creating a script:
```sh
#!/bin/sh
# Wrapper that runs the patched image in place of the saml2aws binary.
# Mounts the current directory, the AWS credentials and the saml2aws
# config so the container writes to the same files the host uses.
docker run \
  -v "$(pwd)":/app \
  -v "$HOME/.aws/":/root/.aws \
  -v "$HOME/.saml2aws":/root/.saml2aws \
  --rm -it maidok/saml2aws:latest "$@"
```
Or, you know, since it has access to AWS credentials, build your own image using this as a base:
```dockerfile
FROM golang:1.13
# Clone the fork into the upstream import path so the build works unchanged
RUN mkdir -p $GOPATH/src/github.com/versent/saml2aws
RUN git clone https://github.com/v3rm0n/saml2aws.git $GOPATH/src/github.com/versent/saml2aws
WORKDIR $GOPATH/src/github.com/versent/saml2aws
# Branch carrying the alternate-MFA fix
RUN git checkout google-mfa-alt
RUN make mod && make install
ENTRYPOINT ["saml2aws"]
```
Commit https://github.com/Versent/saml2aws/commit/ef8cf8222c4e4d625e8cff3a20218d93d66a2a68 broke the login flow for TOTP. Previously since U2F was not supported, the alternate challenge page logic was triggered. Looks like MFA flag support is needed.