Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

OneLogin + Duo #482

Open alandotcom opened 4 years ago

alandotcom commented 4 years ago

We're using OneLogin + Duo. Recently, we tried setting up saml2aws but ran into a few issues.

First, it was necessary to change a few things in saml2aws to get it working with the v2 of their API, as well as adding support for Duo as an MFA option.

https://github.com/reciprocity/saml2aws/pull/2/files

I plan on cleaning this up, fixing the tests, and pushing a PR in the future. Any help is appreciated!

Second, we spent quite some time with Duo & OneLogin support, as the normal process for setting up Duo and OneLogin was not sufficient. Below I'll paste the instructions we had to follow:

On DUO admin portal navigate to Applications > Protect an Application > Search and add "Partner Auth API". Then use the key and secret from that app in your OneLogin Duo configuration which is set via the OneLogin admin portal.


Apparently, we had to use the "Partner Auth API", which was different from how it was originally set up.

OneLogin does not document this very well. In case anyone else is testing this out, here's a very basic script for testing that you can get a valid SAML assertion from OneLogin:

https://gist.github.com/lumberj/fa1fef183005c726946644342a368473
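An added offline check in the spirit of the gist linked above (example code written for this page, not the gist's script and not saml2aws code): it takes the base64 `SAMLResponse` that an IdP such as OneLogin hands back, here replaced by a constructed, unsigned sample built inside the script, and verifies the things saml2aws needs before it can call AWS STS: the validity window, the `urn:amazon:webservices` audience, and well-formed `https://aws.amazon.com/SAML/Attributes/Role` values. The function names, the account id `123456789012` and the role names are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AWS_AUDIENCE = "urn:amazon:webservices"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_response(not_before, not_on_or_after, audience=AWS_AUDIENCE):
    """Constructed, unsigned SAML response for offline testing (not real OneLogin output)."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before.strftime(TS_FMT)}" NotOnOrAfter="{not_on_or_after.strftime(TS_FMT)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/Developer,arn:aws:iam::123456789012:saml-provider/OneLogin</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/OneLogin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def _parse_ts(value):
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def check_assertion(saml_response_b64, now=None):
    """Decode a base64 SAMLResponse; return (ok, problems, role_arns).

    Only structure, timing, audience and Role attributes are checked; the XML
    signature is not verified here (AWS STS does that against the IdP metadata).
    """
    now = now or datetime.now(timezone.utc)
    problems, roles = [], []
    try:
        root = ET.fromstring(base64.b64decode(saml_response_b64))
    except (ValueError, ET.ParseError) as exc:
        return False, [f"not a base64-encoded SAML XML document: {exc}"], []

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, ["no <saml:Assertion> element in response"], []

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing <saml:Conditions>")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_ts(not_before):
            problems.append(f"assertion not yet valid (NotBefore={not_before})")
        if not_on_or_after and now >= _parse_ts(not_on_or_after):
            problems.append(f"assertion expired (NotOnOrAfter={not_on_or_after})")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if AWS_AUDIENCE not in audiences:
            problems.append(f"audience {audiences} does not include {AWS_AUDIENCE}")

    # Each Role value is "role-arn,saml-provider-arn" (order may vary); saml2aws
    # presents the role ARNs to the user and passes both to AssumeRoleWithSAML.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = [p for p in parts if ":role/" in p]
            provider = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(role) != 1 or len(provider) != 1:
                problems.append(f"malformed Role value: {value.text!r}")
            else:
                roles.append(role[0])
    if not roles:
        problems.append("no usable AWS Role attribute values")
    return not problems, problems, roles


def run_demo():
    """Run the check over constructed fresh, expired, wrong-audience and garbage inputs."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    one_min, five_min = timedelta(minutes=1), timedelta(minutes=5)
    return {
        "fresh": check_assertion(build_sample_response(now - one_min, now + five_min), now),
        "expired": check_assertion(build_sample_response(now - 2 * five_min, now - five_min), now),
        "wrong_audience": check_assertion(
            build_sample_response(now - one_min, now + five_min, audience="urn:example:other"), now),
        "garbage": check_assertion("%%%not-base64%%%", now),
    }


if __name__ == "__main__":
    for name, (ok, problems, roles) in run_demo().items():
        print(f"{name}: ok={ok} roles={roles} problems={problems}")
```

In practice you would feed `check_assertion` the `SAMLResponse` string captured from the IdP's response instead of the constructed sample; a response that passes here but is rejected by STS usually points at a signature or IdP-metadata mismatch rather than at the assertion contents.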

radsec commented 4 years ago

Are you able to get this to function via Duo Push? I was able to edit some of the code to send a push but cannot verify_factor then.

alandotcom commented 4 years ago

@radsec no, it does not work with Duo Push. We were specifically told by the Duo support team that it won't work with push (due to how the onelogin<>duo integration works)