Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

Okta: not able to verify since always "verify failed status: 429 Too Many Requests" #504

Open markus-geiger opened 4 years ago

markus-geiger commented 4 years ago

We're not able to use saml2aws since we're always running into "429 Too Many Requests".

Projects like gimme-aws-creds and aws-okta always work fine.

Can the last request be skipped?

saml2aws login --verbose

DEBU[0000] Running                                       command=login
DEBU[0000] check if Creds Exist                          command=login
DEBU[0000] Expand                                        name=/home/*****/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/home/*****/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/home/*****/.aws/credentials pkg=awsconfig
Using IDP Account default to access Okta https://******.okta.com/app/amazon_aws/****/sso/saml
DEBU[0000] building provider                             command=login idpAccount="account {\n  URL: https://******.okta.com/app/amazon_aws/****8/sso/saml\n  Username: user@******.com\n  Provider: Okta\n  MFA: Auto\n  SkipVerify: true\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 3600\n  Profile: ******-nonprod\n  RoleARN: \n  Region: \n}"
Authenticating as user@******.com ...
DEBU[0000] HTTP Req                                      URL="https://******.okta.com/api/v1/authn" http=client method=POST
DEBU[0001] HTTP Res                                      Status="200 OK" http=client
DEBU[0001] MFA                                           factorID=foobar mfaIdentifer="OKTA SMS" oktaVerify="https://******.okta.com/api/v1/authn/factors/foobar/verify" provider=okta
DEBU[0001] HTTP Req                                      URL="https://******.okta.com/api/v1/authn/factors/foobar/verify" http=client method=POST
DEBU[0002] HTTP Res                                      Status="200 OK" http=client
? Enter verification code 671695
DEBU[0012] HTTP Req                                      URL="https://******.okta.com/api/v1/authn/factors/foobar/verify" http=client method=POST
DEBU[0012] HTTP Res                                      Status="200 OK" http=client
DEBU[0012] HTTP Req                                      URL="https://******.okta.com/login/sessionCookieRedirect?checkAccountSetupComplete=true&redirectUrl=https%3A%2F%2F******.okta.com%2Fapp%2Famazon_aws%2F****8%2Fsso%2Fsaml&token=******" http=client method=GET
DEBU[0013] HTTP Res                                      Status="200 OK" http=client
DEBU[0013] HTTP Req                                      URL="https://******.okta.com/app/amazon_aws/****8/sso/saml" http=client method=GET
DEBU[0013] HTTP Res                                      Status="200 OK" http=client
DEBU[0013] HTTP Req                                      URL="https://******.okta.com/api/v1/authn" http=client method=POST
DEBU[0014] HTTP Res                                      Status="200 OK" http=client
DEBU[0014] MFA                                           factorID=foobar mfaIdentifer="OKTA SMS" oktaVerify="https://******.okta.com/api/v1/authn/factors/foobar/verify" provider=okta
DEBU[0014] HTTP Req                                      URL="https://******.okta.com/api/v1/authn/factors/foobar/verify" http=client method=POST
request for url: https://******.okta.com/api/v1/authn/factors/foobar/verify failed status: 429 Too Many Requests

github.com/versent/saml2aws/pkg/provider.SuccessOrRedirectResponseValidator
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/http.go:188
github.com/versent/saml2aws/pkg/provider.(*HTTPClient).Do
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/http.go:133
github.com/versent/saml2aws/pkg/provider/okta.verifyMfa
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:353
github.com/versent/saml2aws/pkg/provider/okta.(*Client).Authenticate
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:145
github.com/versent/saml2aws/pkg/provider/okta.(*Client).follow
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:218
github.com/versent/saml2aws/pkg/provider/okta.(*Client).Authenticate
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:165
github.com/versent/saml2aws/cmd/saml2aws/commands.Login
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/commands/login.go:70
main.main
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/main.go:151
runtime.main
    /usr/local/Cellar/go/1.14.2_1/libexec/src/runtime/proc.go:203
runtime.goexit
    /usr/local/Cellar/go/1.14.2_1/libexec/src/runtime/asm_amd64.s:1373
error retrieving verify response
github.com/versent/saml2aws/pkg/provider/okta.verifyMfa
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:355
github.com/versent/saml2aws/pkg/provider/okta.(*Client).Authenticate
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:145
github.com/versent/saml2aws/pkg/provider/okta.(*Client).follow
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:218
github.com/versent/saml2aws/pkg/provider/okta.(*Client).Authenticate
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:165
github.com/versent/saml2aws/cmd/saml2aws/commands.Login
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/commands/login.go:70
main.main
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/main.go:151
runtime.main
    /usr/local/Cellar/go/1.14.2_1/libexec/src/runtime/proc.go:203
runtime.goexit
    /usr/local/Cellar/go/1.14.2_1/libexec/src/runtime/asm_amd64.s:1373
error verifying MFA
github.com/versent/saml2aws/pkg/provider/okta.(*Client).Authenticate
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:147
github.com/versent/saml2aws/pkg/provider/okta.(*Client).follow
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:218
github.com/versent/saml2aws/pkg/provider/okta.(*Client).Authenticate
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:165
github.com/versent/saml2aws/cmd/saml2aws/commands.Login
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/commands/login.go:70
main.main
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/main.go:151
runtime.main
    /usr/local/Cellar/go/1.14.2_1/libexec/src/runtime/proc.go:203
runtime.goexit
    /usr/local/Cellar/go/1.14.2_1/libexec/src/runtime/asm_amd64.s:1373
error authenticating to IdP
github.com/versent/saml2aws/cmd/saml2aws/commands.Login
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/commands/login.go:72
main.main
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/main.go:151
runtime.main
    /usr/local/Cellar/go/1.14.2_1/libexec/src/runtime/proc.go:203
runtime.goexit
    /usr/local/Cellar/go/1.14.2_1/libexec/src/runtime/asm_amd64.s:1373

markus-geiger commented 4 years ago

Quote from a colleague:

I think there is a problem with the way our step-up auth is set up with Okta. It asks for MFA right after it was entered already, and that's why saml2aws goes to the MFA endpoint immediately again and fails with 429.

In other words, what should happen: auth -> saml -> mfa -> saml. And this is what happens: auth -> mfa -> saml -> mfa (and fail with 429).
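As an added illustration (not saml2aws code), the following Go program reconstructs the auth/mfa/saml step sequence from a saml2aws --verbose log and flags the repeated factor verify described above. The log excerpt is constructed after the one in the issue, with placeholder tenant, app id and token.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed excerpt modelled on the issue's verbose log (tenant, app id and token are placeholders).
const sampleLog = `DEBU[0000] HTTP Req  URL="https://example.okta.com/api/v1/authn" http=client method=POST
DEBU[0001] HTTP Req  URL="https://example.okta.com/api/v1/authn/factors/foobar/verify" http=client method=POST
DEBU[0012] HTTP Req  URL="https://example.okta.com/login/sessionCookieRedirect?redirectUrl=https%3A%2F%2Fexample.okta.com%2Fapp%2Famazon_aws%2FAPPID%2Fsso%2Fsaml&token=REDACTED" http=client method=GET
DEBU[0013] HTTP Req  URL="https://example.okta.com/app/amazon_aws/APPID/sso/saml" http=client method=GET
DEBU[0013] HTTP Req  URL="https://example.okta.com/api/v1/authn" http=client method=POST
DEBU[0014] HTTP Req  URL="https://example.okta.com/api/v1/authn/factors/foobar/verify" http=client method=POST`

// Step maps one requested URL onto the coarse steps the issue talks about: "auth" (primary
// authn), "mfa" (factor verify) or "saml" (the app SSO URL). The query string is dropped first
// so the encoded redirectUrl on sessionCookieRedirect is not mistaken for the SAML fetch ("").
func Step(rawURL string) string {
	path := strings.SplitN(rawURL, "?", 2)[0]
	switch {
	case strings.Contains(path, "/factors/") && strings.HasSuffix(path, "/verify"):
		return "mfa"
	case strings.HasSuffix(path, "/api/v1/authn"):
		return "auth"
	case strings.HasSuffix(path, "/sso/saml"):
		return "saml"
	}
	return ""
}

// Steps returns the ordered step sequence found in a saml2aws --verbose log.
func Steps(log string) []string {
	var out []string
	for _, m := range regexp.MustCompile(`HTTP Req\s+URL="([^"]+)"`).FindAllStringSubmatch(log, -1) {
		if s := Step(m[1]); s != "" {
			out = append(out, s)
		}
	}
	return out
}

// MFALoop reports the pattern the issue describes: a factor verify both before and after the
// SAML URL was fetched (auth -> mfa -> saml -> mfa) instead of auth -> saml -> mfa -> saml.
func MFALoop(steps []string) bool {
	seq := " " + strings.Join(steps, " ") + " "
	i := strings.Index(seq, " saml ")
	return i >= 0 && strings.Contains(seq[:i+1], " mfa ") && strings.Contains(seq[i:], " mfa ")
}
```

Run against the excerpt, Steps yields auth -> mfa -> saml -> auth -> mfa and MFALoop returns true, which is the second verify that Okta then answers with 429.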