Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

Okta login with Duo fails #554

Open clebio opened 4 years ago

clebio commented 4 years ago

Using either Duo Push or Passcode options on Mac OS (brew-installed), login is failing. Maybe these verbose logs will help?

$ saml2aws login -a example --verbose
DEBU[0000] Running                                       command=login

# snip...

? Select a DUO MFA Option Duo Push
DEBU[0011] HTTP Req                                      URL="https://api-redacted.duosecurity.com/frame/prompt" http=client method=POST
DEBU[0011] HTTP Res                                      Status="200 OK" http=client
error authenticating mfa device
github.com/versent/saml2aws/v2/pkg/provider/okta.verifyMfa
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:552
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:144
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/commands/login.go:70
main.main
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/main.go:163
runtime.main
    /usr/local/Cellar/go/1.15/libexec/src/runtime/proc.go:204
runtime.goexit
    /usr/local/Cellar/go/1.15/libexec/src/runtime/asm_amd64.s:1374
error verifying MFA
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:146
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/commands/login.go:70
main.main
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/main.go:163
runtime.main
    /usr/local/Cellar/go/1.15/libexec/src/runtime/proc.go:204
runtime.goexit
    /usr/local/Cellar/go/1.15/libexec/src/runtime/asm_amd64.s:1374
error authenticating to IdP
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/commands/login.go:72
main.main
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/main.go:163
runtime.main
    /usr/local/Cellar/go/1.15/libexec/src/runtime/proc.go:204
runtime.goexit
    /usr/local/Cellar/go/1.15/libexec/src/runtime/asm_amd64.s:1374

Using

$ saml2aws --version
2.27.0

Seems related to

jfrantz1-r7 commented 4 years ago

Same here! Logs are exactly the same; both push and passcode fail with Duo.

theorlandog commented 3 years ago

Still seems to be an active issue.

segabor commented 2 years ago

Still an issue on macOS. saml2aws version 2.34.0, MFA is set to PUSH.

UPDATE

I fixed it by setting the right URL. In our case, the AWS app in the Okta UI.
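As an added example (not saml2aws code and not the commenter's fix), here is a small shell check of a saml2aws profile along the lines of segabor's finding: it flags a profile whose url is only the Okta org root instead of the AWS application link. The INI layout (provider, url, mfa keys) and the /home/<app>/... shape of an Okta app link are assumptions; the sample config is constructed.

```shell
# Added example, not saml2aws code. Assumptions: ~/.saml2aws is an INI file
# with [profile] sections and "provider", "url" and "mfa" keys, and an Okta
# application link has a /home/<app>/... path under the org host.
# Print the value of KEY in section [PROFILE] of the saml2aws config FILE.
saml2aws_cfg_get() {
  awk -v p="[$2]" -v k="$3" '
    $0 == p            { in_sec = 1; next }
    /^\[/              { in_sec = 0 }
    in_sec && match($0, "^" k "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
    }' "$1"
}
# Classify an Okta URL: "app" (application link), "org" (bare org root) or "other".
okta_url_kind() {
  rest=${1#https://}
  path=${rest#*/}
  [ "$path" = "$rest" ] && { echo org; return; }  # host only, no path
  case "$path" in
    home/*/*) echo app ;;
    "")       echo org ;;
    *)        echo other ;;
  esac
}
# Report whether PROFILE in FILE looks usable for Okta + Duo; exit 0 if it does.
check_profile() {
  provider=$(saml2aws_cfg_get "$1" "$2" provider)
  url=$(saml2aws_cfg_get "$1" "$2" url)
  mfa=$(saml2aws_cfg_get "$1" "$2" mfa)
  [ "$provider" = "Okta" ] || { echo "$2: provider is '$provider', not Okta"; return 1; }
  kind=$(okta_url_kind "$url")
  if [ "$kind" != "app" ]; then
    echo "$2: url '$url' is the Okta $kind URL; use the AWS app link (/home/...)"
    return 1
  fi
  echo "$2: ok (app link, mfa=$mfa)"
}
# Constructed sample config with one correct and one misconfigured profile.
write_sample_config() {
  f=$(mktemp); cat >"$f" <<'EOF'
[okta-good]
provider                = Okta
url                     = https://example.okta.com/home/amazon_aws/0oaEXAMPLEID/272
mfa                     = PUSH
[okta-bad]
provider = Okta
url = https://example.okta.com
mfa = PUSH
EOF
  echo "$f"
}
```

Run `check_profile ~/.saml2aws <profile>` against a real config; the sample file is only there so the functions can be exercised offline.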