Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License
2.08k stars 562 forks

okta login fails after retrieving SAMLResponse #588

Open ghost opened 3 years ago

ghost commented 3 years ago

I am trying to use saml2aws with my Okta account, but login fails with the following error:

cannot find state token
github.com/versent/saml2aws/v2/pkg/provider/okta.getStateTokenFromOktaPageBody
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:238
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:212
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:230
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:164
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:217
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    /Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:164
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/commands/login.go:70
main.main
    /Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/main.go:163
runtime.main
    /usr/local/Cellar/go/1.15.1/libexec/src/runtime/proc.go:204
runtime.goexit
    /usr/local/Cellar/go/1.15.1/libexec/src/runtime/asm_amd64.s:1374
error retrieving saml response

I can see in the response dump that the SAMLResponse and stateToken both exist and the authentication was handled through to the final redirection successfully, but somehow it fails to get the tokens.

<form id="appForm" action="https&#x3a;&#x2f;&#x2f;eu-central-1.signin.aws.amazon.com&#x2f;platform&#x2f;saml&#x2f;acs&#x2f;********" method="POST">
   <input name="SAMLResponse" type="hidden" value="******"/>
   <input name="RelayState" type="hidden" value=""/>
</form>
Semmix commented 3 years ago

I am having the same issue, did you manage to solve it?

ghost commented 3 years ago

I did manage to circumvent this particular exception by adding our URL to pkg/provider/okta.docIsFormRedirectToAWS

asaba-vgs commented 3 years ago

For clarification on the configuration for this issue:

bbakersmith commented 3 years ago

Same problem here, unclear how to proceed.

bbakersmith commented 3 years ago

For me the issue was using the wrong URL in the configuration. It wants the full https://SOMETHING.okta.com/home/amazon_aws/SOMETHING/SOMETHING
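The two things this thread turns on are (a) recognising the final Okta page as the form that posts a SAMLResponse to AWS, which the ghost's workaround patched by adding their regional ACS URL to the provider's check, and (b) pointing the configuration at the full Okta app-embed link rather than the org root. The Go program below is an added example written for this page; it is not the saml2aws project's own docIsFormRedirectToAWS or state-token code, and it does not reproduce their logic. It assumes that a SAMLResponse for AWS is only ever posted over https to signin.aws.amazon.com or a regional host such as eu-central-1.signin.aws.amazon.com (the host in the issue's response dump), that the Okta app-embed URL has the path shape /home/amazon_aws/<appId>/<linkId> quoted in the comment above, and the sample HTML body is constructed to mirror the form quoted in the issue (the SAMLResponse value is a placeholder, not a real assertion). Matching is done with regular expressions over the raw HTML so the example runs with the standard library only.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample body, shaped like the form quoted in the issue: the action
// URL is HTML-entity encoded and the SAMLResponse sits in a hidden input.
// The SAMLResponse value is a placeholder, not a real SAML assertion.
const sampleAWSForm = `<html><body>
<form id="appForm" action="https&#x3a;&#x2f;&#x2f;eu-central-1.signin.aws.amazon.com&#x2f;platform&#x2f;saml&#x2f;acs&#x2f;0123abcd" method="POST">
   <input name="SAMLResponse" type="hidden" value="PHNhbWxwOlJlc3BvbnNlPg=="/>
   <input name="RelayState" type="hidden" value=""/>
</form>
</body></html>`

var (
	formRe  = regexp.MustCompile(`(?is)<form\b([^>]*)>(.*?)</form>`)
	inputRe = regexp.MustCompile(`(?is)<input\b([^>]*)>`)
	attrRe  = regexp.MustCompile(`(\w[\w-]*)\s*=\s*"([^"]*)"`)
)

// attrs parses one tag's attribute list into a lower-cased map, decoding HTML
// entities so an action of "https&#x3a;&#x2f;&#x2f;..." becomes a plain URL.
// Matching on the raw, still-encoded string would never find "https://".
func attrs(tag string) map[string]string {
	m := map[string]string{}
	for _, kv := range attrRe.FindAllStringSubmatch(tag, -1) {
		m[strings.ToLower(kv[1])] = html.UnescapeString(kv[2])
	}
	return m
}

// isAWSSigninHost accepts the global endpoint and regional endpoints such as
// eu-central-1.signin.aws.amazon.com (assumption: these are the only hosts a
// SAMLResponse should be handed to). The dot-anchored suffix matters: a plain
// substring test would also accept signin.aws.amazon.com.evil.example.
func isAWSSigninHost(host string) bool {
	host = strings.ToLower(host)
	return host == "signin.aws.amazon.com" || strings.HasSuffix(host, ".signin.aws.amazon.com")
}

// ExtractAWSSAMLResponse scans an HTML body for a form whose action posts to an
// AWS sign-in host and returns that action URL and the SAMLResponse it carries.
// It returns an error when no such form exists (the page is still an Okta step,
// e.g. one carrying a stateToken) or when the form has no SAMLResponse.
func ExtractAWSSAMLResponse(body string) (action string, samlResponse string, err error) {
	for _, f := range formRe.FindAllStringSubmatch(body, -1) {
		a := attrs(f[1])
		u, perr := url.Parse(a["action"])
		if perr != nil || u.Scheme != "https" || !isAWSSigninHost(u.Hostname()) {
			continue // not the AWS ACS form; keep looking
		}
		for _, in := range inputRe.FindAllStringSubmatch(f[2], -1) {
			ia := attrs(in[1])
			if ia["name"] == "SAMLResponse" && ia["value"] != "" {
				return u.String(), ia["value"], nil
			}
		}
		return u.String(), "", errors.New("AWS sign-in form found but it carries no SAMLResponse")
	}
	return "", "", errors.New("no form posting to an AWS sign-in endpoint found")
}

// LooksLikeOktaAWSAppURL reports whether a configured URL is the full Okta
// app-embed link for the AWS app, https://<org>.okta.com/home/amazon_aws/<appId>/<linkId>,
// rather than just the org root. The four-segment path shape is an assumption
// taken from the comment in this thread; okta-emea.com and oktapreview.com are
// Okta's other org domains.
func LooksLikeOktaAWSAppURL(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" {
		return false
	}
	host := strings.ToLower(u.Hostname())
	if !(strings.HasSuffix(host, ".okta.com") || strings.HasSuffix(host, ".okta-emea.com") || strings.HasSuffix(host, ".oktapreview.com")) {
		return false
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	return len(parts) == 4 && parts[0] == "home" && parts[1] == "amazon_aws" && parts[2] != "" && parts[3] != ""
}

func main() {
	action, resp, err := ExtractAWSSAMLResponse(sampleAWSForm)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("ACS:", action)
	fmt.Println("SAMLResponse length:", len(resp))
	fmt.Println("config URL is app-embed link:",
		LooksLikeOktaAWSAppURL("https://example.okta.com/home/amazon_aws/0oa1abcd2efgh/123"))
}
```

Two points worth carrying over to any real check: decode the entity-encoded action before comparing it to anything, since Okta emits `https&#x3a;&#x2f;&#x2f;...` rather than `https://...`, and compare the parsed hostname with an exact match or a dot-anchored suffix rather than a substring, so that a regional endpoint passes while a lookalike domain that merely contains "signin.aws.amazon.com" does not.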

rajesh6752 commented 2 years ago

I am also getting same error.

error authenticating to IdP: error retrieving saml response: cannot find state token