Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License
2.05k stars 558 forks

Support for Okta to "amazon_aws_sso" #735

Open AlexMichaelJonesNC opened 2 years ago

AlexMichaelJonesNC commented 2 years ago

I'm encountering an error where I have a working SSO solution between Okta and the "Amazon Single Sign-On" service that AWS provides. I wanted to use saml2aws to be able to get API keys, but I'm repeatedly hitting an issue where saml2aws fails out with an error: error authenticating to IdP: error retrieving saml response: cannot find state token. Digging deep into this, the AWS Single Sign-On integration does not appear to have a state token like the older AWS integration that saml2aws appears to support.

I've attached a verbose log below, with company information removed. A CONTENT_DUMP=true can be provided if helpful, but I've already confirmed var stateToken is not present in the response from https://company.okta.com/home/amazon_aws_sso/*******/*******

DEBU[0000] Running                                       command=login
DEBU[0000] check if Creds Exist                          command=login
DEBU[0000] Expand                                        name=~/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=~/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=~/.aws/credentials pkg=awsconfig
Using IDP Account default to access Okta https://company.okta.com/home/amazon_aws_sso/*******/*******
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://company.okta.com/home/amazon_aws_sso/*******/*******"
DEBU[0000] Get credentials                               helper=osxkeychain user=ajones@company.com
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://company.okta.com/home/amazon_aws_sso/*******/*******/sessionCookie"
DEBU[0000] Get credentials                               helper=osxkeychain user=ajones@company.com
To use saved password just hit enter.
? Username
? Password

DEBU[0003] building provider                             command=login idpAccount="account {\n  DisableSessions: false\n  DisableRememberDevice: false\n  URL: https://company.okta.com/home/amazon_aws_sso/*******/*******\n  Username: ajones@company.com\n  Provider: Okta\n  MFA: Auto\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 3600\n  Profile: companydev\n  RoleARN: \n  Region: \n}"
DEBU[0003] okta | disableSessions: false                 provider=okta
DEBU[0003] okta | rememberDevice: true                   provider=okta
Authenticating as ajones@company.com ...
DEBU[0003] auth with session func called                 provider=okta
DEBU[0003] validate session func called                  provider=okta
DEBU[0003] HTTP Req                                      URL="https://company.okta.com/api/v1/sessions/me" http=client method=GET
DEBU[0003] HTTP Res                                      Status="200 OK" http=client
DEBU[0003] okta session established                      provider=okta
DEBU[0003] valid okta session                            provider=okta
DEBU[0003] HTTP Req                                      URL="https://company.okta.com/home/amazon_aws_sso/*******/*******" http=client method=GET
DEBU[0005] HTTP Res                                      Status="200 OK" http=client
DEBU[0005] follow func called from auth with session func  provider=okta
DEBU[0005] HTTP Req                                      URL="https://company.okta.com/home/amazon_aws_sso/*******/*******" http=client method=GET
DEBU[0006] HTTP Res                                      Status="200 OK" http=client
DEBU[0006] doc detect                                    provider=okta type=resume
DEBU[0006] follow func called from auth with session func  provider=okta
DEBU[0006] HTTP Req                                      URL="https://us-west-2.signin.aws.amazon.com/platform/saml/acs/d9516f7b-8760-413c-90cc-5c31a367df44" http=client method=POST
DEBU[0007] HTTP Res                                      Status="200 OK" http=client
DEBU[0007] HTTP Req                                      URL="https://company.okta.com/home/amazon_aws_sso/*******/*******" http=client method=GET
DEBU[0008] HTTP Res                                      Status="200 OK" http=client
cannot find state token
github.com/versent/saml2aws/v2/pkg/provider/okta.getStateTokenFromOktaPageBody
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:596
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:570
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:588
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:333
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:461
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
    github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:187
runtime.main
    runtime/proc.go:225
runtime.goexit
    runtime/asm_amd64.s:1371
error retrieving saml response
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:572
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:588
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:333
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:461
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
    github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:187
runtime.main
    runtime/proc.go:225
runtime.goexit
    runtime/asm_amd64.s:1371
error authenticating to IdP
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
    github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:187
runtime.main
    runtime/proc.go:225
runtime.goexit
    runtime/asm_amd64.s:1371
IngussNeilands commented 2 years ago

Any update on this?

evanandrews-xrd commented 2 years ago

I believe I'm also running into this issue. The problem is in this code:

https://github.com/Versent/saml2aws/blob/3f8a009442a580436517b4cc15d64303266897d3/pkg/provider/okta/okta.go#L628-L646

It's specifically only looking for https://signin.aws.amazon.com/saml, but it looks like the above trace has configured https://us-west-2.signin.aws.amazon.com/saml.

Once that check fails, the code incorrectly decides the response is of type "resume":

https://github.com/Versent/saml2aws/blob/3f8a009442a580436517b4cc15d64303266897d3/pkg/provider/okta/okta.go#L538-L553

Using DUMP_CONTENT=true helped me to diagnose this issue.

See here for more info on regional SAML endpoints: https://aws.amazon.com/blogs/security/how-to-use-regional-saml-endpoints-for-failover/

Note that https://signin.aws.amazon.com/saml is actually just us-east-1.
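The two code references above describe the same failure mode from two sides: the endpoint check accepts only the global https://signin.aws.amazon.com/saml host, and when that check fails the page is silently classified as a "resume" page, which is why the trace ends with "cannot find state token" even though the page was a perfectly good SAML auto-submit form aimed at a regional endpoint. The following Go program is an added example, not code from the saml2aws project, showing how a follow loop can recognise both the global and regional AWS sign-in hosts (and both the IAM federation path /saml and the IAM Identity Center ACS path /platform/saml/acs/<id> that appears in the trace above) and how to fail closed with a diagnostic instead of guessing "resume". The function names, the regional host pattern, and the sample page bodies are assumptions constructed for the example; they are not Okta or AWS responses captured from a real tenant.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// PageKind is the classification of an Okta page body during the SAML follow loop.
type PageKind string

const (
	KindSAML    PageKind = "saml"    // auto-submit form posting a SAMLResponse to AWS
	KindResume  PageKind = "resume"  // Okta interstitial carrying a stateToken
	KindUnknown PageKind = "unknown" // neither; caller should stop and dump the page
)

var (
	formActionRe   = regexp.MustCompile(`(?is)<form[^>]*\baction="([^"]+)"`)
	samlResponseRe = regexp.MustCompile(`(?is)<input[^>]*\bname="SAMLResponse"`)
	stateTokenRe   = regexp.MustCompile(`var\s+stateToken\s*=\s*'([^']+)'`)
	// Global host, or a regional host such as us-west-2.signin.aws.amazon.com.
	// Assumption: only the commercial partition is modelled here.
	awsSigninHostRe = regexp.MustCompile(`^([a-z]{2}(-[a-z]+)+-\d+\.)?signin\.aws\.amazon\.com$`)
)

// IsAWSSAMLEndpoint reports whether a form action points at an AWS SAML ACS.
// The host must be exactly the global or a regional sign-in host (a suffix
// check alone would also accept look-alike domains), the scheme must be
// https, and the path must be /saml or /platform/saml/acs/<id>.
func IsAWSSAMLEndpoint(action string) bool {
	u, err := url.Parse(action)
	if err != nil || u.Scheme != "https" {
		return false
	}
	if !awsSigninHostRe.MatchString(strings.ToLower(u.Hostname())) {
		return false
	}
	return u.Path == "/saml" || strings.HasPrefix(u.Path, "/platform/saml/acs/")
}

// ClassifyOktaPage decides what the follow loop should do with a page body.
// It never falls back to "resume" when the endpoint check fails: a page that
// is neither an AWS SAML form nor a stateToken page is reported as unknown
// together with the reason, so the user sees the real problem.
func ClassifyOktaPage(body string) (PageKind, error) {
	if m := formActionRe.FindStringSubmatch(body); m != nil && samlResponseRe.MatchString(body) {
		action := html.UnescapeString(m[1]) // actions are HTML-escaped in page source
		if IsAWSSAMLEndpoint(action) {
			return KindSAML, nil
		}
		return KindUnknown, fmt.Errorf("SAMLResponse form posts to unrecognised endpoint %q", action)
	}
	if stateTokenRe.MatchString(body) {
		return KindResume, nil
	}
	return KindUnknown, errors.New("no AWS SAML form and no stateToken in page body")
}

// Constructed sample bodies for the example; the ACS id is a zero placeholder.
const regionalSAMLPage = `<html><body>
<form id="appForm" method="POST" action="https://us-west-2.signin.aws.amazon.com/platform/saml/acs/00000000-0000-0000-0000-000000000000">
<input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlLi4u"/>
<input type="hidden" name="RelayState" value=""/>
</form></body></html>`

const globalSAMLPage = `<form method="POST" action="https://signin.aws.amazon.com/saml">
<input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlLi4u"/></form>`

const resumePage = `<script>var stateToken = '00abc-constructed-token';</script>`

const otherPage = `<html><body><p>Session expired</p></body></html>`

func main() {
	samples := map[string]string{
		"regional AWS SSO form": regionalSAMLPage,
		"global IAM form":       globalSAMLPage,
		"stateToken page":       resumePage,
		"unrelated page":        otherPage,
	}
	for name, body := range samples {
		kind, err := ClassifyOktaPage(body)
		fmt.Printf("%-22s -> %-8s err=%v\n", name, kind, err)
	}
}
```

With this ordering the regional page from the trace is classified as a SAML form, the global endpoint still works, a real stateToken page is still treated as a resume, and anything else is surfaced as an error that names the unexpected action URL, which is the information a DUMP_CONTENT=true run otherwise has to be read to find.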