Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License

Cannot authenticate with Okta & Okta Verify (Push or TOTP) #859

Open aaronpollock opened 1 year ago

aaronpollock commented 1 year ago

When attempting to sign in to AWS using Okta on a policy that requires "Allowed with password + another factor", sign in fails with the following error:

Error authenticating to IdP.: error retrieving auth response: request for url: https://company.okta.com/api/v1/authn failed status: 401 Unauthorized

If a temporary policy is applied specifically to AWS and excludes the second factor, only requiring a password, saml2aws works perfectly.

Configuring MFA as "Auto", "PUSH", "TOTP" makes no difference, the error is always the same.

We allow multiple types of authenticators - interestingly when configuring the policy to require password + Okta Verify only, the result in saml2aws is the same 401 error, but the device receives three push notifications to accept access. (Which do nothing since it's already failed with the error)

Checking to see if there are any known issues or special configurations we should be using, as I've tried every combination of settings I can think of and the only method to make this work is to remove MFA entirely, which we cannot do.

Verbose output:

```
user@computer:~$ saml2aws --verbose login
DEBU[0000] Running                       command=login
DEBU[0000] Check if creds exist.         command=login
DEBU[0000] Expand                        name=/home/user/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                name=/home/user/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists            filename=/home/user/.aws/credentials pkg=awsconfig
Using IdP Account default to access Okta https://company.okta.com/home/app/abc123abc123/123456
To use saved password just hit enter.
? Username user@email.com
? Password ****

DEBU[0003] building provider             command=login idpAccount="account {\n DisableSessions: false\n DisableRememberDevice: false\n URL: https://company.okta.com/home/app/abc123abc123/123456\n Username: user@email.com\n Provider: Okta\n MFA: Auto\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 28800\n Profile: xxx\n RoleARN: arn:aws:iam::xxxxxxx\n Region: xxxx\n}"
DEBU[0003] okta | disableSessions: false provider=okta
DEBU[0003] okta | rememberDevice: true   provider=okta
Authenticating as user@company.com ...
DEBU[0003] HTTP Req                      URL="https://company.okta.com/api/v1/authn" http=client method=POST
DEBU[0004] HTTP Res                      Status="200 OK" http=client
DEBU[0004] create session func called    provider=okta
DEBU[0004] HTTP Req                      URL="https://company.okta.com/api/v1/sessions" http=client method=POST
DEBU[0005] HTTP Res                      Status="200 OK" http=client
DEBU[0005] okta session expires at: 2022-07-29T19:27:37.000Z provider=okta
DEBU[0005] okta session established      provider=okta
DEBU[0005] auth with session func called provider=okta
DEBU[0005] validate session func called  provider=okta
DEBU[0005] HTTP Req                      URL="https://company.okta.com/api/v1/sessions/me" http=client method=GET
DEBU[0005] HTTP Res                      Status="200 OK" http=client
DEBU[0005] okta session established      provider=okta
DEBU[0005] valid okta session            provider=okta
DEBU[0005] HTTP Req                      URL="https://company.okta.com/home/amazon_aws/0oa1lo93dnHUHcPQk697/272" http=client method=GET
DEBU[0006] HTTP Res                      Status="200 OK" http=client
DEBU[0006] follow func called from auth with session func provider=okta
DEBU[0006] HTTP Req                      URL="https://company.okta.com/home/amazon_aws/0oa1lo93dnHUHcPQk697/272" http=client method=GET
DEBU[0007] HTTP Res                      Status="200 OK" http=client
DEBU[0007] HTTP Req                      URL="https://company.okta.com/home/amazon_aws/0oa1lo93dnHUHcPQk697/272" http=client method=GET
DEBU[0007] HTTP Res                      Status="200 OK" http=client
DEBU[0007] HTTP Req                      URL="https://company.okta.com/api/v1/authn" http=client method=POST
request for url: https://company.okta.com/api/v1/authn failed status: 401 Unauthorized
github.com/versent/saml2aws/v2/pkg/provider.SuccessOrRedirectResponseValidator
    github.com/versent/saml2aws/v2/pkg/provider/http.go:168
github.com/versent/saml2aws/v2/pkg/provider.(*HTTPClient).Do
    github.com/versent/saml2aws/v2/pkg/provider/http.go:113
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).primaryAuth
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:424
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:472
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:575
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:333
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:513
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
    ./main.go:188
runtime.main
    runtime/proc.go:250
runtime.goexit
    runtime/asm_amd64.s:1571
error retrieving auth response
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).primaryAuth
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:426
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:472
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:575
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:333
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
    github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:513
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
    ./main.go:188
runtime.main
    runtime/proc.go:250
runtime.goexit
    runtime/asm_amd64.s:1571
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
    ./main.go:188
runtime.main
    runtime/proc.go:250
runtime.goexit
    runtime/asm_amd64.s:1571
```

amasses commented 1 year ago

I added some debug logging to a local build and got the following output:

```
POST /api/v1/authn HTTP/1.1
Host: sso.myorg.com
User-Agent: saml2aws/1.0 (darwin arm64) Versent
Content-Length: 92
Accept: application/json
Content-Type: application/json
Accept-Encoding: gzip

{"username":"","password":"","stateToken":"02.id.vWjmMCPnQ9uFeEn8wDkBmba_EmfB43oLTHN1Eovr"}

Error response:  {"errorCode":"E0000011","errorSummary":"Invalid token provided","errorLink":"E0000011","errorId":"oae0CGtIKR2RlOfscGGLqKtfQ","errorCauses":[]}
request for url: https://sso.myorg.com/api/v1/authn failed status: 401 Unauthorized
github.com/versent/saml2aws/v2/pkg/provider.SuccessOrRedirectResponseValidator
    github.com/versent/saml2aws/v2/pkg/provider/http.go:168
```

Looking at the output when DUMP_CONTENT=true is set, I can see that this matches, so I am not 100% sure what is going on here. I am going to raise a support ticket with Okta to see if they can explain it at all, as it sounds like something is maybe broken in our org configuration (maybe a switch needs to be toggled or something)

amasses commented 1 year ago

So I had a chat with Okta about this, and we were scheduling a time to investigate this, and then the next time I tested the process worked for me without any changes 🤔

I'd suggest maybe this was a transient issue, but if others are having the issue try raising a support ticket with Okta and maybe it will be magically fixed 🤷🏻

marcelobartsch-jt commented 1 year ago

Just another user here, but we saw something similar when Okta FastPass was enabled; we had to disable it, as saml2aws didn't support it :(

QuentinBtd commented 1 year ago

Hello,

I spoke with Okta in June, they are aware of the problem due to an update of their application engine. It should be fixed in the third quarter of this year... If what they told me is right 😅

kirinnee commented 1 year ago

any workaround on this?

QuentinBtd commented 1 year ago

> any workaround on this?

For my part, I created a policy to allow connection to AWS with password and without MFA for certain IPs (e.g. VPN IP, office IPs...)

QuentinBtd commented 1 year ago

I thought that was enough, but no...

Sometimes we have to use --disable-sessions option to make it work.

amasses commented 1 year ago

We had this issue start to happen again. I engaged Okta support and ran through some testing with them, and determined that there is a scenario where saml2aws does the initial authentication, the MFA step, and then requests the URL for the SSO App, which redirects a few times until finally it gets to the saml/login page, however the hidden form with the SAMLResponse is missing, so saml2aws retries it a few times - finally after the third try, it attempts to re-auth, but the session token it found in the last page is no longer valid for this process.

When I discussed this with Okta they said the reason why the auth attempt was throwing up a Challenge response was possibly due to Device fingerprint risk rules.

Unfortunately the issue magically resolved itself (again!) when we went to re-test this with Okta, however my plan for the next time this happens is to disable device profiles in behaviour detection, and see if that helps: https://help.okta.com/en-us/Content/Topics/Security/behavior-detection/manage-behavior-detection.htm
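The two checks a client needs at the points this thread keeps tripping over, as an added example in Go (written for this page, not saml2aws code): scraping the hidden SAMLResponse input from the page that ends the redirect chain and sanity-checking it, so a page with no assertion (the case described above) is reported as such rather than retried until a stale stateToken is posted back to `/api/v1/authn`; and decoding the Okta error body so that an `E0000011` "Invalid token provided" response (the code shown in the earlier capture) surfaces as a typed error instead of a bare `401 Unauthorized`. The sample pages, the error body and every function name here are constructed for the example; the SAML namespace and the `Destination` attribute are standard SAML 2.0, everything else is an assumption about page shape.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"encoding/xml"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// oktaError mirrors the JSON error body Okta returns from /api/v1/authn (fields as in the capture above).
type oktaError struct {
	ErrorCode    string `json:"errorCode"`
	ErrorSummary string `json:"errorSummary"`
}

var (
	// Okta rejected the stateToken scraped from the SSO page (E0000011 "Invalid token
	// provided"); retrying primary auth with the same token cannot succeed, so stop the loop.
	ErrStaleStateToken = errors.New("okta: stateToken rejected (E0000011), do not retry primary auth with it")
	// The page ending the redirect chain had no hidden SAMLResponse input, i.e. the IdP
	// issued no assertion (the case amasses describes, typically a challenge page instead).
	ErrNoSAMLResponse = errors.New("okta: page has no SAMLResponse form, IdP did not issue an assertion")
)

// ClassifyAuthnFailure turns an error status plus body from /api/v1/authn into a typed
// error instead of the bare "failed status: 401 Unauthorized" saml2aws prints.
func ClassifyAuthnFailure(status int, body []byte) error {
	var oe oktaError
	if err := json.Unmarshal(body, &oe); err != nil {
		return fmt.Errorf("okta: status %d with undecodable body: %w", status, err)
	}
	if oe.ErrorCode == "E0000011" {
		return ErrStaleStateToken
	}
	return fmt.Errorf("okta: status %d %s: %s", status, oe.ErrorCode, oe.ErrorSummary)
}

var (
	inputTagRe = regexp.MustCompile(`(?is)<input\b[^>]*>`)
	attrRe     = regexp.MustCompile(`(?i)\b(name|value)\s*=\s*["']([^"']*)["']`)
)

// findSAMLResponseValue scans every <input> tag for name="SAMLResponse" (either attribute order).
func findSAMLResponseValue(page string) (string, bool) {
	for _, tag := range inputTagRe.FindAllString(page, -1) {
		var name, value string
		for _, a := range attrRe.FindAllStringSubmatch(tag, -1) {
			if strings.EqualFold(a[1], "name") {
				name = a[2]
			} else {
				value = a[2]
			}
		}
		if name == "SAMLResponse" && value != "" {
			return value, true
		}
	}
	return "", false
}

// samlResponse is the minimal XML shape needed to sanity-check the assertion.
type samlResponse struct {
	XMLName     xml.Name `xml:"Response"`
	Destination string   `xml:"Destination,attr"`
}

// ExtractSAMLResponse pulls the hidden SAMLResponse out of the HTML, base64-decodes it and
// checks it is a samlp:Response; it returns the decoded XML and the Destination it was issued for.
func ExtractSAMLResponse(page string) (string, string, error) {
	val, ok := findSAMLResponseValue(page)
	if !ok {
		return "", "", ErrNoSAMLResponse
	}
	raw, err := base64.StdEncoding.DecodeString(val)
	if err != nil {
		return "", "", fmt.Errorf("okta: SAMLResponse is not valid base64: %w", err)
	}
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", "", fmt.Errorf("okta: SAMLResponse is not a SAML Response: %w", err)
	}
	if r.XMLName.Space != "urn:oasis:names:tc:SAML:2.0:protocol" {
		return "", "", fmt.Errorf("okta: unexpected root namespace %q", r.XMLName.Space)
	}
	return string(raw), r.Destination, nil
}

// Constructed sample inputs for the example, not captured from a real tenant.
const sampleResponseXML = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed" Version="2.0" Destination="https://signin.aws.amazon.com/saml"><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:Response>`

// SamplePageWithAssertion stands in for Okta's auto-submitting SAML page (value before name on purpose).
func SamplePageWithAssertion() string {
	b64 := base64.StdEncoding.EncodeToString([]byte(sampleResponseXML))
	return `<html><body><form method="POST" action="https://signin.aws.amazon.com/saml">` +
		`<input type="hidden" value="` + b64 + `" name="SAMLResponse"/></form></body></html>`
}

// SamplePageWithoutAssertion stands in for the failure page: a stateToken in a script, no form.
const SamplePageWithoutAssertion = `<html><body><script>var stateToken = '02.id.constructed';</script></body></html>`

// SampleAuthnError has the shape of the 401 body in the capture above (errorId replaced).
const SampleAuthnError = `{"errorCode":"E0000011","errorSummary":"Invalid token provided","errorLink":"E0000011","errorId":"constructed","errorCauses":[]}`
```

The point of returning `ErrNoSAMLResponse` as a distinct value is that a caller can decide, per cause, whether to re-drive MFA or give up; what it should never do is pick a stateToken out of whatever page it landed on and feed it back to the primary-auth endpoint, which is the path that ends in the `E0000011` response shown earlier. The base64 and namespace checks are there so a truncated or non-SAML value is rejected before it is ever posted to AWS.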

amasses commented 1 year ago

As an aside I've also requested that Okta consider an API to get the SAMLResponse instead of this Rube Goldberg machine of authenticating the user via API and then pretending to be a browser and looking for a hidden form to get the SAML Response - if people could vote on this to indicate support it would be helpful: https://ideas.okta.com/app/#/case/162909

jeffreymlewis commented 9 months ago

Good call @amasses, I voted for your Okta feature request. :-)

I've run into this sporadically with a new Okta tenant. Disabling MFA via an Authentication policy allows me to complete the SAML flow and get aws creds, but this isn't a viable solution.

I don't see Security > Behavior Detection in my Okta tenant, so I guess we just don't have that feature. Not sure what else to try, without really digging into this code and troubleshooting live with Okta support (which I don't have time for right now, unfortunately).

I've started looking at okta-aws-cli as an alternative, but it doesn't have an 'exec' subcommand ....