aflatto
commented
1 year ago I have the same issue.
Open mpietihsm opened 1 year ago
aflatto
commented
1 year ago I have the same issue.
azdanielna
commented
1 year ago Running into same issue here as well.
aflatto
commented
1 year ago Just tried again with V 2.27.1 and still the same error: Phone approval required. error authenticating to IdP: unable to locate SAMLRequest URL
shanukova
commented
1 year ago Any updates on fixing this issue?
wtfiwtz
commented
1 year ago This relates to changes on the Microsoft side for Conditional Access. If you dig into it more, you might find you need to expose a browser window to the user, particularly for things like Client-side certificates.
Have a look at aws-runas version 3.5 and above as an alternative - https://github.com/mmmorris1975/aws-runas
It might take some time to update saml2aws to support this.
Here's some testing I did below... (eventually using Burp Suite as a proxy to review the browser traffic flow setting HTTPS_PROXY=...)
diff --git a/pkg/provider/aad/aad.go b/pkg/provider/aad/aad.go
index 0c26070..34506b1 100644
--- a/pkg/provider/aad/aad.go
+++ b/pkg/provider/aad/aad.go
@@ -681,6 +681,7 @@ func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error)
return samlAssertion, errors.Wrap(err, "error retrieving login results")
}
passwordLoginRequest.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+ passwordLoginRequest.Header.Add("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36")
res, err = ac.client.Do(passwordLoginRequest)
if err != nil {
return samlAssertion, errors.Wrap(err, "error retrieving login results")
@@ -696,6 +697,9 @@ func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error)
*/
isEnabledConditonalAccess := strings.HasPrefix(resBodyStr, "<html><head><title>Working...</title>") && strings.Contains(resBodyStr, "name=\"flowtoken\"")
+ fmt.Printf("isSkippedMFA: %b\n", isSkippedMFA);
+ fmt.Printf("isEnabledConditionalAccess: %b\n", isEnabledConditonalAccess);
+ fmt.Printf("Body:\n\n%s\n\n******\n\n", resBodyStr);
if isSkippedMFA || isEnabledConditonalAccess {
// require reprocess
if strings.Contains(resBodyStr, "<form") {
@@ -745,6 +749,7 @@ func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error)
authSubmitURL = action
})
+ fmt.Printf("authSubmitURL: %s\n", authSubmitURL);
if authSubmitURL == "" {
return samlAssertion, fmt.Errorf("unable to locate IDP oidc form submit URL")
}
@@ -755,6 +760,7 @@ func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error)
}
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+ req.Header.Add("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36")
ac.client.EnableFollowRedirect()
res, err = ac.client.Do(req)
@@ -772,6 +778,7 @@ func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error)
// data is embedded javascript
// window.location = 'https:/..../?SAMLRequest=......'
+ fmt.Printf("oidcResponseStr: %s\n", oidcResponseStr);
oidcResponseList := strings.Split(oidcResponseStr, ";")
var SAMLRequestURL string
for _, v := range oidcResponseList {
christianmeyer
commented
1 year ago check the fix in #795, I remember having that fixed back then - we use the patched version in production since >2y without (new) issues (https://github.com/christianmeyer/saml2aws/releases)
aflatto
commented
1 year ago I just tried it with you older version and still getting the error:
DEBU[0045] reached an unknown page within the authentication process provider=AzureAD failed get SAMLAssertion github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).Authenticate github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:221 github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105 main.main github.com/versent/saml2aws/cmd/saml2aws/main.go:188 runtime.main runtime/proc.go:255 runtime.goexit runtime/asm_amd64.s:1581 Error authenticating to IdP. github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107 main.main github.com/versent/saml2aws/cmd/saml2aws/main.go:188 runtime.main runtime/proc.go:255 runtime.goexit runtime/asm_amd64.s:1581
gbarna-bd
commented
1 year ago Similarly, I get reached an unknown page within the authentication process.
Using saml2aws 2.36.6.
johnniee
commented
1 year ago Facing the same issue here as well.
djtecha
commented
1 year ago Same issue here. Not sure if it helps but we are using a tenant ID
username = meee@{tenant_id}.companyname.com
githublloyd
commented
2 months ago issue still present I believe.
SAML2AWS version: 2.36.8
Testing my Azure Enterprise Application Single Sign On via Azure console is successful. The certificate is also Active and the XML metadata uploaded the the AWS IAM Identity Provider SAML type.
Thanks.
`DEBU[0000] Running command=login
DEBU[0000] Check if creds exist. command=login
DEBU[0000] Expand name=/home/user/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink name=/home/user/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists filename=/home/user/.aws/credentials pkg=awsconfig
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username username@email.com
? Password *********
DEBU[0003] building provider command=login idpAccount="account {\n AppID: XXXXXXXXX-64f6-4929-85e8-XXXXXXXXXXXX\n URL: https://account.activedirectory.windowsazure.com\n Username: username@email.com\n Provider: AzureAD\n MFA: PhoneAppOTP\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 3600\n Profile: default\n RoleARN: \n Region: \n}"
Authenticating as username@email.com ...
DEBU[0004] HTTP Req URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0004] HTTP Res Status="200 OK" http=client
DEBU[0004] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0004] HTTP Res Status="200 OK" http=client
? Enter verification code 794437
DEBU[0014] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0014] HTTP Res Status="200 OK" http=client
DEBU[0014] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0014] HTTP Res Status="200 OK" http=client
DEBU[0014] HTTP Req URL="https://login.microsoftonline.com/kmsi" http=client method=POST
DEBU[0014] HTTP Res Status="200 OK" http=client
DEBU[0014] HTTP Req URL="https://launcher.myapps.microsoft.com/api/signin-oidc" http=client method=POST
DEBU[0016] HTTP Res Status="200 OK" http=client
unable to locate SAMLRequest URL
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
./main.go:188
runtime.main
runtime/proc.go:255
runtime.goexit
runtime/asm_amd64.s:1581`
I have tried setting up saml2aws with Azure AD as the IdP according to the instructions here, to no avail.
My config is listed below, with some sensitive details ***ed out.
account { AppID: ********-****-****-****-da8b60c0d592 URL: https://account.activedirectory.windowsazure.com Username: ****@***.com Provider: AzureAD MFA: PhoneAppNotification SkipVerify: false AmazonWebservicesURN: urn:amazon:webservices SessionDuration: 3600 Profile: saml2aws_test RoleARN: Region: }I get the MFA prompt on my phone and everything appears to be moving along, but then I get the error "error authenticating to IdP: unable to locate SAMLRequest URL"
I am on the latest version of saml2aws (2.36.2), but have also tried reverting to previous versions to no avail. Here is the output of verbose logging: