arthepsy / pan-globalprotect-okta

PaloAlto Networks GlobalProtect VPN (integrated with OKTA) command-line client
101 stars 42 forks

OKTA not sending SMS #10

Closed ffainelli closed 5 years ago

ffainelli commented 5 years ago

I have OKTA configured to send me SMS for the challenge, and had to add the following to make the code accept it as a totp_factors:

diff --git a/gp-okta.py b/gp-okta.py
index 99b165bdac83..dfd88cf8fa76 100755
--- a/gp-okta.py
+++ b/gp-okta.py
@@ -278,7 +278,7 @@ def okta_mfa(conf, s, j):
             return u2f_resp

     totp_factors = [
-        x for x in factors if x.get('type') == 'token:software:totp'
+        x for x in factors if x.get('type') == 'token:software:totp' or x.get('type') == 'sms'
     ]
     dbg(conf.get('debug'), 'totp_factors', totp_factors)
     if len(totp_factors) == 0:
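Review bot: folding the `sms` factor into `totp_factors` makes the SMS factor selectable but never asks Okta to send the challenge, which matches the symptom reported under the hunk: nothing in this change issues a request against the chosen SMS factor before the code prompt, whereas a TOTP code is generated locally and needs no such request. Treat `sms` as its own factor type with its own selection and verification path, and either split the list, e.g. `sms_factors = [x for x in factors if x.get('type') == 'sms']`, or rename it so it no longer claims to hold only TOTP factors. Minor: the two equality tests read better as `x.get('type') in ('token:software:totp', 'sms')`.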

Though for some reason that does not trigger OKTA to send an SMS, any clues what could be missing? Enabling OKTA verify is an option, though some other people may prefer using SMS (e.g. traveling etc.).

arthepsy commented 5 years ago

I currently don't have access to enable SMS verification in my OKTA and therefore it's hard to answer and code the solution. Will try to think of something.

arthepsy commented 5 years ago

Ok, I resolved the issue of access to SMS factor. Will try to figure out work-flow and implement it.

arthepsy commented 5 years ago

@ffainelli I've implemented SMS verification. To use it, add sms.okta = 1 in Your configuration file, before totp.xxx lines (it defines priority).

I made successful connection with SMS verification, but, please, test it and give feedback.
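The priority rule described in this comment (the first factor key in the configuration file wins) can be shown in a few lines. The following is an added example written for this page in Python 3; it is not gp-okta's own code. The config fragment and the factor list are constructed, the ids and secret are placeholders, and the factor entries use the `type` key the way the patch in this thread reads them rather than the raw Okta API field name. The mapping from config key prefix to factor type is an assumption for the example.

```python
# Added example (not code from gp-okta): selecting an Okta MFA factor by the
# order of factor keys in the configuration file, as the comment above
# describes (sms.okta before totp.xxx means SMS is preferred).  The config
# fragment and factor list are constructed; ids and secrets are placeholders.
from typing import Dict, List, Optional

# Config key prefix -> factor type.  Assumed mapping for this example.
FACTOR_TYPES = {
    "sms": "sms",
    "totp": "token:software:totp",
}

SAMPLE_CONF = """\
# constructed gp-okta.conf fragment
sms.okta = 1
totp.okta = PLACEHOLDER_SECRET
"""

# Constructed factor list, keyed by `type` like the filter in the patch above.
SAMPLE_FACTORS: List[Dict] = [
    {"id": "factor-id-placeholder-1", "type": "token:software:totp", "status": "ACTIVE"},
    {"id": "factor-id-placeholder-2", "type": "sms", "status": "ACTIVE"},
    {"id": "factor-id-placeholder-3", "type": "push", "status": "ACTIVE"},
]


def factor_priority(conf_text: str) -> List[str]:
    """Return factor types in the order their config keys first appear."""
    order: List[str] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        prefix = key.split(".", 1)[0].lower()
        ftype = FACTOR_TYPES.get(prefix)
        if ftype is not None and ftype not in order:
            order.append(ftype)
    return order


def choose_factor(factors: List[Dict], priority: List[str]) -> Optional[Dict]:
    """Return the first ACTIVE factor of the highest-priority type, or None.

    Returning None instead of falling back to an arbitrary factor lets the
    caller fail closed when nothing the user configured is actually enrolled.
    """
    for ftype in priority:
        for factor in factors:
            if factor.get("type") == ftype and factor.get("status", "ACTIVE") == "ACTIVE":
                return factor
    return None


if __name__ == "__main__":
    prio = factor_priority(SAMPLE_CONF)
    chosen = choose_factor(SAMPLE_FACTORS, prio)
    print("priority:", prio)
    print("chosen:", chosen and chosen["type"])
```

Swapping the two lines in `SAMPLE_CONF` makes TOTP win; a config that names only a factor type the user has not enrolled yields `None`, which is the case a client should refuse to proceed on rather than guess.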

ffainelli commented 5 years ago

@arthepsy thanks, this works great, now I'm back to where I was before with the following:

# mfa.response:
200
{"expiresAt":"2019-01-23T04:46:28.000Z","status":"SUCCESS","sessionToken":"20111tQ3vqjgLMGq7GDAmz3U6w-Q65xM-yghBnnAStRvo_zEmpE4GLl","_embedded":{"user":{"id":"00u40napl4brrxRCi0x7","profile":{"login":"username@Company.net","firstName":"Florian","lastName":"Fainelli","locale":"en","timeZone":"America/Los_Angeles"}}}}
---
[INFO] sessionToken: 20111tQ3vqjgLMGq7GDAmz3U6w-Q65xM-yghBnnAStRvo_zEmpE4GLl
[INFO] okta redirect request
# redirect.response:
200
<!DOCTYPE html>
<!--[if IE 7]><html class="lt-ie10 lt-ie9 lt-ie8"><![endif]-->
<!--[if IE 8]><html class="lt-ie10 lt-ie9"> <![endif]-->
<!--[if IE 9]><html class="lt-ie10"><![endif]-->
<!--[if gt IE 9]><html><![endif]-->
<!--[if !IE]><!--><html><!--<![endif]-->
<head>

    <script>if (typeof module === 'object') {window.module = module; module = undefined;}</script>

    <title>Company Inc. - Extra Verification</title>
        <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="robots" content="none" />

    <link href="https://company.okta.com/assets/loginpage/css/okta-login-page.min.c2335d687406691ab0663072de302c86.css" type="text/css" rel="stylesheet"/><script>
        var okta = {
            locale: 'en',
            deployEnv: 'PROD'
        };
    </script>
    <script>window.okta || (window.okta = {}); okta.cdnUrlHostname = ""; okta.cdnPerformCheck = true; okta.cdnPerformCheckHostname = "//ok6static.oktacdn.com";</script><script>window.okta || (window.okta = {});window.okta.mixpanel = true;window.okta.mixpanelTrackingSamplingFactors = {"_DEFAULT":1.0};</script><script>if (window.module) module = window.module;</script>

</head>
<body class="auth okta-container">

<!--[if gte IE 8]>
  <![if lte IE 9]>

    <style>
    .unsupported-browser-banner-wrap {
      padding: 20px;
      border: 1px solid #ddd;
      background-color: #f3fbff;
    }
    .unsupported-browser-banner-inner {
      position: relative;
      width: 735px;
      margin: 0 auto;
      text-align: left;
    }
    .unsupported-browser-banner-inner .icon {
      vertical-align: top;
      margin-right: 20px;
      display: inline-block;
      position: static !important;
    }
    .unsupported-browser-banner-inner a {
      text-decoration: underline;
    }
    </style>

    <div class="unsupported-browser-banner-wrap">
      <div class="unsupported-browser-banner-inner">
        <span class="icon icon-16 icon-only warning-16-yellow"></span>You are using an unsupported browser. For the best experience, update to <a href="https://support.okta.com/help/articles/Knowledge_Article/24532952-Platforms---Browser-and-OS-Support">a supported browser</a>.</div>
    </div>

  <![endif]>
<![endif]-->
<!--[if IE 8]> <div id="login-bg-image-ie8" class="login-bg-image" data-se="login-bg-image"></div> <![endif]-->
<!--[if (gt IE 8)|!(IE)]><!--> <div id="login-bg-image" class="login-bg-image" data-se="login-bg-image"></div> <!--<![endif]-->

<!-- hidden form for reposting fromURI for X509 auth -->
<form action="/login/cert" method="post" id="x509_login" name="x509_login" style="display:none;">
    <input type="hidden" class="hide" name="_xsrfToken" value="d8da98c20e4a639dcb544261167c29e6672283c768b63a54d528b7343e723d5f"/><input type="hidden" id="fromURI" name="fromURI" class="hidden" value="&#x2f;app&#x2f;panw_globalprotect&#x2f;exk2jo2uafxlvaNue2p7&#x2f;sso&#x2f;saml&#x3f;SAMLRequest&#x3d;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&#x25;2BaHR0cHM6Ly9wb3J0YWwudnBuLmJyb2FkY29tLmNvbTo0NDMvU0FNTDIwL1NQPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KPGRzOlNpZ25lZEluZm8&#x25;2BCjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8&#x25;2BCjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KPGRzOlJlZmVyZW5jZSBVUkk9IiNfM2FhZjM4MWI0M2Y5OTQzNTYwYTg1OTRjMGU1OGNjNWUiPgo8ZHM6VHJhbnNmb3Jtcz4KPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8&#x25;2BCjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KPC9kczpUcmFuc2Zvcm1zPgo8ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz4KPGRzOkRpZ2VzdFZhbHVlPjJDOG5oK2VQYmZMMFlYVGhMWE1Dand2aDdSRT08L2RzOkRpZ2VzdFZhbHVlPgo8L2RzOlJlZmVyZW5jZT4KPC9kczpTaWduZWRJbmZvPgo8ZHM6U2lnbmF0dXJlVmFsdWU&#x25;2BcWxkbDI5WnV4OWF6aGZNUTFvUmlXSU81aXEyK3lVQWlyblNoV0pvVkpOVmtkZXkxeEFwL09aUFVpeURJS2pWRAo1cVU4ZU9sbEpGaWF3ZW5oS3RLSVhicG4yOVUwQVZxTGxXaUpYRlZUbW1IU0l0WG9wU2FyM1lBQTFNRUNYUFpxCk5iOE9xSWVnZm5yeVdSaVdBTUNPZU1CSTlXSG52YWVNNGkxZUNrVnl4ZWNrbGp6SndPTEhGT1I4ZXQ5Rzgzb28KRHVpVFdHMkVGVEU4N1dZbUtvRE15QW4vZ2UvamdrWmsyUzJXUFlIN0x0QUFmOWtNdW1WT3pDSERwSXdWYkxwSQpuYlJsbjFtdmY5U0dQOTI5dnJwS3MrbHVpTWEyVW03OTEyN3N3ZWpLU0pKM3VwQ05XV1BBWkdkbjIzSjE5citKCnVVUEZrUjRiYWgwSERBaXZqNEtwc3c9PTwvZHM6U2lnbmF0dXJlVmFsdWU&#x25;2BCjxkczpLZXlJbmZvPjxkczpLZXlOYW1lPioudnBuLmJyb2FkY29tLmNvbTwvZHM6S2V5TmFtZT48ZHM6WDUwOURhdGE&#x25;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&#x2
5;2BPC9kczpYNTA5RGF0YT48L2RzOktleUluZm8&#x25;2BPC9kczpTaWduYXR1cmU&#x25;2BPC9zYW1scDpBdXRoblJlcXVlc3Q&#x25;2B&amp;RelayState&#x3d;4rYAAG9l9Vs0MWUxYWY2ZDQyMTZiYTZiZDNjNjAwMzlhMDI1NGM5Yg&#x25;3D&#x25;3D&amp;OKTA_INVALID_SESSION_REPOST&#x3d;true&amp;fromLoginToken&#x3d;hhSaAPQYFlhwwoCOwRg2VV1oBUfZwaNeR2BjSsLJuJeSOk8OFC9SE8TJRu5df-l_mN049rX3oUsptY1clG3acWYNmXcrQIgSC2qNBIgKl8f0CaRjsRGsDWBA4CMtqItOY3n0HRG6sL85SXuVfcpkWQq1t2vZK0elJVN2pS_mwkec5egiPm6bTa_I2pkPPQQWCXEhgg4PPdCj7DygoIRLZ-g2GRqezPFP82btxuXZxnyRUKUo-KFNBpvHxaqsBgoTkBeCRWrKoTdD1PUlD1vCpjH1v_zdhdt-4X4-uzMFrjH0P0r3F-MJ9LJ1Kw33Yfw7nC57qtUNFpAV3roaAyeUaA"/>
</form>

<div class="content">
  <div class="applogin-banner">
          <div class="applogin-background"></div>
          <div class="applogin-container">
              <h1>
                Connecting to<div class="applogin-app-logo">
                      <img src="https://company.okta.com/bc/globalFileStoreRecord?id=gfs2aomnpmwwyiQMu2p7" alt="GP&#x20;VPN&#x20;-&#x20;LVN&#x20;&#x28;Hidden&#x29;" class="logo panw_globalprotect"/></div>
              </h1>
              <p>Sign-in with your Company Inc. account to access GP VPN - LVN (Hidden)</p>
          </div>
      </div>
  <style type="text/css">
    .noscript-msg {
        background-color: #fff;
        border-color: #ddd #ddd #d8d8d8;
        box-shadow:0 2px 0 rgba(175, 175, 175, 0.12);
        text-align: center;
        width: 398px;
        min-width: 300px;
        margin: 200px auto;
        border-radius: 3px;
        border-width: 1px;
        border-style: solid;
    }

    .noscript-content {
        padding: 42px;
    }

    .noscript-content h2 {
        padding-bottom: 20px;
    }

    .noscript-content h1 {
        padding-bottom: 25px;
    }

    .noscript-content a {
        background: transparent;
        box-shadow: none;
        display: table-cell;
        vertical-align: middle;
        width: 314px;
        height: 50px;
        line-height: 36px;
        color: #fff;
        background: linear-gradient(#007dc1, #0073b2), #007dc1;
        border: 1px solid;
        border-color: #004b75;
        border-bottom-color: #00456a;
        box-shadow: rgba(0, 0, 0, 0.15) 0 1px 0, rgba(255, 255, 255, 0.1) 0 1px 0 0 inset;
        -webkit-border-radius: 3px;
        border-radius: 3px;
    }

    .noscript-content a:hover {
        background: #007dc1;
        cursor: hand;
        text-decoration: none;
    }
</style>
<noscript>
    <div id="noscript-msg" class="noscript-msg">
        <div class="noscript-content">
            <h2>Javascript is required</h2>
            <h1>Javascript is disabled on your browser.&nbspPlease enable Javascript and refresh this page.</h1>
            <a href=".">Refresh</a>
        </div>
    </div>
</noscript>
<div id="signin-container"></div>
  <div id="okta-sign-in" class="auth-container main-container" style="display:none">
      <div id="unsupported-onedrive" class="unsupported-message" style="display:none">
        <h2 class="o-form-head">Your OneDrive version is not supported</h2>
        <p>Upgrade now by installing the OneDrive for Business Next Generation Sync Client to login to Okta</p>
        <a class="button button-primary" target="_blank" href="https://support.okta.com/help/articles/Knowledge_Article/Upgrading-to-OneDrive-for-Business-Next-Generation-Sync-Client">
          Learn how to upgrade</a>
      </div>
      <div id="unsupported-cookie" class="unsupported-message" style="display:none">
          <h2 class="o-form-head">Cookies are required</h2>
          <p>Cookies are disabled on your browser. Please enable Cookies and refresh this page.</p>
          <a class="button button-primary" target="_blank" href=".">
              Refresh</a>
      </div>
  </div>
</div>

<div class="footer">
  <div class="footer-container clearfix">
    <p class="copyright">Powered by <a href="http://www.okta.com/" class="inline-block notranslate">Okta</a></p>
        <p class="privacy-policy"><a href="/privacy" target="_blank" class="inline-block margin-l-10">Privacy Policy</a></p>
    </div>
</div>

<script type="text/javascript">function runLoginPage (fn) {var mainScript = document.createElement('script');mainScript.src = 'https://company.okta.com/assets/js/mvc/loginpage/initLoginPage.pack.28480ea192eb1871ce16e253fbd87728.js?v=1';document.getElementsByTagName('head')[0].appendChild(mainScript);fn && mainScript.addEventListener('load', function () { setTimeout(fn, 1) });}</script><script type="text/javascript">
(function(){

  var baseUrl = 'https\x3A\x2F\x2Fcompany.okta.com';
  var suppliedRedirectUri = '';
  var repost = true;
  var stateToken = '00atCW5r3LY0XKIs\x2D9fCclZNcinELsTZXtFcrDKB23';
  var fromUri = '\x2Fapp\x2Fpanw_globalprotect\x2Fexk2jo2uafxlvaNue2p7\x2Fsso\x2Fsaml\x3FSAMLRequest\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\x252BaHR0cHM6Ly9wb3J0YWwudnBuLmJyb2FkY29tLmNvbTo0NDMvU0FNTDIwL1NQPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KPGRzOlNpZ25lZEluZm8\x252BCjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8\x252BCjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KPGRzOlJlZmVyZW5jZSBVUkk9IiNfM2FhZjM4MWI0M2Y5OTQzNTYwYTg1OTRjMGU1OGNjNWUiPgo8ZHM6VHJhbnNmb3Jtcz4KPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8\x252BCjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KPC9kczpUcmFuc2Zvcm1zPgo8ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz4KPGRzOkRpZ2VzdFZhbHVlPjJDOG5oK2VQYmZMMFlYVGhMWE1Dand2aDdSRT08L2RzOkRpZ2VzdFZhbHVlPgo8L2RzOlJlZmVyZW5jZT4KPC9kczpTaWduZWRJbmZvPgo8ZHM6U2lnbmF0dXJlVmFsdWU\x252BcWxkbDI5WnV4OWF6aGZNUTFvUmlXSU81aXEyK3lVQWlyblNoV0pvVkpOVmtkZXkxeEFwL09aUFVpeURJS2pWRAo1cVU4ZU9sbEpGaWF3ZW5oS3RLSVhicG4yOVUwQVZxTGxXaUpYRlZUbW1IU0l0WG9wU2FyM1lBQTFNRUNYUFpxCk5iOE9xSWVnZm5yeVdSaVdBTUNPZU1CSTlXSG52YWVNNGkxZUNrVnl4ZWNrbGp6SndPTEhGT1I4ZXQ5Rzgzb28KRHVpVFdHMkVGVEU4N1dZbUtvRE15QW4vZ2UvamdrWmsyUzJXUFlIN0x0QUFmOWtNdW1WT3pDSERwSXdWYkxwSQpuYlJsbjFtdmY5U0dQOTI5dnJwS3MrbHVpTWEyVW03OTEyN3N3ZWpLU0pKM3VwQ05XV1BBWkdkbjIzSjE5citKCnVVUEZrUjRiYWgwSERBaXZqNEtwc3c9PTwvZHM6U2lnbmF0dXJlVmFsdWU\x252BCjxkczpLZXlJbmZvPjxkczpLZXlOYW1lPioudnBuLmJyb2FkY29tLmNvbTwvZHM6S2V5TmFtZT48ZHM6WDUwOURhdGE\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\x252BPC9kczpYNTA5RGF0YT48L2RzOktleUluZm8\x252BPC9kczpTaWduYXR1cmU\x252BPC9zYW1scDpBdXRoblJlcXVlc3Q\x252B\x26RelayState\x3D4rYAAG9l9Vs0MWUxYWY2ZDQyMTZiYTZiZDNjNjAwMzlhMDI1NGM5Yg\x253D\x253D\x26OKTA_INVALID_SESSION_REPOST\x
3Dtrue\x26fromLoginToken\x3DhhSaAPQYFlhwwoCOwRg2VV1oBUfZwaNeR2BjSsLJuJeSOk8OFC9SE8TJRu5df\x2Dl_mN049rX3oUsptY1clG3acWYNmXcrQIgSC2qNBIgKl8f0CaRjsRGsDWBA4CMtqItOY3n0HRG6sL85SXuVfcpkWQq1t2vZK0elJVN2pS_mwkec5egiPm6bTa_I2pkPPQQWCXEhgg4PPdCj7DygoIRLZ\x2Dg2GRqezPFP82btxuXZxnyRUKUo\x2DKFNBpvHxaqsBgoTkBeCRWrKoTdD1PUlD1vCpjH1v_zdhdt\x2D4X4\x2DuzMFrjH0P0r3F\x2DMJ9LJ1Kw33Yfw7nC57qtUNFpAV3roaAyeUaA';
  var username = '';
  var rememberMe = true;
  var smsRecovery = true;
  var callRecovery = false;
  var emailRecovery = true;
  var usernameLabel = 'Username';
  var usernameInlineLabel = 'Your\x20Company\x20Inc.\x20AD\x2FNT\x20account';
  var passwordLabel = 'Password';
  var passwordInlineLabel = 'Your\x20Company\x20Inc.\x20AD\x2FNT\x20password';
  var signinLabel = 'Accept\x20Company\x20Inc.\x20Terms\x20\x26\x20Conditions';
  var forgotpasswordLabel = 'Forgot\x20password\x3F';
  var unlockaccountLabel = 'Unlock\x20account\x3F';
  var helpLabel = 'Help';
  var orgSupportPhoneNumber = '';
  var hideSignOutForMFA = true;
  var loginPageUrlRedirect = '';
  var enableUrlFixForEmbeddedBrowsers = false;
  var footerHelpTitle = 'Need\x20help\x20signing\x20in\x3F';
  var recoveryFlowPlaceholder = 'Email\x20or\x20Username';
  var signOutUrl = '';
  var authScheme = 'OAUTH2';

  var securityImage = true;

  var windowsVerify = false;

    windowsVerify = true;

  var selfServiceUnlock = false;

    selfServiceUnlock = true;

  var preventBrowserFromSavingOktaPassword = false;

  var enableMixpanelTracking = false;

  var autoPush = false;

    autoPush = true;

  var publishToAccountChooser = false;
  var accountChooserDiscoveryUrl = null;

    publishToAccountChooser = true;
    accountChooserDiscoveryUrl = 'https://login.okta.com/discovery/iframe.html';

  // In case of custom app login, the uri is already absolute, so we must not attach baseUrl
  var redirectUri;
  if (isAbsoluteUri(fromUri)) {
      redirectUri = fromUri;
  } else {
      redirectUri = baseUrl + fromUri;
  }

  var customButtons;

  var customLinks = [];

    customLinks.push({
      text: 'Terms\x20and\x20Conditions',
      href: 'https\x3A\x2F\x2Fmyportal.company.com\x2Fweb\x2Femployees\x2Fterms\x2Dconditions'
    });

  var linkParams;

  var idpDiscovery;
  var idpDiscoveryRequestContext;

  var hasPasswordlessPolicy = false;

  var showPasswordToggleOnSignInPage = false;

  var hasOAuth2ConsentFeature = false;
  var consentFunc;

  var hasMfaAttestationFeature = false;

  var registration = false;

  var webauthn = false;

  var loginPageConfig = {
    fromUri: fromUri,
    repost: repost,
    redirectUri: redirectUri,
    isMobileClientLogin: false,
    isMobileSSO: false,

    linkParams: linkParams,
    hasChromeOSFeature: false,
    showLinkToAppStore: false,
    publishToAccountChooser: publishToAccountChooser,
    accountChooserDiscoveryUrl: accountChooserDiscoveryUrl,
    preventBrowserFromSavingOktaPassword: preventBrowserFromSavingOktaPassword,
    enableMixpanelTracking: enableMixpanelTracking,
    enableUrlFixForEmbeddedBrowsers: enableUrlFixForEmbeddedBrowsers,
    loginPageUrlRedirect: loginPageUrlRedirect,
    mfaAttestation: hasMfaAttestationFeature,
    signIn: {
      el: '#signin-container',
      baseUrl: baseUrl,
      logo: 'https://company.okta.com/bc/image/fileStoreRecord?id=fs09tph49bX08lpVi0x7',
      logoText: 'Company\x20Inc.',
      helpSupportNumber: orgSupportPhoneNumber,
      stateToken: stateToken,
      username: username,
      signOutLink: signOutUrl,
      consent: consentFunc,
      authScheme: authScheme,
      relayState: fromUri,
      idpDiscovery: {
        requestContext: idpDiscoveryRequestContext
      },
      features: {
        router: true,
        securityImage: securityImage,
        rememberMe: rememberMe,
        autoPush: autoPush,
        webauthn: webauthn,
        smsRecovery: smsRecovery,
        callRecovery: callRecovery,
        emailRecovery: emailRecovery,
        windowsVerify: windowsVerify,
        selfServiceUnlock: selfServiceUnlock,
        multiOptionalFactorEnroll: true,
        deviceFingerprinting: true,
        trackTypingPattern: false,
        hideSignOutLinkInMFA: hideSignOutForMFA,
        customExpiredPassword: true,
        idpDiscovery: idpDiscovery,
        passwordlessAuth: hasPasswordlessPolicy,
        consent: hasOAuth2ConsentFeature,
        showPasswordToggleOnSignInPage: showPasswordToggleOnSignInPage,
        registration: registration
      },

      assets: {
        baseUrl: okta.cdnUrlHostname + '/assets/js/mvc/loginpage/i18n'
      },

      language: okta.locale,
      i18n: {},

      customButtons: customButtons,

      helpLinks: {
        help: 'https\x3A\x2F\x2Fcompanyprd.service\x2Dnow.com\x2Fsp',
        forgotPassword: '',
        unlock: '',
        custom: customLinks
      }
    }
  };

  loginPageConfig.signIn.i18n[okta.locale] = {

    'primaryauth.username.placeholder': usernameLabel,
    'primaryauth.username.tooltip': usernameInlineLabel,
    'primaryauth.password.placeholder': passwordLabel,
    'primaryauth.password.tooltip': passwordInlineLabel,
    'primaryauth.title': signinLabel,
    'forgotpassword': forgotpasswordLabel,
    'unlockaccount': unlockaccountLabel,
    'help': helpLabel,
    'needhelp': footerHelpTitle,
    'password.forgot.email.or.username.placeholder': recoveryFlowPlaceholder,
    'password.forgot.email.or.username.tooltip': recoveryFlowPlaceholder,
    'account.unlock.email.or.username.placeholder': recoveryFlowPlaceholder,
    'account.unlock.email.or.username.tooltip': recoveryFlowPlaceholder
  };

  function isOldWebBrowserControl() {
    // We no longer support IE7. If we see the MSIE 7.0 browser mode, it's a good signal
    // that we're in a windows embedded browser.
    if (navigator.userAgent.indexOf('MSIE 7.0') === -1) {
      return false;
    }

    // Because the userAgent is the same across embedded browsers, we use feature
    // detection to see if we're running on older versions that do not support updating
    // the documentMode via x-ua-compatible.
    return document.all && !window.atob;
  }

  function isAbsoluteUri(uri) {
    var pat = /^https?:\/\//i;
    return pat.test(uri);
  }

  var unsupportedContainer = document.getElementById('okta-sign-in');

  // Old versions of WebBrowser Controls (specifically, OneDrive) render in IE7 browser
  // mode, with no way to override the documentMode. In this case, inform the user they need
  // to upgrade.
  if (isOldWebBrowserControl()) {
    document.getElementById('unsupported-onedrive').removeAttribute('style');
    unsupportedContainer.removeAttribute('style');
  }
  else if (!navigator.cookieEnabled) {
    document.getElementById('unsupported-cookie').removeAttribute('style');
    unsupportedContainer.removeAttribute('style');
  }
  else {
    unsupportedContainer.parentNode.removeChild(unsupportedContainer);
    runLoginPage(function () {
      OktaLogin.initLoginPage(loginPageConfig);
    });
  }

}());
</script>

<script>
  window.addEventListener('load', function(event) {
    function applyStyle(id, style) {
      if (style) {
        var el = document.getElementById(id);
        if (el) {
          el.setAttribute('style', style);
        }
      }
    }
    applyStyle('login-bg-image', "background-image: url('https://company.okta.com/bc/fileStoreRecord?id=fs0cbourux0RANRj00x7')");
    applyStyle('login-bg-image-ie8', "filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src='https://company.okta.com/bc/fileStoreRecord?id=fs0cbourux0RANRj00x7', sizingMethod='scale')");
  });
</script>

</body>
</html>

---
[INFO] okta redirect form request
Traceback (most recent call last):
  File "./gp-okta.py", line 424, in <module>
    main()
  File "./gp-okta.py", line 387, in main
    saml_username, prelogin_cookie = okta_redirect(conf, s, token, redirect_url)
  File "./gp-okta.py", line 331, in okta_redirect
    r = s.post(url, data=data)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 567, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 506, in request
    prep = self.prepare_request(req)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 449, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 305, in prepare
    self.prepare_url(url, params)
  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 379, in prepare_url
    raise MissingSchema(error)
requests.exceptions.MissingSchema: Invalid URL '/login/cert': No schema supplied. Perhaps you meant http:///login/cert?
zsh: exit 1     ./gp-okta.py gp-okta.conf
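The traceback above ends in `MissingSchema` because the action of the only form in the dumped page, the hidden `x509_login` form with `action="/login/cert"`, is posted as-is instead of being resolved against the page's origin. The following added example, written for this page in Python 3 and not taken from gp-okta, parses the forms out of a page with the standard library, resolves each action with `urljoin`, and flags forms hidden with CSS so a client can tell a repost helper form from one it should submit. `SAMPLE_HTML` is a constructed, trimmed copy of that hidden form; `PAGE_URL` and the hidden input values are placeholders.

```python
# Added example (not code from gp-okta): resolving a form's action against
# the URL the page was fetched from, which is what the traceback above lacks
# when it posts the relative action '/login/cert'.  SAMPLE_HTML is a
# constructed, trimmed copy of the hidden X509 repost form from the debug
# output; PAGE_URL and the hidden input values are placeholders.
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin

PAGE_URL = "https://company.okta.com/login/placeholder-page"  # assumed origin URL

SAMPLE_HTML = """\
<html><body>
<!-- hidden form for reposting fromURI for X509 auth -->
<form action="/login/cert" method="post" id="x509_login" name="x509_login" style="display:none;">
    <input type="hidden" name="_xsrfToken" value="XSRF-TOKEN-PLACEHOLDER"/>
    <input type="hidden" id="fromURI" name="fromURI" value="/app/panw_globalprotect/PLACEHOLDER/sso/saml"/>
</form>
<div id="signin-container"></div>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its attributes and named <input> values."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            style = a.get("style", "").replace(" ", "").lower()
            self._current = {
                "id": a.get("id"),
                "action": a.get("action", ""),
                "method": a.get("method", "get").upper(),
                "hidden": "display:none" in style,
                "inputs": {},
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["inputs"][a["name"]] = a.get("value", "")

    def handle_endtag(self, tag: str) -> None:
        if tag == "form":
            self._current = None


def collect_forms(html: str, page_url: str) -> List[Dict]:
    """Parse forms and attach the absolute URL each one would submit to."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    for form in parser.forms:
        # urljoin leaves an already-absolute action unchanged and resolves
        # '/login/cert' against the page's scheme and host.
        form["url"] = urljoin(page_url, form["action"])
    return parser.forms


def visible_forms(forms: List[Dict]) -> List[Dict]:
    """Forms a client should consider submitting: those not hidden with CSS."""
    return [f for f in forms if not f["hidden"]]


if __name__ == "__main__":
    found = collect_forms(SAMPLE_HTML, PAGE_URL)
    for f in found:
        state = "hidden" if f["hidden"] else "visible"
        print(f["id"], f["method"], f["url"], state, sorted(f["inputs"]))
    print("visible forms:", len(visible_forms(found)))
```

On the sample page `visible_forms` comes back empty: the real sign-in UI is rendered by script into `#signin-container`, so there is no server-side form to post credentials to, which is the situation the page dump above shows.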
arthepsy commented 5 years ago

Ah, so You were having two different issues - feature of SMS verification and initial connection failure. For now, You can't even try to get SMS to verify this...

arthepsy commented 5 years ago

Closing, as the SMS factor is implemented. The other issue is being discussed in #11.