Closed jnewbigin closed 3 months ago
Travis seems to be failing because of some gpg issues
Good morning. Our org transitioned our LastPass setup to use federated Okta SSO and one of our teams is now having a large issue because they cannot authenticate to the CLI. Do we have any update on this, or is there anything I can help you test on my end? This issue was not documented anywhere on the upgrade documentation or the LastPass-CLI docs, so we are kind of dead in the water currently. I saw you made a commit that may help solve this specific issue and I'd be happy to help with any testing or troubleshooting if you have some time to push this to a branch today. Thanks for your help, and let me know what you need to launch a few tests.
@araff-r7 I have invited you to try my GUI client which works with this PR to enable Okta federated login
Hey, sorry for the delay. Let me spin this up and give it a try. Thanks so much for the response!
Hi @jnewbigin , I had some time to test your changes this morning. I'm documenting the installation process for you guys so hopefully the next person who needs this doesn't have the same issues I did. I'll make a PR with the docs I wrote once I get the CLI fully working.
So right now I installed LastPass CLI v1.3.3.GIT via your SSO branch here: https://github.com/jnewbigin/lastpass-cli/tree/sso. I see the new --sso option, but it keeps giving me: Error: HTTP response code said error. when I try to log in. I made sure to export the pinentry path.
I'm on a Mac and due to SIP Make couldn't write to the directory your Make file was trying to install the CLI tool in. If I remember correctly it was originally set to /usr/bin but I was able to at least get your new SSO branch installed when I used the command cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr/local .
I got the LaughPass Electron app installed and when I run it with npm start the window pops up and redirects me to Okta after I enter my email address, so I'm confident that part is working, but when I try lpass login --sso email_address@whatever.com it gives me the above error without opening the Electron app at all.
Let me know if you want to see my installation steps so far. I'm going to keep playing with it for a bit, but if you have any idea why I'm getting that error, any advice would be appreciated. Thanks!
@jnewbigin I'm also interested in your electron partner app navigating the enterprise login flow. Do you have the repo available anywhere?
@nottwo I have invited you to see the (currently private) repo
Sorry @jnewbigin
The link expired by the time I saw the email notification. Please resend?
maybe this is obvious to you all, but from where could I pick up the hidden master password ?
Well my understanding is that you can't. Read starting at the end of page 12 of "LastPass federated login services" https://assets.cdngetgo.com/aa/97/5ec2619b46349dc3eb3212a37b11/lastpass-technical-whitepaper.pdf.
@jnewbigin seems to be trying to solve the login process with a separate electron client dealing with the missing part of login (what he calls the login flow).
BTW my company uses On-Premise IdP.
In order for the lastpass-cli to work for SSO/federated users, the hidden master password is required (as described in the lastpass-technical-whitepaper). This can be entered into lastpass-cli as the master password.
Additionally, a fragment_id from the SSO flow is required.
This patch enables supplying the required fragment via pinentry and then including the fragment in the login request. With this patch, it is possible to use the lastpass-cli and authenticate with SSO (tested with Okta type: 3 accounts)
A separate electron client can perform the login flow and make the password and fragment available to a pinentry shim (which I have almost ready to publish)
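The comment above describes handing the hidden master password and the SSO fragment to lastpass-cli through pinentry. The following is an added illustration of what such a pinentry shim has to speak; it is not the author's shim, not part of lastpass-cli, and not code from this PR. It implements the Assuan request/response subset a pinentry program sees (SETDESC, SETPROMPT, GETPIN, CONFIRM, BYE), and chooses which secret to return by looking for the word "fragment" in the prompt text, which is an assumption about how the patched CLI labels its second prompt. It also refuses to load a secrets file that is readable by other users, since whatever supplies the master password to the CLI is as sensitive as the vault itself.

```python
"""Minimal pinentry-protocol shim (added example, not the PR author's code).

lastpass-cli launches the program named by LPASS_PINENTRY and talks Assuan to
it over stdin/stdout.  This shim answers GETPIN from an in-memory dict instead
of prompting a human, so a separate login client (such as the Electron app
described in the thread) can stage the secrets for it.
"""
import os
import stat
import sys
from typing import Dict, List


def assuan_escape(value: str) -> str:
    """Percent-escape the characters Assuan forbids in a 'D' data line."""
    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def secret_file_is_private(mode: int) -> bool:
    """True if the mode bits grant no group/other access (e.g. 0o600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_secrets(path: str) -> Dict[str, str]:
    """Read 'password=' and 'fragment=' lines from a file owned only by us.

    Refusing world/group-readable files is the defensive caveat here: the
    hidden master password is equivalent to the vault.
    """
    st = os.stat(path)
    if not secret_file_is_private(stat.S_IMODE(st.st_mode)):
        raise PermissionError(f"{path} must not be group/world readable")
    secrets: Dict[str, str] = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            if "=" in line:
                key, _, val = line.partition("=")
                secrets[key.strip()] = val
    return secrets


class PinentryShim:
    """State machine for one pinentry session."""

    # Commands the caller may send that we simply acknowledge.
    _ACK = {"SETTITLE", "SETOK", "SETCANCEL", "SETERROR", "SETNOTOK",
            "SETQUALITYBAR", "OPTION", "GETINFO", "RESET", "NOP"}

    def __init__(self, secrets: Dict[str, str]):
        self.secrets = secrets
        self.desc = ""
        self.prompt = ""
        self.closed = False

    def _wanted_key(self) -> str:
        # Assumption: the patched CLI mentions "fragment" when asking for the
        # SSO fragment, and asks for the master password otherwise.
        text = (self.desc + " " + self.prompt).lower()
        return "fragment" if "fragment" in text else "password"

    def handle(self, line: str) -> List[str]:
        """Return the response lines for one Assuan command line."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "SETDESC":
            self.desc = arg
            return ["OK"]
        if cmd == "SETPROMPT":
            self.prompt = arg
            return ["OK"]
        if cmd == "GETPIN":
            key = self._wanted_key()
            if key not in self.secrets:
                return ["ERR 83886179 Operation cancelled"]  # GPG_ERR_CANCELED
            return ["D " + assuan_escape(self.secrets[key]), "OK"]
        if cmd == "CONFIRM":
            return ["OK"]
        if cmd == "BYE":
            self.closed = True
            return ["OK closing connection"]
        if cmd in self._ACK:
            return ["OK"]
        return ["ERR 275 Unknown command"]  # GPG_ERR_ASS_UNKNOWN_CMD


def serve(secrets: Dict[str, str]) -> None:
    """Drive the shim over stdin/stdout until BYE or EOF."""
    shim = PinentryShim(secrets)
    sys.stdout.write("OK Pleased to meet you\n")
    sys.stdout.flush()
    for line in sys.stdin:
        for out in shim.handle(line):
            sys.stdout.write(out + "\n")
        sys.stdout.flush()
        if shim.closed:
            break


if __name__ == "__main__":
    # Path is an assumption for the example; the staging client would write it.
    serve(load_secrets(os.environ.get("LPASS_SSO_SECRETS", "sso-secrets.txt")))
```

Pointing LPASS_PINENTRY at this script makes lpass receive the staged password and fragment without a GUI prompt; the permission check on the secrets file is the part worth keeping whatever the transport ends up being.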