joshgch
commented
1 year ago Hey @monde , is this something that will be fixed in the future? This is causing an issue for us as we need both Web and CLI access to support ODT and Phish Resistant factors.
Open monde opened 1 year ago
joshgch
commented
1 year ago Hey @monde , is this something that will be fixed in the future? This is causing an issue for us as we need both Web and CLI access to support ODT and Phish Resistant factors.
stargonautone
commented
1 year ago This is happening even without a Device State requirement (i.e. "AND Device state is" is set to "Any").
stargonautone
commented
1 year ago HTTP 400 errors caused by MFA challenge on our end were due to mismatched policy between Native OIDC app and AWS Account Federation SAML app. Issues were resolved by assigning the same (OIE) Authentication Policy to OIDC intermediary authZ and SAML authN apps.
Need to update the README noting there is not device posture support in AWS Federation App / web SSO token at this time. Therefore it is not possible to achieve this in the okta-aws-cli.
Background notes:
“When device state is required in the authentication policy the processing on the AWS Application will fail to either the catch-all rule or alternative rule preventing aal3+ device trust requirements.”
"We have no means of collecting device posture on the token exchange call, so rules with that condition will not be hit"
"We are planning on greater investments to web_sso_token, expanding it to other use cases"