oktadev / okta-aws-cli-assume-role

Okta AWS CLI Assume Role Tool
Apache License 2.0

Setup for Spoke/Hub Model #24

Closed joaquinrinaudo-olx closed 6 years ago

joaquinrinaudo-olx commented 7 years ago

Hello, I wanted to ask if this tool supports the Spoke/Hub model?

When pointing OKTA_AWS_APP_URL and OKTA_ORG to the Hub, it works. When changing these variables to the Spoke I get:
16:55:28.957 [main] ERROR com.okta.tools.awscli - You do not have access to AWS through Okta. Please contact your administrator.

The AWS application nevertheless is working fine in the browser.

Best regards, Joaquín

joelfranusic-okta commented 7 years ago

Interesting. Have you verified that the OKTA_AWS_APP_URL is correct for the spoke? I would suggest reaching out to developers@okta.com for support on this, since helping you get this working will likely involve looking at settings on your Okta orgs, which isn't really appropriate for a public forum.

joaquinrinaudo-olx commented 7 years ago

Hello, I've reached them about this. In the Spoke model, when using the ORG_TO_ORG link in the OKTA_AWS_APP_URL we have problems with this line https://github.com/oktadeveloper/okta-aws-cli-assume-role/blob/4dbfb4a7d7ddfb85e5567781d55e3736421c9282/src/main/java/com/okta/tools/awscli.java#L344 because there's already a RelayState parameter in the URL.

Tried using a one-time session token and then using curl to https://ORG.okta.com/app/okta_org2org/HASH/sso/saml?RelayState=/home/amazon_aws/HASH/ID&onetimetoken=TOKEN https://olx-central.okta.com/app/okta_org2org/HASH/sso/saml?RelayState=/home/amazon_aws/HASH2/272. When doing this, the SAMLResponse doesn't have any AWS keywords.

Best regards,


gandhes commented 7 years ago

I am having the same issue. Was there a fix?

anjumr commented 7 years ago

Hello,

I'm getting the same problem while implementing it on my laptop (Win 10). Can someone please assist me?

```
java -classpath oktaawscli.jar;../lib/aws-java-sdk-1.11.141.jar com.okta.tools.awscli
Username: razique.anjum
Password:
12:00:58 [main] ERROR com.okta.tools.awscli - You do not have access to AWS through Okta. Please contact your administrator.
```

OKTA_AWS_APP_URL is also correct, and I have the access and no issue while accessing it in the browser.

Thanks, Razique

etendards commented 6 years ago

I am now getting this error as well. Is there a fix? What URL should I be using? We have a single AWS cred account and a single Okta app.

AlainODea commented 6 years ago

@etendards

I suspect you have no AWS roles assigned to you in your Amazon Web Services Okta app.

You should make sure:

  1. provisioning is enabled on your Amazon Web Services Okta app
  2. the IAM credentials it has can read your AWS account’s IAM Roles
  3. your AWS account’s IAM Roles have a trust relationship allowing your Okta Identity Provider to use them
  4. your AWS account’s IAM Roles have a policy allowing them to assumeRole on themselves (strange, but true)

You should use the App Embed URL.

It might be worth stepping through the setup instructions for the Amazon Web Services Okta app provided on its sign-in tab in the admin console.
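Items 3 and 4 of the checklist above are IAM policy documents. The following is an added example (not code from this project or from the commenter) that builds the two documents for a single role and checks them offline; the account id, SAML provider ARN and role ARN are constructed placeholders.

```python
# Added example: the role trust policy (item 3) and the self-assume policy
# (item 4) from the checklist above, plus offline checks for both.
# All identifiers below are constructed placeholders, not real resources.
ACCOUNT_ID = "123456789012"
OKTA_IDP_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/Okta"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/OktaReadOnly"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def trust_policy_for_okta(idp_arn: str) -> dict:
    """Trust policy: only SAML assertions issued by the Okta IdP, and only
    those addressed to the AWS sign-in endpoint, may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": idp_arn},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
    }]}


def self_assume_policy(role_arn: str) -> dict:
    """Inline policy letting the role call sts:AssumeRole on itself."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn,
    }]}


def _as_list(value):
    # IAM allows a single string or a list in Principal/Action/Resource.
    return value if isinstance(value, list) else [value]


def trust_allows_idp(trust: dict, idp_arn: str) -> bool:
    """True only if an Allow statement grants AssumeRoleWithSAML to idp_arn
    AND pins SAML:aud to AWS; a trust policy with no audience check fails."""
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principals = _as_list(st.get("Principal", {}).get("Federated", []))
        if idp_arn not in principals:
            continue
        if "sts:AssumeRoleWithSAML" not in _as_list(st.get("Action", [])):
            continue
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud == AWS_SAML_AUDIENCE:
            return True
    return False


def role_can_self_assume(policy: dict, role_arn: str) -> bool:
    return any(st.get("Effect") == "Allow"
               and "sts:AssumeRole" in _as_list(st.get("Action", []))
               and role_arn in _as_list(st.get("Resource", []))
               for st in policy.get("Statement", []))
```

The checks are deliberately strict: a trust policy that names the IdP but omits the `SAML:aud` condition is reported as not passing item 3.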

etendards commented 6 years ago

Our Okta Admin turned on App level MFA and that is why my script broke. This app only seems to work with Global MFA in Okta.

AlainODea commented 6 years ago

@etendards I’ll give app-level MFA a try in oktapreview and see if I can fix this. Thank you for the update 😊

AlainODea commented 6 years ago

I wasn't able to figure this out. I can't find docs on this, so I've reached out to the Okta Developers list for support. I'll keep you posted.

mmahadevan-okta commented 6 years ago

AFAIK, there is currently no support for App-Level MFA policies via the API, only the global one. Now, I think it may change with the OIDC flow. Will need one of the other experts to chime in here...

AlainODea commented 6 years ago

Thank you, @mmahadevan-okta. That seems to be what I've discovered after some troubleshooting. The App Embed Link presents an org sign-in form. I'm going to consider this unsolvable for the moment and pause it :)

etendards commented 6 years ago

Thank you all for looking into this. If anyone finds a way to do this with Okta MFA at the App level, please share. So far Okta has no solutions for this need.

AlainODea commented 6 years ago

@joaquinrinaudo-olx for hub and spoke with Amazon Web Services apps in the spokes, I think you would need to add novel support to this code base. It would be non-trivial to say the least.

There wouldn't be a single Amazon Web Services app, but many. This tool is only designed to support a single Amazon Web Services app. It's conceivable that setting the OKTA_AWS_APP_URL to the Okta2Okta (or other app you are using between hub and spokes) and adding a fromURI query param on it with the URL encoded path of the downstream Amazon Web Services app. Even then, this would still only support a single spoke.

I think it would be better for you to put a single Amazon Web Services app in the Hub org and grant access to distinct AWS accounts and roles by Okta Group or Active Directory Group. You don't lose precision of access, but you do wind up losing granularity of Okta administration of the Amazon Web Services app, if that was a design goal for your Hub/Spoke arrangement.

AlainODea commented 6 years ago

Once there is a release based on #109, you should be (in principle at least) able to get hub/spoke use of this working by setting OKTA_BROWSER_AUTH to true and OKTA_AWS_APP_URL to your hub Okta IdP URL assuming you have configured or appended the RelayState to it correctly.

msvechla commented 5 years ago

@AlainODea do you have an example on how to configure / append the RelayState correctly?

AlainODea commented 5 years ago

This is an analysis I did to tease apart how RelayState and fromURI work in Okta: https://gist.github.com/AlainODea/d92edeab5edc9eaa4be83fa4cf540267

AlainODea commented 5 years ago

FYI, please don’t @ me in general as I’m off this project now. https://github.com/oktadeveloper/okta-aws-cli-assume-role/issues/292