Open guillermo-menjivar opened 5 years ago
I had the same problem. I think the error is just non-descriptive.
What I did to resolve this:
Set your factor setting in the config.properties.
OKTA_MFA_CHOICE=OKTA.push
In Okta as sudo, go to Security -> Authentication. Under the Lock and Authentication there should be two windows you can click: Password and Sign On. Click Sign On.
Add a policy so that a factor is forced.
Same problem here for headless environments that don't have a browser. I want this to work from a Docker container that doesn't have a browser, or a headless Linux VM.
Is this supposed to work without a browser popup?? I set browser mode to false as suggested.
I get prompted from the Okta (for mfa) on my phone app after my creds, but then it dumps out the error below. So it is close to working.
Error is the
Exception in thread "main" com.okta.tools.saml.OktaSaml$PromptForFactorException: Unsupported App sign on rule: 'Prompt for factor'.
Please contact your administrator.
at com.okta.tools.saml.OktaSaml.getSamlResponseForAwsFromDocument(OktaSaml.java:69)
at com.okta.tools.saml.OktaSaml.getSamlResponseForAws(OktaSaml.java:55)
at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:48)
at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:132)
at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
at com.okta.tools.WithOkta.main(WithOkta.java:30)
@jvanzyl Is anyone looking into this?
Hello, could anyone get the solution for this problem?
@Iffmoreira @bfleming-ciena were you able to resolve this error?
Don't bother with this anymore. Look at AWS SSO. It is now available. Use the Okta IdP.
@bfleming-ciena I wanted to use aws-cli approach to access my aws account through okta... for which I was getting following error :
Token: 189043
Exception in thread "main" com.okta.tools.saml.OktaSaml$PromptForFactorException: Unsupported App sign on rule: 'Prompt for factor'.
Please contact your administrator.
at com.okta.tools.saml.OktaSaml.getSamlResponseForAwsFromDocument(OktaSaml.java:69)
at com.okta.tools.saml.OktaSaml.getSamlResponseForAws(OktaSaml.java:55)
at com.okta.tools.saml.OktaSaml.getSamlResponse(OktaSaml.java:48)
at com.okta.tools.OktaAwsCliAssumeRole.doRequest(OktaAwsCliAssumeRole.java:132)
at com.okta.tools.OktaAwsCliAssumeRole.run(OktaAwsCliAssumeRole.java:102)
at com.okta.tools.WithOkta.main(WithOkta.java:28)
So you are suggesting I change the approach? Can you explain a bit? Sorry, I am a bit new to this...
Study AWS SSO. You can use Okta as an identity provider. AWS SSO gives you a GUI for logging into accounts and you use the AWS CLI to generate temp creds to eliminate the need for IAM users. It will take time to learn. Use an Okta dev account to test. It's free, I think.
https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
Just in case anyone comes across this discussion like I did, I found that removing ~/.okta/cookies.properties solved the problem for me.
@mraible Is the Okta team aware of this?
@munir131 Probably not. I was one of the last ones watching this project and was let go on Feb 1. You could try the developer forums but you're unlikely to get any help since this is an unsupported project.
Describe the bug
I am mainly asking for guidance on what this exception is - I
When I run the MFA both SMS and PUSH I get the following exception https://github.com/oktadeveloper/okta-aws-cli-assume-role/blob/master/src/main/java/com/okta/tools/saml/OktaSaml.java#L69
I am trying to look for help on what is causing this error