pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

CyberArk SAML Authentication with Microsoft MFA #329

Closed derrickberg-dev closed 3 years ago

derrickberg-dev commented 3 years ago

Describe the issue When attempting to perform SAML authentication using Microsoft MFA, I am unable to authenticate.

To Reproduce Steps to reproduce the behavior:

  1. Setup CyberArk with SAML authentication using Microsoft's MFA with mobile device prompt method
  2. Attempt to authenticate using the SAML method
  3. Error is thrown "Failed to get SAMLResponse"

Expected behavior The SAML authentication to work with Microsoft's MFA, but I can tell by looking at the code that it wouldn't. I tried to do it manually with PowerShell, but I couldn't get PowerShell to hold more than 1 cookie from the session.

It seems that when authenticating with Microsoft's MFA, using the option for an authentication prompt to pop up on your mobile device, there is an embedded form being refreshed in the browser until you have accepted the prompt. I also have the option to use an OTP token, which I think I would much rather do than try to figure out how to get PowerShell to work with Microsoft's MFA, unless there is a PowerShell module that Microsoft has for this, but I couldn't find it. I can't figure out how I would cause Microsoft's MFA to go to OTP mode from CyberArk when it's defaulting to the prompt on a mobile device.

Environment

Additional context I've been using RADIUS authentication, but the CyberArk admin wants to switch to SAML.

pspete commented 3 years ago

Thanks for the report @derrickberg-dev – I’ll need to create a new dev environment to look at this (so any fix may take some time).

If you want to/are able to assist/contribute to development/testing it would be most welcome. The issue-329 branch has been created for this purpose.

The current SAML auth code included in the module is based on this gist.

pspete commented 3 years ago

An issue in the module which raised an error when attempting SAML authentication has been resolved. SAML auth under conditions where SSO using the default credentials to the IdP is possible now functions. Tested against ADFS on Server 2019.

A new "SAMLResponse" parameter has been added; this allows a user to provide their own SAML response to the module for use in the authentication flow. If needed, your own custom code can now be used to authenticate to the SAML provider where additional logic or credentials & 2FA are required to achieve this.

Changes are currently present in the Dev branch and will be released in the next published version of the module.
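As an added example of the custom-code route described above (this is not psPAS project code or the author's code): drive your own IdP flow in a single web session so every cookie persists, extract the SAMLResponse field from the IdP's returned form, check its destination and validity window before using it, then pass it to the module's SAMLResponse parameter. `$idpLoginUrl`, `$acs`, `$BaseURI` and the helper function names are assumptions; confirm the exact `New-PASSession` syntax against the released module's documentation.

```powershell
# Added example, not psPAS code. Assumed names: $idpLoginUrl (IdP entry URL),
# $acs (the PVWA SAML assertion consumer URL), $BaseURI (PVWA base URL).

function Get-SamlResponseFromHtml {
    # Extracts the hidden SAMLResponse field from the IdP's auto-submit form.
    # Returns $null when the page carries no such field, which is what an MFA
    # challenge page (the form refreshing until the prompt is approved) looks like.
    param([Parameter(Mandatory)][string]$Html)
    $m = [regex]::Match($Html, 'name="SAMLResponse"[^>]*value="([^"]+)"', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    return [System.Net.WebUtility]::HtmlDecode($m.Groups[1].Value)
}

function Test-SamlResponse {
    # Decodes the base64 response and checks the Destination and the assertion's
    # validity window before the value is sent to the vault. Signature validation
    # is the SP's job; this is a client-side sanity check only.
    param(
        [Parameter(Mandatory)][string]$SAMLResponse,
        [Parameter(Mandatory)][string]$ExpectedDestination
    )
    $xml = [xml][System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SAMLResponse))
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $resp = $xml.SelectSingleNode('/samlp:Response', $ns)
    if ($resp.Destination -ne $ExpectedDestination) {
        throw "SAMLResponse Destination '$($resp.Destination)' does not match '$ExpectedDestination'"
    }
    $cond = $xml.SelectSingleNode('//saml:Conditions', $ns)
    $now  = [DateTime]::UtcNow
    if ($cond.NotBefore -and $now -lt [DateTimeOffset]::Parse($cond.NotBefore).UtcDateTime) {
        throw "SAML assertion is not yet valid (NotBefore $($cond.NotBefore))"
    }
    if ($cond.NotOnOrAfter -and $now -ge [DateTimeOffset]::Parse($cond.NotOnOrAfter).UtcDateTime) {
        throw "SAML assertion has expired (NotOnOrAfter $($cond.NotOnOrAfter))"
    }
    return $true
}

# One WebRequestSession keeps every cookie the IdP sets across redirects and
# MFA pages; repeat the request with -WebSession until the form contains SAMLResponse.
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$html = (Invoke-WebRequest -Uri $idpLoginUrl -WebSession $session -UseBasicParsing).Content
$saml = Get-SamlResponseFromHtml -Html $html
if (-not $saml) { throw 'Failed to get SAMLResponse: IdP page has no SAMLResponse field (MFA not completed?)' }
if (Test-SamlResponse -SAMLResponse $saml -ExpectedDestination $acs) {
    New-PASSession -BaseURI $BaseURI -SAMLResponse $saml
}
```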

aitayi1982 commented 3 years ago

Hi Team. Good news for SAML auth. Could you please advise when we can use this new function, or is there any beta version which we can use to test SAML? Thanks.