pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

New-PASSession returns 'page cannot be displayed' error when working with SAML verification (Okta) #370

Closed. aitayi1982 closed this 2 years ago

aitayi1982 commented 3 years ago

Describe the issue Use New-PASSession to auth with saml , but command return error:

PS C:\Documents> $cred=Get-Credential
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\Documents> New-PASSession -Credential $cred -BaseURI https://pvwa-xx -type RADIUS -OTPMode Challenge
Invoke-PASRestMethod : The page cannot be displayed because an internal server error has occurred
At line:510 char:19

To Reproduce Steps to reproduce the behavior:

  1. Issue New-PASSession; it returns the errors above.

Expected behavior Expected a message from the server requiring a one-time passcode to be entered.

Screenshots & Console Output

Console Output Code Block:

Invoke-PASRestMethod : The page cannot be displayed because an internal server error has occurred
At line:510 char:19
+                 $PASSession = Invoke-PASRestMethod @LogonRequest
+                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The page cannot...r has occurred.:ErrorRecord) [Invoke-PASRestMethod], Exception
    + FullyQualifiedErrorId : 500,Invoke-PASRestMethod


aitayi1982 commented 3 years ago

Additional message: Get-Module returns psPAS version 5.1.37, but Get-Command -Module psPAS shows all commands at version 3.2.37.

Get-Module -ListAvailable psPAS

    Directory: C:\Users\E015576\Documents\WindowsPowerShell\Modules

ModuleType Version Name  ExportedCommands
---------- ------- ----  ----------------
Script     5.1.37  psPAS {New-PASSession, Close-PASSession, Add-PASPublicSSHKey, Ge...

==================
PS C:\Users\E015576\Documents> Get-Command -Module psPAS

CommandType Name                                    Version Source
----------- ----                                    ------- ------
Function    Add-PASAccount                          3.2.37  psPAS
Function    Add-PASAccountACL                       3.2.37  psPAS
Function    Add-PASAccountGroupMember               3.2.37  psPAS
Function    Add-PASApplication                      3.2.37  psPAS
Function    Add-PASApplicationAuthenticationMethod  3.2.37  psPAS
Function    Add-PASDirectory                        3.2.37  psPAS
Function    Add-PASDiscoveredAccount                3.2.37  psPAS
Function    Add-PASGroupMember                      3.2.37  psPAS
Function    Add-PASPendingAccount                   3.2.37  psPAS
Function    Add-PASPolicyACL                        3.2.37  psPAS
Function    Add-PASPTARule                          3.2.37  psPAS
Function    Add-PASPublicSSHKey                     3.2.37  psPAS
Function    Add-PASSafe                             3.2.37  psPAS
Function    Add-PASSafeMember                       3.2.37  psPAS
Function    Approve-PASRequest                      3.2.37  psPAS
Function    Close-PASSession                        3.2.37  psPAS
Function    Connect-PASPSMSession                   3.2.37  psPAS
Function    Deny-PASRequest                         3.2.37  psPAS
Function    Export-PASPlatform                      3.2.37  psPAS
Function    Export-PASPSMRecording                  3.2.37  psPAS

pspete commented 3 years ago

You're specifying RADIUS parameters, not SAML.

https://pspas.pspete.dev/commands/New-PASSession#example-20

aitayi1982 commented 3 years ago

Thanks for the quick response. How can I make this work with SAML? It would be a great help if you could provide sample code. For example, in the normal case I have to open a browser, go to "https://mycyberark.com/", then use my ID/password to log in. After login, the page shows me a button which I need to click to send a request to my phone. After clicking the button on this page, my phone (the Okta Verify app on iPhone, or just a message which contains a passcode) receives a message. I have to verify this message and take some action (click the "Yes, it's me" button in the Okta Verify app on my iPhone, or fill in the passcode received by message on the web page) to confirm the login action was triggered by myself. Then I can successfully log in to CyberArk. How can I implement this login in PowerShell and get the login session? Thanks in advance.

aitayi1982 commented 3 years ago

Just appending the screenshots below.

  1. Open a browser and go to https://pvwa-xxx.biz; I am redirected to xxx.okta.com.

  2. Click 'Next', which redirects to https://xxx.okta.com/signin/verify/okta/password. After inputting my password, click 'Verify'.

  3. The page is redirected to https://xxx.okta.com/signin/verify/okta/push (on this page I can also choose to enter a code/passcode). I chose 'Send Push' and clicked it.

  4. My phone (iPhone 6S Plus) app (called "Okta Verify") receives a message which needs my action to confirm 'Yes, It's Me'; I click this button to confirm the action was raised by myself.

  5. The response is sent successfully.

  6. Then I can log in to CyberArk.

pspete commented 3 years ago

Hi @aitayi1982 - psPAS is based on the API documentation for CyberArk PAS only; Okta is obviously a completely separate technology/company/process. Perhaps you can request & share code or instructions from Okta on how to authenticate to their solution programmatically using PowerShell in order to get the SAMLResponse value?

allynl93 commented 3 years ago

Hi @aitayi1982,

Check out: https://github.com/allynl93/PS-SAML-Interactive

From reading this thread, it sounds like what you're looking for? It's a PS Module that will display a web form, allow you to do your SAML Authentication and return the response for use in the psPAS module.

Prerequisites from a CyberArk perspective, add EnableIdPInitiatedSso to the PVWA config. Details can be found at: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/SAML-Authentication.htm?Highlight=EnableIdPInitiatedSso

Once that's enabled, grab the "Embed Link" from your OKTA app console. You'll need to pass this to the New-SAMLInteractive function.

Example:

Import-Module -Name 'C:\PS-SAML-Interactive.psm1'

# IdP-initiated "Embed Link" of the PVWA application, taken from the Okta app console
$loginURL = 'https://company.okta.com/home/app1/0oa11xddwdzhvlbiZ5d7/aln1k2HsUl5d7'
$baseURL = 'https://pvwa.mycompany.com'

# Shows a web form for the interactive Okta login (password, push/OTP) and returns the SAMLResponse value
$loginResponse = New-SAMLInteractive -LoginIDP $loginURL

# Hand the SAMLResponse to the PVWA REST API to establish the psPAS session
New-PASSession -SAMLAuth -concurrentSession $true -BaseURI $baseURL -SAMLResponse $loginResponse

Hope this helps.

pspete commented 3 years ago

Check out: https://github.com/allynl93/PS-SAML-Interactive

Fantastic work @allynl93 - this is a great solution 👍🏼

Hope you don't mind if I add links to this tool in the psPAS documentation 😄 !?

allynl93 commented 3 years ago

@pspete Of course not, please feel free! Hopefully help many others looking for a similar solution.

aitayi1982 commented 3 years ago

Thanks for your help. But it seems this does not work for me. After executing New-SAMLInteractive -LoginIDP $loginURL, I get a popup window showing the message below,

then after 3s the page turns into a blank page, with nothing shown. PS: I will check with the CyberArk server side to confirm whether EnableIdPInitiatedSso is enabled.

pspete commented 3 years ago

@aitayi1982 - please also confirm what okta suggest as the solution for your configuration.

aitayi1982 commented 3 years ago

Hi Team

I can get the SAML response now, but when I run the psPAS commands I get an error and cannot get any result:

$loginURL = 'https://pvwa-xxx.biz'
PS C:> $loginResponse = New-SAMLInteractive -LoginIDP $loginURL
(I input my ID/password and send the push in the CyberArk/Okta form in the inner window.)

PS C:> $baseURL = 'https://pvwa-xxx.biz'
PS C:> New-PASSession -SAMLAuth -concurrentSession $true -BaseURI $baseURL -SAMLResponse $loginResponse
PS C:> Write-Host $loginResponse

PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIERlc3RpbmF0aW9uxxx....

PS C:> Get-PASLoggedOnUser
Invoke-WebRequest : Specified value has invalid CRLF characters.
Parameter name: value
At line:216 char:19

pspete commented 3 years ago

So no error returned from New-PASSession? Do you see an authorisation header included in the output of Get-PASSession? Does it contain "invalid CRLF characters" as the error suggests?
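One way to rule out the CRLF problem before the value ever reaches Invoke-WebRequest, as an added example that is not part of psPAS or PS-SAML-Interactive: decode the SAMLResponse that New-SAMLInteractive returns, confirm it is a SAML 2.0 Response whose Destination points at the PVWA, and strip any stray CR/LF before handing it to New-PASSession. The sample response, the host names and the ACS path in it are constructed placeholders, not values from this thread, and Test-SAMLResponse is a hypothetical helper written for this example.

```powershell
# Added example (not psPAS or PS-SAML-Interactive code): sanity-check a SAMLResponse value
# before passing it to New-PASSession -SAMLResponse.
# Assumption: $SAMLResponse is the Base64 string a browser would POST as the SAMLResponse
# form field, which is what New-SAMLInteractive returns.
function Test-SAMLResponse {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SAMLResponse,
        [Parameter(Mandatory)][string]$BaseURI
    )

    # 1. HTTP header values may not contain CR or LF. A token copied from a wrapped console
    #    carries them and produces "Specified value has invalid CRLF characters".
    $hasCrLf = $SAMLResponse -match "[`r`n]"
    $clean   = $SAMLResponse -replace "[`r`n]", ''

    # 2. Decode the Base64 envelope into the SAML 2.0 <Response> XML.
    try {
        $xmlText = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($clean))
    } catch {
        throw "SAMLResponse is not valid Base64: $($_.Exception.Message)"
    }
    [xml]$doc = $xmlText
    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'Response' -or $root.NamespaceURI -ne 'urn:oasis:names:tc:SAML:2.0:protocol') {
        throw "Decoded document is <$($root.Name)>, not a SAML 2.0 <Response>"
    }

    # 3. Destination must be an endpoint on the PVWA you are logging on to; a mismatch means the
    #    IdP application is configured for a different ACS URL.
    $destination   = $root.GetAttribute('Destination')
    $destinationOk = $destination -like "$($BaseURI.TrimEnd('/'))/*"

    # 4. Read status, subject and validity window from the assertion.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $statusCode   = $doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode/@Value', $ns).Value
    $nameId       = $doc.SelectSingleNode('/samlp:Response/saml:Assertion/saml:Subject/saml:NameID', $ns).InnerText
    $notOnOrAfter = $doc.SelectSingleNode('/samlp:Response/saml:Assertion/saml:Conditions/@NotOnOrAfter', $ns).Value
    $expiry = [System.Xml.XmlConvert]::ToDateTime($notOnOrAfter, [System.Xml.XmlDateTimeSerializationMode]::Utc)

    [pscustomobject]@{
        HasCrLf       = $hasCrLf
        Issuer        = $doc.SelectSingleNode('/samlp:Response/saml:Issuer', $ns).InnerText
        Destination   = $destination
        DestinationOk = $destinationOk
        Success       = $statusCode -eq 'urn:oasis:names:tc:SAML:2.0:status:Success'
        NameID        = $nameId
        Expired       = $expiry -lt [datetime]::UtcNow
        CleanResponse = $clean   # single-line value safe to pass to New-PASSession
    }
}

# Constructed sample: a minimal, unsigned SAML 2.0 Response. A real Okta response is signed and
# much larger; pvwa.example.com, the ACS path and the issuer are placeholders.
$sampleXml = @"
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://pvwa.example.com/PasswordVault/api/auth/SAML/Logon" ID="_1" Version="2.0" IssueInstant="2021-06-01T10:00:00Z">
  <saml2:Issuer>http://www.okta.com/exk1example</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_2" Version="2.0" IssueInstant="2021-06-01T10:00:00Z">
    <saml2:Issuer>http://www.okta.com/exk1example</saml2:Issuer>
    <saml2:Subject><saml2:NameID>user@example.com</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2021-06-01T09:55:00Z" NotOnOrAfter="2021-06-01T10:05:00Z"/>
  </saml2:Assertion>
</saml2p:Response>
"@
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleXml))
# Simulate a value that picked up a line break on its way through the console.
$wrapped = $encoded.Insert(76, "`r`n")

$check = Test-SAMLResponse -SAMLResponse $wrapped -BaseURI 'https://pvwa.example.com'
$check | Format-List
# Only pass the cleaned value on once DestinationOk and Success are true (and Expired is false):
# New-PASSession -SAMLAuth -BaseURI 'https://pvwa.example.com' -SAMLResponse $check.CleanResponse
```

Run it against the real $loginResponse: if HasCrLf is true, CleanResponse is the value to hand to New-PASSession; if DestinationOk is false, the Okta application is configured with an ACS URL that does not match the PVWA you are logging on to. The check does not validate the IdP signature; the PVWA does that when it consumes the response.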

pspete commented 3 years ago

Also, you've noted the version requirements for SAML authentication via REST API? https://pspas.pspete.dev/commands/New-PASSession#-samlauth

11.4 is required as this is when SAML authentication was reintroduced as an API authentication option: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/11.4/en/Content/Release%20Notes/RN-WhatsNew11-4.htm#SAMLAuthenticationusingRESTAPI

You may have some luck using the Gen1API: https://pspas.pspete.dev/commands/New-PASSession#example-21

aitayi1982 commented 3 years ago

Hi @pspete, both of the New-PASSession commands below run without error and return successfully. Please check my screenshot below:

New-PASSession -SAMLAuth -concurrentSession $true -BaseURI $baseURL -SAMLResponse $loginResponse
New-PASSession -BaseURI $baseURL -SAMLResponse $loginResponse

But the command below with the Gen1 API gets an error:

New-PASSession -SAMLResponse $loginResponse -UseGen1API -BaseURI $baseURL

pspete commented 3 years ago

Already highlighted that 10.5 is lower than the 11.4 version requirement for the second command in your screenshot. Have you investigated the "500 Server Error" when specifying -UseGen1API? There are numerous other issues you can refer to on this, usually resolved by the troubleshooting steps in the CyberArk docs: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/Implementing%20Privileged%20Account%20Security%20Web%20Services%20.htm?tocpath=Developer%7CREST%20APIs%7C_____0#rest api-does-not-work

aitayi1982 commented 3 years ago

Is there any old psPAS version that can work with our 10.5 CyberArk? Thanks in advance.

pspete commented 3 years ago

That's not really how it works. Each PAS version has different capabilities around the API; psPAS just sends requests. Did you check the HTTPS bindings in web.config?

aitayi1982 commented 3 years ago

Thank you. Our vendor is working on upgrading CyberArk to V12. I will update whether psPAS SAML works for me once we have upgraded to V12.

pspete commented 2 years ago

Closing as there has been no update for a number of months.