saml2aws doesn't appear to support pin entry with FIDO2/Okta #1382

Open
cdoughty-r7 opened this issue Jan 17, 2025 · 0 comments
Description:

We're setting up FIDO2 YubiKeys with Okta and found that even though Okta will prompt in the UI for a PIN, saml2aws will not.

Details:

  • MacOS 14.7.2 (23H311)
  • Okta: [Version 2025.01.0 E]
  • saml2aws: 2.36.18

When enforcing, the following stack trace is thrown:

✗ saml2aws login --force --verbose
DEBU[0000] Running                                       command=login
DEBU[0000] Check if creds exist.                         command=login
DEBU[0000] Expand                                        name=<REDACTED> pkg=awsconfig
DEBU[0000] resolveSymlink                                name=<REDACTED> pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=<REDACTED> pkg=awsconfig
Using IdP Account default to access Okta <REDACTED>
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="<REDACTED>"
DEBU[0000] Get credentials                               helper=osxkeychain user=<REDACTED>
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="<REDACTED>"
DEBU[0000] Get credentials                               helper=osxkeychain user=<REDACTED>
To use saved password just hit enter.
? Username <REDACTED>
? Password

DEBU[0001] building provider                             command=login idpAccount="account {\n  DisableSessions: false\n  DisableRememberDevice: false\n  URL: <REDACTED>\n  Username: <REDACTED>\n  Provider: Okta\n  MFA: FIDO\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 3600\n  Profile: default\n  RoleARN: \n  Region: <REDACTED>\n}"
DEBU[0001] okta | disableSessions: false                 provider=okta
DEBU[0001] okta | rememberDevice: true                   provider=okta
Authenticating as <REDACTED> ...
DEBU[0001] auth with session func called                 provider=okta
DEBU[0001] validate session func called                  provider=okta
DEBU[0001] HTTP Req                                      URL="<REDACTED>" http=client method=GET
DEBU[0002] HTTP Req                                      URL="<REDACTED>" http=client method=POST
DEBU[0003] HTTP Res                                      Status="200 OK" http=client
DEBU[0003] MFA                                           factorID=<REDACTED> mfaIdentifer="FIDO WEBAUTHN" oktaVerify="<REDACTED>" provider=okta
DEBU[0003] HTTP Req                                      URL="<REDACTED>?rememberDevice=true" http=client method=POST
DEBU[0003] HTTP Res                                      Status="200 OK" http=client
Touch the flashing U2F device to authenticate...
  ==> Touch accepted. Proceeding with authentication
DEBU[0005] HTTP Req                                      URL="<REDACTED>" http=client method=POST
request for url: <REDACTED> failed status: 400 Bad Request
github.com/versent/saml2aws/v2/pkg/provider.SuccessOrRedirectResponseValidator
	github.com/versent/saml2aws/v2/pkg/provider/http.go:168
github.com/versent/saml2aws/v2/pkg/provider.(*HTTPClient).Do
	github.com/versent/saml2aws/v2/pkg/provider/http.go:113
github.com/versent/saml2aws/v2/pkg/provider/okta.fidoWebAuthn
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:1403
github.com/versent/saml2aws/v2/pkg/provider/okta.verifyMfa
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:1311
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:483
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:302
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:465
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:197
runtime.main
	runtime/proc.go:272
runtime.goexit
	runtime/asm_amd64.s:1700
error retrieving verify response
github.com/versent/saml2aws/v2/pkg/provider/okta.fidoWebAuthn
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:1405
github.com/versent/saml2aws/v2/pkg/provider/okta.verifyMfa
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:1311
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:483
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:302
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:465
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:197
runtime.main
	runtime/proc.go:272
runtime.goexit
	runtime/asm_amd64.s:1700
error verifying MFA
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:485
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:302
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:465
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:197
runtime.main
	runtime/proc.go:272
runtime.goexit
	runtime/asm_amd64.s:1700
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:109
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:197
runtime.main
	runtime/proc.go:272
runtime.goexit
	runtime/asm_amd64.s:1700

Workaround

You can set the provider to "Browser" and then use --download-browser-driver at login, but launching a browser is a less than ideal method of authenticating a command-line tool that has options to support PIN entry.

Would love to know if there's a workaround, patch or path we're missing. Thanks.

Related to: #419 (comment)
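The behaviour described in the issue (Okta asking for a PIN in the browser, saml2aws only asking for a touch) maps onto the WebAuthn distinction between user presence (UP, a touch) and user verification (UV, a PIN or biometric on a FIDO2/CTAP2 authenticator). A relying party whose policy requires a PIN rejects an assertion whose authenticator data carries only the UP flag. The Go program below is an added example, not code from saml2aws or Okta: it parses the fixed header of WebAuthn authenticatorData and applies the relying-party checks (RP ID hash, UP, and UV when required). The RP ID "example.okta.com" and the two sample authenticatorData blobs are constructed for illustration; the issue does not show Okta's 400 response body, so this demonstrates the check a PIN-requiring policy makes, not a diagnosis of the specific failure.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// WebAuthn authenticator data flag bits (WebAuthn Level 2, section 6.1).
const (
	FlagUP = 0x01 // user present: the authenticator was touched
	FlagUV = 0x04 // user verified: PIN or biometric checked by a FIDO2/CTAP2 authenticator
	FlagAT = 0x40 // attested credential data follows (registration only)
	FlagED = 0x80 // extension data follows
)

// AuthData is the fixed 37-byte prefix of WebAuthn authenticatorData.
type AuthData struct {
	RPIDHash  [32]byte
	Flags     byte
	SignCount uint32
}

// ParseAuthData decodes the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian).
func ParseAuthData(raw []byte) (AuthData, error) {
	if len(raw) < 37 {
		return AuthData{}, fmt.Errorf("authenticatorData too short: %d bytes", len(raw))
	}
	var ad AuthData
	copy(ad.RPIDHash[:], raw[:32])
	ad.Flags = raw[32]
	ad.SignCount = binary.BigEndian.Uint32(raw[33:37])
	return ad, nil
}

// VerifyAssertionFlags applies the relying-party checks that decide whether an
// assertion satisfies policy: the RP ID hash must match, the user must be present,
// and when the policy requires user verification the UV bit must be set.
func VerifyAssertionFlags(raw []byte, rpID string, requireUV bool) error {
	ad, err := ParseAuthData(raw)
	if err != nil {
		return err
	}
	if ad.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return errors.New("rpIdHash does not match the relying party ID")
	}
	if ad.Flags&FlagUP == 0 {
		return errors.New("user presence (UP) flag not set")
	}
	if requireUV && ad.Flags&FlagUV == 0 {
		return errors.New("policy requires user verification but UV flag is not set (touch-only, U2F-style assertion)")
	}
	return nil
}

// sampleAuthData builds a constructed authenticatorData blob for the two cases below.
func sampleAuthData(rpID string, flags byte, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := make([]byte, 0, 37)
	out = append(out, h[:]...)
	out = append(out, flags)
	out = binary.BigEndian.AppendUint32(out, signCount)
	return out
}

// demoRPID is a hypothetical relying party ID, not taken from the issue.
const demoRPID = "example.okta.com"

// TouchOnlyAssertion is what a CTAP1/U2F flow (touch, no PIN prompt) produces: UP only.
func TouchOnlyAssertion() []byte { return sampleAuthData(demoRPID, FlagUP, 7) }

// PINVerifiedAssertion is what a CTAP2 flow with PIN entry produces: UP and UV.
func PINVerifiedAssertion() []byte { return sampleAuthData(demoRPID, FlagUP|FlagUV, 8) }

func main() {
	cases := map[string][]byte{
		"touch-only":   TouchOnlyAssertion(),
		"pin-verified": PINVerifiedAssertion(),
	}
	for name, ad := range cases {
		err := VerifyAssertionFlags(ad, demoRPID, true)
		fmt.Printf("%-12s requireUV=true -> %v\n", name, err)
	}
}
```

With requireUV set, the touch-only assertion is rejected and the PIN-verified one is accepted; with requireUV false both pass. A client that only ever drives the CTAP1/U2F path cannot produce the UV bit, which is why PIN entry has to happen on the client side before the assertion is sent, rather than being something the server can prompt for afterwards.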
