AzureAD login with authenticator in outlook gets in loop before going to SAS/BeginAuth
kubinks opened this issue
When trying to authenticate with AzureAD against an account that uses "Microsoft Authenticator - Outlook Mobile", I am not receiving the authorization code (but the prompt to enter it on the mobile phone arrives); according to the verbose logs, saml2aws gets stuck right before this action.
```
saml2aws login -a <redacted>-test --verbose
DEBU[0000] Running command=login
DEBU[0000] Check if creds exist. command=login
DEBU[0000] Expand name=/Users/<redacted>/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink name=/Users/<redacted>/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists filename=/Users/<redacted>/.aws/credentials pkg=awsconfig
Using IdP Account <redacted>-test to access AzureAD https://account.activedirectory.windowsazure.com/
DEBU[0000] Get credentials helper=osxkeychain serverURL="https://account.activedirectory.windowsazure.com"
DEBU[0000] Get credentials helper=osxkeychain user=<redacted>@<redacted>.com
To use saved password just hit enter.
? Username <redacted>@<redacted>.com
? Password
DEBU[0000] building provider command=login idpAccount="account {\n AppID: <redacted>\n URL: https://account.activedirectory.windowsazure.com\n Username: <redacted>@<redacted>.com\n Provider: AzureAD\n MFA: PhoneAppNotification\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 14400\n Profile: <redacted>-test\n RoleARN: \n Region: eu-central-1\n}"
Authenticating as <redacted>@<redacted>.com ...
DEBU[0001] processing ConvergedSignIn provider=AzureAD
DEBU[0001] HTTP Req URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0002] HTTP Res Status="200 OK" http=client
DEBU[0002] HTTP Req URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0002] HTTP Res Status="200 OK" http=client
DEBU[0002] processing ConvergedProofUpRedirect provider=AzureAD
DEBU[0002] processing ConvergedProofUpRedirect provider=AzureAD
DEBU[0002] processing ConvergedProofUpRedirect provider=AzureAD
DEBU[0002] processing ConvergedProofUpRedirect provider=AzureAD
DEBU[0002] processing ConvergedProofUpRedirect provider=AzureAD
```
and this lasts indefinitely until the timeout...
- tested on saml2aws 2.36.6 and 2.36.10 on mac
- tested on saml2aws 2.36.6 and 2.36.10 on windows 10
- tested with mfa = Auto and mfa = PhoneAppNotification
- Default sign-in method (Preview) in AzureAD set to Microsoft Authenticator notification
The problem goes away as soon as the "typical" Microsoft Authenticator gets onboarded. So it occurs to me that saml2aws clearly has an issue with the authenticator in Outlook.
I saw the same issue, and I figured out saml2aws ignored `sErrorCode` in `processConvergedProofUpRedirect`. In this case, we got `sErrorCode=502031`.
| Error Code | 502031 |
|---|---|
| Message | User has not registered the authenticator app and registration is required. |
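The following is an added example, not saml2aws's own code, of what the commenter describes: extracting the `$Config` JSON from an Azure AD login response, failing hard when `sErrorCode` is set instead of re-entering the same page handler, and capping the number of page transitions so an unexpected redirect cycle cannot spin until the HTTP timeout. It assumes the login page embeds a `$Config={...};` object with string fields `pgid` and `sErrorCode` (only `sErrorCode=502031` and its message are taken from the thread; the `pgid` field name and the `$Config` layout are assumptions), and the sample response bodies are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// AzureConfig holds the few $Config fields this example inspects.
// The field names are assumptions about the Azure AD login page JSON;
// only sErrorCode (and the value 502031) comes from the issue above.
type AzureConfig struct {
	PageID    string `json:"pgid"`
	ErrorCode string `json:"sErrorCode"`
}

// ErrProofUpRequired maps error 502031 to a descriptive, comparable error.
var ErrProofUpRequired = errors.New("azuread: sErrorCode=502031: user has not registered the authenticator app and registration is required")

// configRe grabs the JSON object assigned to $Config in the page script.
var configRe = regexp.MustCompile(`(?s)\$Config\s*=\s*(\{.*?\});`)

// ExtractConfig pulls the $Config JSON blob out of a login page body.
func ExtractConfig(body string) (*AzureConfig, error) {
	m := configRe.FindStringSubmatch(body)
	if m == nil {
		return nil, errors.New("azuread: no $Config object found in response")
	}
	var cfg AzureConfig
	if err := json.Unmarshal([]byte(m[1]), &cfg); err != nil {
		return nil, fmt.Errorf("azuread: parse $Config: %w", err)
	}
	return &cfg, nil
}

// CheckConfigError turns a non-empty sErrorCode into a hard error so the
// caller surfaces the IdP's message instead of silently looping.
func CheckConfigError(cfg *AzureConfig) error {
	switch cfg.ErrorCode {
	case "":
		return nil
	case "502031":
		return ErrProofUpRequired
	default:
		return fmt.Errorf("azuread: IdP returned sErrorCode=%s on page %s", cfg.ErrorCode, cfg.PageID)
	}
}

// ProcessPages walks a sequence of response bodies the way a page-state
// loop would: it stops with an error on sErrorCode, returns nil once the
// IdP moves off the ConvergedProofUpRedirect page, and gives up after
// maxIter transitions. It returns the number of pages consumed.
func ProcessPages(pages []string, maxIter int) (int, error) {
	for i, body := range pages {
		if i >= maxIter {
			return i, fmt.Errorf("azuread: gave up after %d page transitions without progress", maxIter)
		}
		cfg, err := ExtractConfig(body)
		if err != nil {
			return i, err
		}
		if err := CheckConfigError(cfg); err != nil {
			return i + 1, err
		}
		if cfg.PageID != "ConvergedProofUpRedirect" {
			return i + 1, nil // moved on to the next step (e.g. the MFA prompt)
		}
	}
	return len(pages), errors.New("azuread: ran out of pages while still on ConvergedProofUpRedirect")
}

// Constructed sample responses for this example (not captured from Azure AD).
const proofUpPage = `<html><script>$Config={"pgid":"ConvergedProofUpRedirect","sErrorCode":"502031"};</script></html>`
const loopPage = `<html><script>$Config={"pgid":"ConvergedProofUpRedirect","sErrorCode":""};</script></html>`
const nextPage = `<html><script>$Config={"pgid":"ConvergedTFA","sErrorCode":""};</script></html>`

func main() {
	n, err := ProcessPages([]string{proofUpPage, proofUpPage, proofUpPage}, 10)
	fmt.Println("proof-up case:", n, err)
	n, err = ProcessPages([]string{loopPage, loopPage, loopPage, loopPage, loopPage}, 3)
	fmt.Println("cycle case:", n, err)
	n, err = ProcessPages([]string{loopPage, nextPage}, 10)
	fmt.Println("progress case:", n, err)
}
```

The two guards are independent: the `sErrorCode` check gives the user the actual IdP message (here, that authenticator registration is required), while the iteration cap is a backstop for any other page that returns the same `pgid` without an error code.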