Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP

Home Page:https://github.com/Versent/saml2aws


AzureAD login with authenticator in outlook gets in loop before going to SAS/BeginAuth

kubinks opened this issue · comments

When trying to authenticate with AzureAD towards the account which uses "Microsoft Authenticator - Outlook Mobile", I am not receiving an authorization code (but the prompt to enter it on the mobile phone arrives); according to the verbose logs, saml2aws gets stuck right before this action.

saml2aws login -a <redacted>-test --verbose
DEBU[0000] Running                                       command=login
DEBU[0000] Check if creds exist.                         command=login
DEBU[0000] Expand                                        name=/Users/<redacted>/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/Users/<redacted>/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/Users/<redacted>/.aws/credentials pkg=awsconfig
Using IdP Account <redacted>-test to access AzureAD https://account.activedirectory.windowsazure.com/
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://account.activedirectory.windowsazure.com"
DEBU[0000] Get credentials                               helper=osxkeychain user=<redacted>@<redacted>.com
To use saved password just hit enter.
? Username <redacted>@<redacted>.com
? Password

DEBU[0000] building provider                             command=login idpAccount="account {\n  AppID: <redacted>\n  URL: https://account.activedirectory.windowsazure.com\n  Username: <redacted>@<redacted>.com\n  Provider: AzureAD\n  MFA: PhoneAppNotification\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 14400\n  Profile: <redacted>-test\n  RoleARN: \n  Region: eu-central-1\n}"
Authenticating as <redacted>@<redacted>.com ...
DEBU[0001] processing ConvergedSignIn                    provider=AzureAD
DEBU[0001] HTTP Req                                      URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0002] HTTP Res                                      Status="200 OK" http=client
DEBU[0002] HTTP Req                                      URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0002] HTTP Res                                      Status="200 OK" http=client
DEBU[0002] processing ConvergedProofUpRedirect           provider=AzureAD
DEBU[0002] processing ConvergedProofUpRedirect           provider=AzureAD
DEBU[0002] processing ConvergedProofUpRedirect           provider=AzureAD
DEBU[0002] processing ConvergedProofUpRedirect           provider=AzureAD
DEBU[0002] processing ConvergedProofUpRedirect           provider=AzureAD

and this lasts indefinitely until t/o...

  • tested on saml2aws 2.36.6 and 2.36.10 on mac
  • tested on saml2aws 2.36.6 and 2.36.10 on windows 10
  • tested with mfa = Auto and mfa = PhoneAppNotification
  • Default sign-in method (Preview) in AzureAD set up to Microsoft Authenticator notification

The problem goes away as soon as the "typical" Microsoft Authenticator gets onboarded. So it occurs to me that saml2aws clearly has an issue with the authenticator in Outlook.

I saw the same issue, and I figured out that saml2aws ignored sErrorCode on processConvergedProofUpRedirect. In this case, we got sErrorCode=502031.

Error Code: 502031
Message: User has not registered the authenticator app and registration is required.

https://login.microsoftonline.com/error?code=502031
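As an added example (not saml2aws's own code), this shows how the provider loop could surface sErrorCode and stop, instead of re-processing ConvergedProofUpRedirect until the timeout. It assumes the sign-in page embeds its state as a `$Config={...};` script object, models only the sErrorCode field, and uses a constructed page body in place of the real response.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Subset of the `$Config={...};` object Azure AD embeds in its sign-in pages (assumption: only sErrorCode is modelled).
type azureConfig struct {
	ErrorCode string `json:"sErrorCode"`
}

// Constructed stand-in for the ConvergedProofUpRedirect page body seen in this issue.
const sampleProofUpPage = `<script>$Config={"sErrorCode":"502031","sErrTxt":"User has not registered the authenticator app and registration is required."};</script>`
var ErrRedirectLoop = errors.New("ConvergedProofUpRedirect loop: page repeats without an sErrorCode")

// parseAzureConfig decodes the $Config object; Decode reads one JSON value, so the trailing ";" is ignored.
func parseAzureConfig(body string) (*azureConfig, error) {
	i := strings.Index(body, "$Config=")
	if i < 0 {
		return nil, errors.New("no $Config object in response body")
	}
	var cfg azureConfig
	if err := json.NewDecoder(strings.NewReader(body[i+len("$Config="):])).Decode(&cfg); err != nil {
		return nil, fmt.Errorf("decode $Config: %w", err)
	}
	return &cfg, nil
}

// processProofUpRedirects walks redirect-page bodies and fails fast on the first sErrorCode (502031 here) or after maxRounds pages.
func processProofUpRedirects(pages []string, maxRounds int) (rounds int, err error) {
	for rounds < len(pages) && rounds < maxRounds {
		cfg, perr := parseAzureConfig(pages[rounds])
		rounds++
		if perr != nil {
			return rounds, perr
		}
		if cfg.ErrorCode != "" { // e.g. 502031: authenticator app registration required
			return rounds, fmt.Errorf("AzureAD error %s during proof-up redirect (https://login.microsoftonline.com/error?code=%s)", cfg.ErrorCode, cfg.ErrorCode)
		}
	}
	if rounds == maxRounds {
		return rounds, ErrRedirectLoop
	}
	return rounds, nil
}
```

With the sample page the loop stops after the first round with the 502031 error; a page that repeats without any error code trips the maxRounds guard instead of running until the timeout.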