Versent / saml2aws

CLI tool which enables you to log in and retrieve AWS temporary credentials using a SAML IdP

Home Page:https://github.com/Versent/saml2aws


Duo Universal Prompt support by saml2aws with Okta provider

zemliany opened this issue · comments

Hey, team! Are there any plans to add Duo Universal Prompt support to saml2aws, or any workarounds for such methods of authentication? Recently we've faced an issue: after switching from the Duo Prompt to the Duo Universal Prompt, saml2aws stopped working.

saml2aws verbose log

NOTE: <app_id>, <factor_id> and <account_id> values were omitted, and the company name was replaced with a pseudonym

> saml2aws login --cache-saml --skip-prompt --duo-mfa-option="Duo Push" --verbose
DEBU[0000] Running                                       command=login
DEBU[0000] Check if creds exist.                         command=login
DEBU[0000] Expand                                        name=/Users/zemliany/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/Users/zemliany/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/Users/zemliany/.aws/credentials pkg=awsconfig
Using IdP Account default to access Okta https://my.company.okta.com/home/amazon_aws/<app_id>/272
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://my.company.okta.com/home/amazon_aws/<app_id>/272"
DEBU[0000] Get credentials                               helper=osxkeychain user=zemliany@my.company.com
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://my.company.okta.com/home/amazon_aws/<app_id>/272/sessionCookie"
DEBU[0000] Get credentials                               helper=osxkeychain user=zemliany@my.company.com
DEBU[0000] building provider                             command=login idpAccount="account {\n  DisableSessions: false\n  DisableRememberDevice: false\n  URL: https://my.company.okta.com/home/amazon_aws/<app_id>/272\n  Username: zemliany@my.company.com\n  Provider: Okta\n  MFA: PUSH\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 28800\n  Profile: test-aws-profile\n  RoleARN: arn:aws:iam::<account_id>:role/SUPER-ADMIN\n  Region: \n}"
DEBU[0000] okta | disableSessions: false                 provider=okta
DEBU[0000] okta | rememberDevice: true                   provider=okta
DEBU[0000] resolveSymlink                                name=/Users/zemliany/.aws/saml2aws/cache_default pkg=samlcache
DEBU[0000] MFA Token expiry date:2024-02-08T17:30:20Z    Cache_file=/Users/zemliany/.aws/saml2aws/cache_default IdpAccount=default pkg=samlcache
DEBU[0000] Cache is invalid                              command=login
Authenticating as zemliany@my.company.com ...
DEBU[0000] auth with session func called                 provider=okta
DEBU[0000] validate session func called                  provider=okta
DEBU[0000] HTTP Req                                      URL="https://my.company.okta.com/api/v1/sessions/me" http=client method=GET
DEBU[0000] HTTP Res                                      Status="200 OK" http=client
DEBU[0000] okta session established                      provider=okta
DEBU[0000] valid okta session                            provider=okta
DEBU[0000] HTTP Req                                      URL="https://my.company.okta.com/home/amazon_aws/<app_id>/272" http=client method=GET
DEBU[0001] HTTP Res                                      Status="200 OK" http=client
DEBU[0001] follow func called from auth with session func  provider=okta
DEBU[0001] HTTP Req                                      URL="https://my.company.okta.com/home/amazon_aws/<app_id>/272" http=client method=GET
DEBU[0001] HTTP Res                                      Status="200 OK" http=client
DEBU[0001] HTTP Req                                      URL="https://my.company.okta.com/home/amazon_aws/<app_id>/272" http=client method=GET
DEBU[0001] HTTP Res                                      Status="200 OK" http=client
DEBU[0001] HTTP Req                                      URL="https://my.company.okta.com/api/v1/authn" http=client method=POST
DEBU[0002] HTTP Res                                      Status="200 OK" http=client
DEBU[0002] MFA                                           factorID=<factor_id> mfaIdentifer="CUSTOM CLAIMS_PROVIDER" oktaVerify="https://my.company.okta.com/api/v1/authn/factors/<factor_id>/verify?rememberDevice=true" provider=okta
unsupported mfa provider
github.com/versent/saml2aws/v2/pkg/provider/okta.getMfaChallengeContext
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:712
github.com/versent/saml2aws/v2/pkg/provider/okta.verifyMfa
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:806
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:481
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:567
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:335
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:463
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
  github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
  github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
  runtime/proc.go:267
runtime.goexit
  runtime/asm_amd64.s:1650
error verifying MFA
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:483
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:567
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:335
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:463
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
  github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
  github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
  runtime/proc.go:267
runtime.goexit
  runtime/asm_amd64.s:1650
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
  github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
  github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
  runtime/proc.go:267
runtime.goexit
  runtime/asm_amd64.s:1650 

Also, we found the following article: https://help.duo.com/s/article/6441?language=en_US
According to it, it seems the Duo Universal Prompt is intended to fight third-party / non-recommended tools. Is there any chance of adding support for the Universal Prompt, or is it not possible?

I'm running saml2aws on macOS Ventura 13.6.4

Thanks!

E.g. aws-adfs seems to support this Duo Universal Prompt feature: https://github.com/venth/aws-adfs/blob/master/aws_adfs/_duo_universal_prompt_authenticator.py
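The log above fails at factor selection: the Okta authn response offers only a factor identified as "CUSTOM CLAIMS_PROVIDER", and the client reports "unsupported mfa provider". The following is an added example, not saml2aws's own code, of how a client can decode an Okta MFA_REQUIRED response, pick the factor matching the user's requested option ("Duo Push" as in the command above), and surface a descriptive error listing what the IdP actually offered when none of its factors is supported. The JSON shape (`status`, `_embedded.factors[]` with `factorType` and `provider`) follows the Okta authn API as I know it, the samples are constructed, and the `<factor_id>` placeholder is the page's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Factor holds the fields of an Okta authn "_embedded.factors[]" entry that
// matter when choosing an MFA method (assumed shape for this example).
type Factor struct {
	ID         string `json:"id"`
	FactorType string `json:"factorType"`
	Provider   string `json:"provider"`
}

type authnResponse struct {
	Status   string `json:"status"`
	Embedded struct {
		Factors []Factor `json:"factors"`
	} `json:"_embedded"`
}

// ErrUnsupportedFactor is the "unsupported mfa provider" case from the log:
// the IdP offered only factor types this client does not implement.
var ErrUnsupportedFactor = errors.New("unsupported mfa provider")

// supported maps a user-facing option name to the "<PROVIDER> <FACTORTYPE>"
// identifier the client knows how to drive. "Duo Push" is the page's option;
// "Okta Push" is listed only to show the pattern.
var supported = map[string]string{
	"Duo Push":  "DUO PUSH",
	"Okta Push": "OKTA PUSH",
}

// Identifier renders a factor the way the saml2aws log prints it,
// e.g. "CUSTOM CLAIMS_PROVIDER" or "DUO PUSH".
func (f Factor) Identifier() string {
	return f.Provider + " " + strings.ToUpper(f.FactorType)
}

// SelectFactor decodes an authn response and returns the factor matching the
// requested option. When no offered factor is supported, the error names what
// the IdP offered, so a user can see that the IdP moved to a new factor type.
func SelectFactor(body []byte, option string) (Factor, error) {
	var resp authnResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return Factor{}, fmt.Errorf("decoding authn response: %w", err)
	}
	if resp.Status != "MFA_REQUIRED" {
		return Factor{}, fmt.Errorf("unexpected authn status %q", resp.Status)
	}
	want, ok := supported[option]
	if !ok {
		return Factor{}, fmt.Errorf("unknown MFA option %q", option)
	}
	var offered []string
	for _, f := range resp.Embedded.Factors {
		if f.Identifier() == want {
			return f, nil
		}
		offered = append(offered, f.Identifier())
	}
	return Factor{}, fmt.Errorf("%w: wanted %q, IdP offered [%s]",
		ErrUnsupportedFactor, want, strings.Join(offered, ", "))
}

// Constructed samples (not captured from a real tenant). The first mirrors the
// log above: the only factor is the custom claims-provider factor.
const sampleUniversalPrompt = `{"status":"MFA_REQUIRED","_embedded":{"factors":[
  {"id":"<factor_id>","factorType":"claims_provider","provider":"CUSTOM"}]}}`

const sampleClassicDuo = `{"status":"MFA_REQUIRED","_embedded":{"factors":[
  {"id":"<factor_id>","factorType":"push","provider":"DUO"}]}}`

func main() {
	for _, body := range []string{sampleClassicDuo, sampleUniversalPrompt} {
		f, err := SelectFactor([]byte(body), "Duo Push")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println("selected factor:", f.Identifier(), "id", f.ID)
	}
}
```

Run stand-alone, the classic sample selects "DUO PUSH" and the Universal Prompt sample yields `unsupported mfa provider: wanted "DUO PUSH", IdP offered [CUSTOM CLAIMS_PROVIDER]`, which tells the user which side changed.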

Any updates?

It sounds like this may be an issue with any use of Duo; not with any single provider. My organization uses Shibboleth, and I'm encountering similar issues after they changed Duo over to the Duo Universal Prompt. In relevant part (starting after I entered my password and it sent the provider command), my verbose log reads:

DEBU[0006] HTTP Req                                      URL="https://idp.u.washington.edu/idp/profile/SAML2/Unsolicited/SSO?execution=e1s1" http=client method=POST
DEBU[0006] HTTP Res                                      Status="200 OK" http=client
panic: runtime error: index out of range [1] with length 0

goroutine 1 [running]:
github.com/versent/saml2aws/v2/pkg/provider/shibboleth.parseTokens({0xc0007ded80, 0xd39})
        github.com/versent/saml2aws/v2/pkg/provider/shibboleth/shibboleth.go:407 +0x239
github.com/versent/saml2aws/v2/pkg/provider/shibboleth.verifyMfa(0xc00022f550, 0xc0004dc000, {0xc0004a4501, 0x1c}, {0xc0007ded80, 0x31})
        github.com/versent/saml2aws/v2/pkg/provider/shibboleth/shibboleth.go:148 +0x5c
github.com/versent/saml2aws/v2/pkg/provider/shibboleth.(*Client).Authenticate(0xc00022f550, 0xc000242240)
        github.com/versent/saml2aws/v2/pkg/provider/shibboleth/shibboleth.go:105 +0x4dd
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login(0xc00022a140)
        github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105 +0x4da
main.main()
        ./main.go:188 +0x6c48

Edit: I see this on both saml2aws v2.34.0 and on saml2aws v2.36.10 (same behavior, same error, but the version I copied is from 2.34.0).
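The Shibboleth trace above ends in a runtime panic, "index out of range [1] with length 0", which is what happens when a client indexes into a regexp submatch that was never found because the MFA page no longer contains the classic Duo iframe. The following is an added example, not saml2aws's code and not a fix for it, of parsing such a page defensively: it checks the submatch length before indexing, and when the iframe values are absent it reports whether the page instead hands off to a duosecurity.com Universal Prompt URL. The `data-host` and `data-sig-request` attribute names follow the classic Duo iframe embed; the surrounding markup and redirect URL are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// DuoTokens holds the two values a classic (iframe) Duo page carries and that
// a client needs to continue the second factor. Field names are this example's.
type DuoTokens struct {
	Host       string
	SigRequest string
}

var (
	// Attribute names as used by the classic Duo iframe embed.
	hostRe = regexp.MustCompile(`data-host="([^"]+)"`)
	sigRe  = regexp.MustCompile(`data-sig-request="([^"]+)"`)
	// A Universal Prompt flow leaves no iframe and sends the browser to a
	// duosecurity.com page instead; detecting that gives the user a real reason.
	redirectRe = regexp.MustCompile(`https://[A-Za-z0-9.-]+\.duosecurity\.com/[^"'\s]*`)
)

var ErrNoDuoIframe = errors.New("no classic Duo iframe in MFA page")

// submatch returns the first capture group of re in page, or "" when the
// pattern is absent. The length check is what turns the page's
// "index out of range [1] with length 0" panic into an ordinary error.
func submatch(re *regexp.Regexp, page string) string {
	m := re.FindStringSubmatch(page)
	if len(m) < 2 {
		return ""
	}
	return m[1]
}

// ParseDuoTokens extracts the classic-iframe values from an MFA page. When
// they are missing it says whether the page hands off to a Universal Prompt
// URL, so the failure is attributable rather than a crash.
func ParseDuoTokens(page string) (DuoTokens, error) {
	t := DuoTokens{Host: submatch(hostRe, page), SigRequest: submatch(sigRe, page)}
	if t.Host != "" && t.SigRequest != "" {
		return t, nil
	}
	if loc := redirectRe.FindString(page); loc != "" {
		return DuoTokens{}, fmt.Errorf("%w: page redirects to Universal Prompt at %s", ErrNoDuoIframe, loc)
	}
	return DuoTokens{}, fmt.Errorf("%w: host=%q sig_request=%q", ErrNoDuoIframe, t.Host, t.SigRequest)
}

// Constructed sample pages (not captured from any real IdP).
const classicPage = `<html><body>
<iframe id="duo_iframe" data-host="api-example.duosecurity.com"
        data-sig-request="TX|example-tx:APP|example-app"></iframe>
</body></html>`

const universalPage = `<html><head>
<meta http-equiv="refresh" content="0;url=https://api-example.duosecurity.com/oauth/v1/authorize?state=example">
</head><body>Redirecting...</body></html>`

func main() {
	for _, p := range []string{classicPage, universalPage} {
		tok, err := ParseDuoTokens(p)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("host=%s sig_request=%s\n", tok.Host, tok.SigRequest)
	}
}
```

The classic sample parses cleanly; the Universal Prompt sample returns an error naming the duosecurity.com URL it was redirected to, which is the diagnostic a user would want in place of a stack trace.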

@bkohrn yeah, it seems Duo as a provider implements a frameless prompt that, when starting the auth session, redirects to a page hosted on duosecurity.com with a random prefix (e.g. xxxxx-id.duosecurity.com)

Based on that announcement https://help.duo.com/s/article/6441?language=en_US I think they want to fight third-party clients, so that's why they are trying to beat all these clients by not allowing them to be used with the Duo Universal Prompt and the new version of the frameless WebSDK4, but it doesn't mean that it's not possible to make saml2aws work with these recent innovations. There is an example for the gimme-aws-creds CLI, which supports Okta and Duo Universal Prompt through Okta Classic: Nike-Inc/gimme-aws-creds#437

On the other hand, gimme-aws-creds can be used instead of saml2aws, but gimme-aws-creds has a number of other disadvantages: the remember_device feature doesn't work, the tool doesn't have SAML caching, and many others.