Failure to gain credentials from Azure when it is the SAML source for multiple AWS accounts
I am working with Azure AD as the SSO SAML authentication for multiple AWS accounts. I do not see an option to specify which role and account I want to gain the credentials for. Without it, the tool is unable to determine which account to generate the key pair for:
```
$ ./saml2aws list-roles --verbose
DEBU[0000] Running   command=list-roles
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username assaf@xxxxxxxio
? Password ***************
DEBU[0009] building provider   command=list idpAccount="account {
  AppID: XXXXXXXXX-5XXb-4XX-9XXX-XXXXXXXXXXXX
  URL: https://account.activedirectory.windowsazure.com
  Username: [email protected]
  Provider: AzureAD
  MFA: PhoneAppNotification
  SkipVerify: false
  AmazonWebservicesURN: urn:amazon:webservices
  SessionDuration: 3600
  Profile: saml
  RoleARN:
  Region:
}"
DEBU[0010] processing ConvergedSignIn   provider=AzureAD
DEBU[0010] HTTP Req   URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0010] HTTP Res   Status="200 OK" http=client
DEBU[0010] HTTP Req   URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0011] HTTP Res   Status="200 OK" http=client
DEBU[0011] processing ConvergedTFA   provider=AzureAD
DEBU[0011] HTTP Req   URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0012] HTTP Res   Status="200 OK" http=client
Phone approval required. Entropy is: XX
DEBU[0012] HTTP Req   URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0034] HTTP Res   Status="200 OK" http=client
DEBU[0034] processing KmsiInterrupt   provider=AzureAD
DEBU[0034] HTTP Req   URL="https://login.microsoftonline.com/kmsi" http=client method=POST
DEBU[0034] HTTP Res   Status="200 OK" http=client
DEBU[0034] processing a 'hiddenform'   provider=AzureAD
DEBU[0034] HTTP Req   URL="https://launcher.myapps.microsoft.com/api/signin-oidc" http=client method=POST
DEBU[0035] HTTP Res   Status="404 Not Found" http=client
DEBU[0035] reached an unknown page within the authentication process   provider=AzureAD
failed get SAMLAssertion
github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:221
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.ListRoles
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/list_roles.go:66
main.main
	./main.go:203
runtime.main
	runtime/proc.go:271
runtime.goexit
	runtime/asm_amd64.s:1695
error authenticating to IdP
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.ListRoles
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/list_roles.go:68
main.main
	./main.go:203
runtime.main
	runtime/proc.go:271
runtime.goexit
	runtime/asm_amd64.s:1695
```
The application should have an option to specify the AWS account ID to assign the token for, e.g.:

```
./saml2aws --role=XXXX --region=us-east-1 --accountid=123456789
```

I noticed I forgot to mention the version, so:

```
$ ./saml2aws --version
2.36.18
```
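For reference, the selection the report asks for can be done entirely on the SAML assertion the IdP returns: the `https://aws.amazon.com/SAML/Attributes/Role` attribute carries one `role,provider` ARN pair per value (AWS accepts either order), and each role ARN embeds the 12-digit account number, so an account-ID filter is a filter over those pairs. The Go program below, an added illustration and not saml2aws's own code, parses a constructed, unsigned assertion that grants roles in two accounts and picks the pair to hand to `sts:AssumeRoleWithSAML` for a requested account (and optionally role name). `ParseRoles`, `SelectRole`, the sample assertion and the account numbers are all assumed names and data for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

const roleAttr = "https://aws.amazon.com/SAML/Attributes/Role"

// AWSRole is one role/provider pair carried in the assertion's Role attribute.
type AWSRole struct {
	RoleARN      string
	PrincipalARN string
	AccountID    string // 12-digit account number taken from RoleARN
}

// samlResponse maps only the elements needed here. encoding/xml matches on the
// local element name, so the saml:/samlp: prefixes in the document do not matter.
type samlResponse struct {
	XMLName   xml.Name `xml:"Response"`
	Assertion struct {
		Attributes []struct {
			Name   string   `xml:"Name,attr"`
			Values []string `xml:"AttributeValue"`
		} `xml:"AttributeStatement>Attribute"`
	} `xml:"Assertion"`
}

// sampleResponse is a constructed, unsigned assertion standing in for what the
// IdP would post back (base64-encoded, as in the SAMLResponse form field). It
// grants one role in each of two accounts, with the pair order deliberately
// swapped between them. Account numbers and role names are made up.
var sampleResponse = base64.StdEncoding.EncodeToString([]byte(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/AzureAD</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/AzureAD,arn:aws:iam::222222222222:role/ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>3600</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>`))

// ParseRoles decodes a base64 SAMLResponse and returns every role/provider pair
// found in its Role attribute. Signature validation is out of scope here; a
// real client must verify the assertion before trusting any of these values.
func ParseRoles(encoded string) ([]AWSRole, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("decode assertion: %w", err)
	}
	var resp samlResponse
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("parse assertion: %w", err)
	}
	var roles []AWSRole
	for _, a := range resp.Assertion.Attributes {
		if a.Name != roleAttr {
			continue
		}
		for _, v := range a.Values {
			r, err := parseRolePair(v)
			if err != nil {
				return nil, err
			}
			roles = append(roles, r)
		}
	}
	if len(roles) == 0 {
		return nil, errors.New("assertion carries no AWS Role attribute")
	}
	return roles, nil
}

// parseRolePair accepts "role,provider" or "provider,role" and reads the
// account number out of the role ARN (arn:partition:service:region:account:resource).
func parseRolePair(v string) (AWSRole, error) {
	parts := strings.Split(strings.TrimSpace(v), ",")
	if len(parts) != 2 {
		return AWSRole{}, fmt.Errorf("malformed Role value %q", v)
	}
	var r AWSRole
	for _, p := range parts {
		p = strings.TrimSpace(p)
		switch {
		case strings.Contains(p, ":role/"):
			r.RoleARN = p
		case strings.Contains(p, ":saml-provider/"):
			r.PrincipalARN = p
		}
	}
	if r.RoleARN == "" || r.PrincipalARN == "" {
		return AWSRole{}, fmt.Errorf("Role value %q lacks a role or provider ARN", v)
	}
	arnParts := strings.Split(r.RoleARN, ":")
	if len(arnParts) < 6 || len(arnParts[4]) != 12 {
		return AWSRole{}, fmt.Errorf("cannot read account ID from %q", r.RoleARN)
	}
	r.AccountID = arnParts[4]
	return r, nil
}

// SelectRole picks the pair to assume. accountID is required; roleName may be
// empty, in which case the account must expose exactly one role, otherwise the
// caller is told to disambiguate instead of silently taking the first match.
func SelectRole(roles []AWSRole, accountID, roleName string) (AWSRole, error) {
	var matches []AWSRole
	for _, r := range roles {
		if r.AccountID != accountID {
			continue
		}
		if roleName == "" || strings.HasSuffix(r.RoleARN, ":role/"+roleName) {
			matches = append(matches, r)
		}
	}
	switch len(matches) {
	case 0:
		return AWSRole{}, fmt.Errorf("no role for account %s (role %q) in assertion", accountID, roleName)
	case 1:
		return matches[0], nil
	default:
		return AWSRole{}, fmt.Errorf("account %s exposes %d roles; pass a role name", accountID, len(matches))
	}
}

func main() {
	roles, err := ParseRoles(sampleResponse)
	if err != nil {
		panic(err)
	}
	for _, r := range roles {
		fmt.Printf("%s  %s\n", r.AccountID, r.RoleARN)
	}
	chosen, err := SelectRole(roles, "222222222222", "")
	if err != nil {
		panic(err)
	}
	fmt.Println("AssumeRoleWithSAML with", chosen.RoleARN, "via", chosen.PrincipalARN)
}
```

The selection deliberately errors on zero or several matches rather than guessing, since picking the wrong account silently is the failure mode a multi-account setup needs to avoid.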
Hey, I also need this feature to work.