
Caching IDP (Okta) Sessions

Open kaitea opened this issue 5 years ago • 5 comments

When running saml2aws login, it keeps asking for the MFA token for every new login attempt (to a different AWS account).

Is there a way to cache the login session to the IdP (Okta) and not have to enter an MFA token for login attempts to different AWS accounts? (Our Okta setup allows for a 24hr login session after password and MFA token entry.)

Thanks

kaitea avatar Apr 25 '20 14:04 kaitea

I'd also be interested in this! If there's a clean way of implementing it within the tool is it something you'd take a PR for?

scottgerring avatar Apr 30 '20 09:04 scottgerring

I'd be interested in this as well. okta-aws currently does this via cached tokens in ~/.okta/cookies.properties:

https://github.com/oktadeveloper/okta-aws-cli-assume-role

nickchappell avatar May 01 '20 22:05 nickchappell
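The mechanism the comment above points at (okta-aws keeping the Okta session in ~/.okta/cookies.properties and reusing it for subsequent role assumptions) is easy to get wrong on two points: the cached cookie is a bearer credential, so the file must not be readable by other local users, and it must be dropped when the IdP session expires or is revoked server-side. The following is an added illustration written for this page in Python, not code from saml2aws or okta-aws. The cache path, the `idp_login`/`assume_role` callables, the `FakeIdp` stand-in for Okta, the 24h TTL and the account IDs are all constructed assumptions; a real tool would call the IdP and STS at those two points.

```python
"""Reusing one IdP (Okta) session across several SAML logins so the MFA
prompt happens once per session rather than once per AWS account.

Hypothetical illustration; the IdP and role-assumption calls are stubbed."""
import json
import os
import stat
import tempfile
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import Callable, Optional, Tuple


class SessionRejected(Exception):
    """Raised by the role-assumption step when the IdP no longer honours the
    cached session cookie (revoked by an admin, or expired server-side)."""


@dataclass
class CachedSession:
    cookie: str         # IdP session cookie: a bearer credential
    expires_at: float   # unix epoch seconds after which we refuse to reuse it


class SessionCache:
    """File-backed cache for one IdP session (JSON with an explicit expiry),
    in the spirit of okta-aws's ~/.okta/cookies.properties."""

    def __init__(self, path: Path):
        self.path = path

    def load(self, now: float) -> Optional[CachedSession]:
        try:
            st = self.path.stat()
        except FileNotFoundError:
            return None
        # A cache readable by group/other leaks the session; discard it.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            self.clear()
            return None
        try:
            data = json.loads(self.path.read_text())
            sess = CachedSession(str(data["cookie"]), float(data["expires_at"]))
        except (ValueError, KeyError, TypeError):
            self.clear()          # corrupt cache: fall back to a fresh login
            return None
        if now >= sess.expires_at:
            self.clear()          # past the IdP session lifetime
            return None
        return sess

    def save(self, sess: CachedSession) -> None:
        # Create with mode 0600 up front so there is no window in which the
        # file is world-readable (a chmod after writing would leave one).
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(asdict(sess), f)

    def clear(self) -> None:
        try:
            self.path.unlink()
        except FileNotFoundError:
            pass


def login(cache: SessionCache, idp_login: Callable[[], Tuple[str, float]],
          assume_role: Callable[[str, str], str], account: str, now: float,
          margin: float = 60.0) -> str:
    """Return credentials for `account`; prompt for MFA (idp_login) only when
    no usable cached session exists. `margin` seconds are shaved off the TTL
    so a session is never reused in its final moments. A session the IdP
    rejects is discarded and the login retried once from scratch."""
    sess = cache.load(now)
    if sess is None:
        cookie, ttl = idp_login()                 # password + MFA happens here
        sess = CachedSession(cookie, now + ttl - margin)
        cache.save(sess)
    try:
        return assume_role(sess.cookie, account)
    except SessionRejected:
        cache.clear()
        cookie, ttl = idp_login()
        sess = CachedSession(cookie, now + ttl - margin)
        cache.save(sess)
        return assume_role(sess.cookie, account)


class FakeIdp:
    """Constructed stand-in for Okta: counts MFA prompts and remembers which
    session cookies it still honours."""
    def __init__(self, ttl: float):
        self.ttl, self.mfa_prompts, self.valid = ttl, 0, set()

    def login(self) -> Tuple[str, float]:
        self.mfa_prompts += 1
        cookie = f"sid-{self.mfa_prompts}"
        self.valid.add(cookie)
        return cookie, self.ttl

    def assume_role(self, cookie: str, account: str) -> str:
        if cookie not in self.valid:
            raise SessionRejected(cookie)
        return f"creds:{account}:{cookie}"


def run_demo(accounts=("111111111111", "222222222222", "333333333333"),
             ttl: float = 24 * 3600) -> Tuple[int, int, int]:
    """MFA prompt count after: logging into all accounts; one login after the
    session TTL; one login after the IdP revoked the session. Expect (1, 2, 3)."""
    with tempfile.TemporaryDirectory() as d:
        cache, idp, t0 = SessionCache(Path(d) / "okta-session.json"), FakeIdp(ttl), 1_700_000_000.0
        for acct in accounts:
            login(cache, idp.login, idp.assume_role, acct, now=t0)
        first = idp.mfa_prompts
        login(cache, idp.login, idp.assume_role, accounts[0], now=t0 + ttl)
        second = idp.mfa_prompts
        idp.valid.clear()                          # admin killed the session
        login(cache, idp.login, idp.assume_role, accounts[1], now=t0 + ttl + 10)
        return first, second, idp.mfa_prompts


def world_readable_cache_is_rejected() -> bool:
    """Show that a cache file with group/other bits set is not reused."""
    with tempfile.TemporaryDirectory() as d:
        cache = SessionCache(Path(d) / "s.json")
        cache.save(CachedSession("sid-x", 2000.0))
        before = cache.load(1000.0) is not None
        os.chmod(cache.path, 0o644)
        return before and cache.load(1000.0) is None


if __name__ == "__main__":
    print(run_demo(), world_readable_cache_is_rejected())
```

Three accounts cost one MFA prompt, the expired session costs a second, and the revoked one a third; a for-loop over a dozen accounts behaves the same way as long as the IdP session lasts. Note that the expiry stored locally is only a hint: the server-side check (`SessionRejected` here) is what actually decides whether the cookie is still good, and the cache must be cleared on that path too.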

This would help out UX immensely. I have an Amazon Web Services "sign on" rule that requires an MFA challenge once per session. It requires an Okta double push which confuses and irritates the end-users.

taylorsmcclure avatar May 11 '20 17:05 taylorsmcclure

My company has its own, much modified version of https://github.com/RedVentures/oktad that we're trying to get away from, but the caching is a pretty serious need for our workflows. Most of our teams work in 2-5 accounts a day and regularly for-loop auth to them, but having to do the MFA dance on every account (sometimes as many as a dozen) is exceptionally tedious.

Love this tool otherwise and would love to see this feature.

curator avatar May 15 '20 18:05 curator

I think this is already implemented in the most recent version of this tool? Today I tried it out and it stopped asking me for Okta OTP in my multiple, sequential saml2aws runs.

hoangminhtu-dh avatar Nov 16 '22 09:11 hoangminhtu-dh