saml2aws icon indicating copy to clipboard operation
saml2aws copied to clipboard
verified publisher icon Versent

okta login fails after retrieving SAMLResponse

Open ahvandf opened this issue 5 years ago • 6 comments

I am trying to use saml2aws with my okta account but login fails with the below following error:

cannot find state token
github.com/versent/saml2aws/v2/pkg/provider/okta.getStateTokenFromOktaPageBody
	/Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:238
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
	/Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:212
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
	/Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:230
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	/Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:164
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
	/Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:217
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	/Users/markw/Code/notgopath/saml2aws/pkg/provider/okta/okta.go:164
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	/Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/commands/login.go:70
main.main
	/Users/markw/Code/notgopath/saml2aws/cmd/saml2aws/main.go:163
runtime.main
	/usr/local/Cellar/go/1.15.1/libexec/src/runtime/proc.go:204
runtime.goexit
	/usr/local/Cellar/go/1.15.1/libexec/src/runtime/asm_amd64.s:1374
error retrieving saml response

I can see in the response dump that the saml-response and stateToken both exist and the authentication was handled to final redirection successfully but somehow it fails to get the tokens

<form id="appForm" action="https&#x3a;&#x2f;&#x2f;eu-central-1.signin.aws.amazon.com&#x2f;platform&#x2f;saml&#x2f;acs&#x2f;********" method="POST">
  <input name="SAMLResponse" type="hidden" value="******"/>
  <input name="RelayState" type="hidden" value=""/>
</form>

ahvandf avatar Dec 28 '20 14:12 ahvandf

i am having the same issue, did you manage to solve it ?

SemmiX avatar Jan 05 '21 15:01 SemmiX

I did manage to circumvent this particular exception by adding our url to "pkg/provider/okta. docIsFormRedirectToAWS"

ghost avatar Jan 05 '21 15:01 ghost

For clarification on the configuration for this issue:

  • Okta is configured as the IdP for AWS SSO in an organization management account.
  • The sign in URLs include the region in which SSO was instantiated. The original report has theirs in eu-central-1; our URL for example is https://us-east-1.signin.aws.amazon.com/platform/saml/acs/xxxxxxxx

asaba-vgs avatar Feb 19 '21 15:02 asaba-vgs

Same problem here, unclear how to proceed.

bbakersmith avatar Jun 17 '21 14:06 bbakersmith

For me the issue was using the wrong URL in the configuration. It wants the full https://SOMETHING.okta.com/home/amazon_aws/SOMETHING/SOMETHING

bbakersmith avatar Jun 18 '21 15:06 bbakersmith

I am also getting same error.

error authenticating to IdP: error retrieving saml response: cannot find state token

rajesh6752 avatar Apr 04 '22 09:04 rajesh6752