
error authenticating to IdP: error verifying MFA: The provided key handle is not present on the device, or was created with a different application parameter.

Open carloshmiranda opened this issue 5 years ago • 8 comments

Started to get this error after changing to a new laptop; has this happened to someone else?

We use Okta as an IDP and Yubikeys for FIDO.

carloshmiranda avatar Feb 22 '21 14:02 carloshmiranda

This is happening to a few different folks in our company; anyone else seeing this?

cdchris12 avatar Mar 01 '21 17:03 cdchris12

Ran into this issue in my org when we have users with multiple FIDO keys configured.

If anyone wants to test this https://github.com/Versent/saml2aws/pull/649/files

sriram-clever avatar Apr 07 '21 03:04 sriram-clever

We tested this in our organization, and it appeared to be fixed with https://github.com/Versent/saml2aws/pull/630. We've not had any further issues since the release of v2.28.4.

cdchris12 avatar Apr 07 '21 04:04 cdchris12

Interesting, for us v2.28.4 ended up introducing this issue for users, especially if the first FIDO key registered happened to be the one they normally use. The pull request addresses what looks like a bug in the new code.

sriram-clever avatar Apr 07 '21 04:04 sriram-clever

@sriram-clever Yes, #630 introduced it for me as well (Linux client). I realized it precisely when updating an older PR fixing U2F USB detection in Linux with that change and testing it: I had the same issue, given that I use multiple keys and the first one (and the only one connected) was being escaped. I had not seen your PR until just now, but I followed the issue and found the same change (only reversed for clarity) fixed it, so I added it along with multiple other changes I did to update and make my fix to USB detection acceptable. The line with my version of the change is this one.

ocraviotto avatar Apr 10 '21 16:04 ocraviotto

We just set up saml2aws and our entire team is getting this issue. We all have n+1 Yubikeys configured to access Okta. I did set up a temporary MFA with Google Authenticator and it worked, so the problem is down to just the Yubikeys.

The Yubikeys work when we access Okta in the web browser; it pops up asking you to tap it. Not sure if there is some other configuration required.

❯ saml2aws --version
2.33.0
❯ saml2aws --verbose -a redacted login --force
DEBU[0000] Running                                       command=login
DEBU[0000] Check if creds exist.                         command=login
DEBU[0000] Expand                                        name=/Users/justin/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/Users/justin/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/Users/justin/.aws/credentials pkg=awsconfig
Using IdP Account redacted to access Okta https://auth.redacted.network/home/amazon_aws/dfgdfgdfbdfbbfgnfgbfgb/272
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://auth.redacted.network/home/amazon_aws/dfgdfgdfbdfbbfgnfgbfgb/272"
DEBU[0000] Get credentials                               helper=osxkeychain user=justin
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://auth.redacted.network/home/amazon_aws/dfgdfgdfbdfbbfgnfgbfgb/272/sessionCookie"
DEBU[0000] Get credentials                               helper=osxkeychain user=justin
To use saved password just hit enter.
? Username
? Password

DEBU[0004] building provider                             command=login idpAccount="account {\n  DisableSessions: true\n  DisableRememberDevice: true\n  URL: https://auth.redacted.network/home/amazon_aws/dfgdfgdfbdfbbfgnfgbfgb/272\n  Username: justin\n  Provider: Okta\n  MFA: Auto\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 3600\n  Profile: redacted\n  RoleARN: \n  Region: us-gov-west-1\n}"
DEBU[0004] okta | disableSessions: true                  provider=okta
DEBU[0004] okta | rememberDevice: false                  provider=okta
Authenticating as justin ...
DEBU[0004] HTTP Req                                      URL="https://auth.redacted.network/api/v1/authn" http=client method=POST
DEBU[0004] HTTP Res                                      Status="200 OK" http=client
? Select which MFA option to use FIDO WebAuthn MFA authentication
DEBU[0006] MFA                                           factorID=fdff4fdfdffdfdfdf mfaIdentifer="FIDO WEBAUTHN" oktaVerify="https://auth.redacted.network/api/v1/authn/factors/fdff4fdfdffdfdfdf/verify" provider=okta
DEBU[0006] HTTP Req                                      URL="https://auth.redacted.network/api/v1/authn/factors/fdff4fdfdffdfdfdf/verify" http=client method=POST
DEBU[0006] HTTP Res                                      Status="200 OK" http=client
The provided key handle is not present on the device, or was created with a different application parameter.
tried all MFA options
github.com/versent/saml2aws/v2/pkg/provider/okta.fidoWebAuthn
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:1136
github.com/versent/saml2aws/v2/pkg/provider/okta.verifyMfa
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:1096
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:479
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:187
runtime.main
	runtime/proc.go:255
runtime.goexit
	runtime/asm_amd64.s:1581
error verifying MFA
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:481
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:187
runtime.main
	runtime/proc.go:255
runtime.goexit
	runtime/asm_amd64.s:1581
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:187
runtime.main
	runtime/proc.go:255
runtime.goexit
	runtime/asm_amd64.s:1581

I confirmed this works if I remove the other yubikey from the account.

jseiser avatar Dec 14 '21 19:12 jseiser

I think this PR should also fix the "multiple Yubikey" error: https://github.com/Versent/saml2aws/pull/745/files

alsmola avatar Dec 30 '21 01:12 alsmola

I currently use saml2aws with Okta and have 4 yubikeys configured with my account. I've run into this issue in the current saml2aws version 2.34.0 where it seems like it pinned the MFA factorID regardless of which yubikey I had inserted into my device.

A workaround that seemed to work for me was to:

  1. remove the last added yubikey from my Okta account
  2. then re-auth with saml2aws using the yubikey I first registered with Okta
  3. then re-add my last added yubikey back to Okta

Once completed, I could use any of my yubikey devices again.

rkialashaki avatar Mar 23 '22 05:03 rkialashaki
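The failure mode described across this thread (the client commits to one registered key handle, so the inserted key fails with "key handle is not present on the device" whenever it is not the pinned one) and the fix both PRs aim at (offer every registered handle to the inserted key and use the one it accepts, which is what a browser does with the WebAuthn allowCredentials list) are shown side by side below. This is an added illustration, not saml2aws's own code or the code from either PR; the `Credential`, `Authenticator`, `pickPinned` and `tryEachHandle` names, the `ErrKeyHandleNotPresent` sentinel and all sample key-handle values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrKeyHandleNotPresent stands in for the device error quoted in this thread
// ("The provided key handle is not present on the device..."). The name is an
// assumption for this example, not a library identifier.
var ErrKeyHandleNotPresent = errors.New("key handle not present on device")

// Credential is one registered FIDO key handle as the IdP returns it in a
// challenge. Only the fields the example needs are modelled (assumed shape).
type Credential struct {
	ID       string // key handle / credential identifier (constructed values below)
	FactorID string // the IdP MFA factor this key handle belongs to
}

// Authenticator abstracts the inserted security key: Sign must return
// ErrKeyHandleNotPresent for a handle that a different key created.
type Authenticator interface {
	Sign(keyHandle string) (signature []byte, err error)
}

// pickPinned reproduces the reported behaviour: the client commits to a single
// registered handle and fails outright when the inserted key does not own it.
func pickPinned(creds []Credential, dev Authenticator) (Credential, []byte, error) {
	if len(creds) == 0 {
		return Credential{}, nil, errors.New("no registered FIDO credentials")
	}
	sig, err := dev.Sign(creds[0].ID)
	if err != nil {
		return Credential{}, nil, fmt.Errorf("error verifying MFA: %w", err)
	}
	return creds[0], sig, nil
}

// tryEachHandle offers every registered key handle to the inserted device and
// uses the first one it accepts, so any of the user's n+1 keys can answer the
// challenge. Errors other than "not present" are returned immediately rather
// than masked by moving on to the next handle.
func tryEachHandle(creds []Credential, dev Authenticator) (Credential, []byte, error) {
	for _, c := range creds {
		sig, err := dev.Sign(c.ID)
		switch {
		case err == nil:
			return c, sig, nil
		case errors.Is(err, ErrKeyHandleNotPresent):
			continue // handle belongs to another key; try the next one
		default:
			return Credential{}, nil, fmt.Errorf("error verifying MFA: %w", err)
		}
	}
	return Credential{}, nil, fmt.Errorf(
		"error verifying MFA: none of %d registered key handles is present on the inserted device: %w",
		len(creds), ErrKeyHandleNotPresent)
}

// fakeKey is a constructed stand-in for one physical security key: it only
// recognises the handles it created itself.
type fakeKey struct{ owned map[string]bool }

func (k fakeKey) Sign(keyHandle string) ([]byte, error) {
	if !k.owned[keyHandle] {
		return nil, ErrKeyHandleNotPresent
	}
	return []byte("sig:" + keyHandle), nil
}

// Constructed sample: four registered keys, with the third one inserted.
var sampleCreds = []Credential{
	{ID: "kh-laptop-old", FactorID: "fid-1"},
	{ID: "kh-desk", FactorID: "fid-2"},
	{ID: "kh-laptop-new", FactorID: "fid-3"},
	{ID: "kh-backup", FactorID: "fid-4"},
}

var insertedKey = fakeKey{owned: map[string]bool{"kh-laptop-new": true}}

func main() {
	if _, _, err := pickPinned(sampleCreds, insertedKey); err != nil {
		fmt.Println("pinned:", err) // fails: only the first handle is tried
	}
	c, _, err := tryEachHandle(sampleCreds, insertedKey)
	fmt.Println("try-each:", c.ID, err) // succeeds with kh-laptop-new
}
```

Distinguishing "not present" from other device errors matters: treating every failure as "try the next handle" would hide a real transport or user-presence problem behind the same misleading message, which is part of why this error has been hard to diagnose in the thread.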