ADFS with duo MFA always fails
Is there support for the ADFS provider along with Duo as an MFA? Tried a lot, but it always fails with the following error:
"unable to classify response from auth server"
Detailed logs:

saml2aws login --verbose --duo-mfa-option="Duo Push"

time="2021-05-25T17:11:39+05:30" level=debug msg=Running command=login
time="2021-05-25T17:11:39+05:30" level=debug msg="check if Creds Exist" command=login
time="2021-05-25T17:11:39+05:30" level=debug msg=Expand name="C:\Users\user/.aws/credentials" pkg=awsconfig
time="2021-05-25T17:11:39+05:30" level=debug msg=resolveSymlink name="C:\Users\user\.aws\credentials" pkg=awsconfig
time="2021-05-25T17:11:39+05:30" level=debug msg=ensureConfigExists filename="C:\Users\user\.aws\credentials" pkg=awsconfig
Using IDP Account default to access ADFS https://sso.company.com
To use saved password just hit enter.
? Username
? Password *************
time="2021-05-25T17:11:52+05:30" level=debug msg="building provider" command=login idpAccount="account {\n URL: https://sso.harman.com\n Username: [email protected]\n Provider: ADFS\n MFA: Auto\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 3600\n Profile: XXXX27842XXX\n RoleARN: \n Region: us-east-2\n}"
Authenticating as [email protected] ...
time="2021-05-25T17:11:53+05:30" level=debug msg="HTTP Req" URL="https://sso.company.com:XXX/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn%3Aamazon%3Awebservices&client-request-id=4a86f920-b52e-4d67-ff38-xxxxxxxx" http=client method=POST
time="2021-05-25T17:11:54+05:30" level=debug msg="HTTP Res" Status="200 OK" http=client
unable to classify response from auth server
github.com/versent/saml2aws/v2/pkg/provider/adfs.(*Client).Authenticate
    C:/gopath/src/github.com/versent/saml2aws/pkg/provider/adfs/adfs.go:144
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    C:/gopath/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:104
main.main
    C:/gopath/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:183
runtime.main
    C:/go/src/runtime/proc.go:203
runtime.goexit
    C:/go/src/runtime/asm_amd64.s:1357
error authenticating to IdP
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    C:/gopath/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:106
main.main
    C:/gopath/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:183
runtime.main
    C:/go/src/runtime/proc.go:203
runtime.goexit
    C:/go/src/runtime/asm_amd64.s:1357
Config:

name = default
app_id =
url = https://sso.company.com
username = [email protected]
provider = ADFS
mfa = Auto
skip_verify = false
timeout = 0
aws_urn = urn:amazon:webservices
I'm getting the same issue, @hcsyash did you ever get it to work?
This is because Duo wasn't supported by the ADFS provider (see #36). I've submitted #849 to add this feature. I've also submitted PRs #845 and #847, which address issues that could lead to similar errors.