
u8whl (u8whl) asked a question.
We have set up an AWS account federation app in Okta to authenticate SSO login through saml2aws. I am able to login successfully from a Mac system and it obtains the role too. But the same user trying to login from a Windows system fails login with error: level=debug msg="HTTP Req" URL="https://<org>.okta.com/api/v1/authn" http=client method=POST request for url: https://<org>.okta.com/api/v1/authn failed status: 401 Unauthorized
Saml2aws version: 2.32.0
awscli version: 2.4.8
Windows version: 10 Home edition - 64 bit
Verbose log:
C:\>saml2aws login --profile saml -a saml --verbose --disable-keychain
time="2022-04-21T15:45:18-06:00" level=debug msg=Running command=login
time="2022-04-21T15:45:18-06:00" level=debug msg="check if Creds Exist" command=login
time="2022-04-21T15:45:18-06:00" level=debug msg=Expand name="C:\\Users\\<user>/.aws/credentials" pkg=awsconfig
time="2022-04-21T15:45:18-06:00" level=debug msg=resolveSymlink name="C:\\Users\\<user>\\.aws\\credentials" pkg=awsconfig
time="2022-04-21T15:45:18-06:00" level=debug msg=ensureConfigExists filename="C:\\Users\\<user>\\.aws\\credentials" pkg=awsconfig
Using IDP Account saml to access Okta https://<org>.okta.com/app/amazon_aws/<sso_url>/sso/saml
To use saved password just hit enter.
? Username
? Password ***
time="2022-04-21T15:45:30-06:00" level=debug msg="building provider" command=login idpAccount="account {\n DisableSessions: true\n DisableRememberDevice: true\n URL: https://<org>.okta.com/app/amazon_aws/<sso_url>/sso/saml\n Username: user@<org>.com\n Provider: Okta\n MFA: Auto\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 3600\n Profile: saml\n RoleARN: \n Region: us-east-1\n}"
time="2022-04-21T15:45:30-06:00" level=debug msg="okta | disableSessions: true" provider=okta
time="2022-04-21T15:45:30-06:00" level=debug msg="okta | rememberDevice: false" provider=okta
Authenticating as user@<org>.com ...
time="2022-04-21T15:45:30-06:00" level=debug msg="HTTP Req" URL="https://<org>.okta.com/api/v1/authn" http=client method=POST
time="2022-04-21T15:45:31-06:00" level=debug msg="HTTP Res" Status="200 OK" http=client
? Select which MFA option to use TOTP MFA authentication
time="2022-04-21T15:45:35-06:00" level=debug msg=MFA factorID=<ID> mfaIdentifer="GOOGLE TOKEN:SOFTWARE:TOTP" oktaVerify="https://<org>.okta.com/api/v1/authn/factors/<ID>/verify" provider=okta
time="2022-04-21T15:45:35-06:00" level=debug msg="HTTP Req" URL="https://<org>.okta.com/api/v1/authn/factors/<ID>/verify" http=client method=POST
time="2022-04-21T15:45:36-06:00" level=debug msg="HTTP Res" Status="200 OK" http=client
? Enter verification code 479066
time="2022-04-21T15:45:49-06:00" level=debug msg="HTTP Req" URL="https://<org>.okta.com/api/v1/authn/factors/<ID>/verify" http=client method=POST
time="2022-04-21T15:45:50-06:00" level=debug msg="HTTP Res" Status="200 OK" http=client
time="2022-04-21T15:45:50-06:00" level=debug msg="HTTP Req" URL="https://<org>.okta.com/login/sessionCookieRedirect?checkAccountSetupComplete=true&redirectUrl=https%3A%2F%2F<org>.okta.com%2Fapp%2Famazon_aws%2F<sso_url>%2Fsso%2Fsaml&token=20111ZVonzs7r5ZS5qrcnqQB3c0hKewgk4_VlhGVu3E8HbqCaUnMCwM" http=client method=GET
time="2022-04-21T15:45:50-06:00" level=debug msg="HTTP Res" Status="200 OK" http=client
time="2022-04-21T15:45:50-06:00" level=debug msg="HTTP Req" URL="https://<org>.okta.com/app/amazon_aws/<sso_url>/sso/saml" http=client method=GET
time="2022-04-21T15:45:51-06:00" level=debug msg="HTTP Res" Status="200 OK" http=client
time="2022-04-21T15:45:51-06:00" level=debug msg="HTTP Req" URL="https://<org>.okta.com/api/v1/authn" http=client method=POST
request for url: https://<org>.okta.com/api/v1/authn failed status: 401 Unauthorized
github.com/versent/saml2aws/v2/pkg/provider.SuccessOrRedirectResponseValidator
C:/gopath/src/github.com/versent/saml2aws/pkg/provider/http.go:168
github.com/versent/saml2aws/v2/pkg/provider.(*HTTPClient).Do
C:/gopath/src/github.com/versent/saml2aws/pkg/provider/http.go:113
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).primaryAuth
C:/gopath/src/github.com/versent/saml2aws/pkg/provider/okta/okta.go:424
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
C:/gopath/src/github.com/versent/saml2aws/pkg/provider/okta/okta.go:472
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
C:/gopath/src/github.com/versent/saml2aws/pkg/provider/okta/okta.go:575
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
C:/gopath/src/github.com/versent/saml2aws/pkg/provider/okta/okta.go:501
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
C:/gopath/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:105
main.main
C:/gopath/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:187
runtime.main
C:/go/src/runtime/proc.go:203
runtime.goexit
C:/go/src/runtime/asm_amd64.s:1357
error retrieving auth response
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).primaryAuth
C:/gopath/src/github.com/versent/saml2aws/pkg/provider/okta/okta.go:426
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
C:/gopath/src/github.com/versent/saml2aws/pkg/provider/okta/okta.go:472
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
C:/gopath/src/github.com/versent/saml2aws/pkg/provider/okta/okta.go:575
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
C:/gopath/src/github.com/versent/saml2aws/pkg/provider/okta/okta.go:501
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
C:/gopath/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:105
main.main
C:/gopath/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:187
runtime.main
C:/go/src/runtime/proc.go:203
runtime.goexit
C:/go/src/runtime/asm_amd64.s:1357
error authenticating to IdP
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
C:/gopath/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:107
main.main
C:/gopath/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:187
runtime.main
C:/go/src/runtime/proc.go:203
runtime.goexit
C:/go/src/runtime/asm_amd64.s:1357
Any help would be appreciated. Thanks in advance.

https://github.com/Versent/saml2aws/issues/358#:~:text=%40borgstrom-,DUO%20policy%20could%20not%20recognize%20the%20OS%20from%20saml2aws%20so%20by%20default%20it%20was%20blocking%20it.%20I%20had%20to%20override%20that%20default%20behavior%20in%20the%20policy%20and%20it%20worked.,-noahlz
Resolved with the response above
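Added diagnostic, not part of this thread or of saml2aws itself: a small Python triage script that pairs the `HTTP Req` / `HTTP Res` lines of a saml2aws `--verbose` log and reports where the flow broke. The sample log is a constructed excerpt modelled on the one in the question (placeholders for the org, factor id and session token). The point it makes visible is the one the stack trace already shows (`follow -> Authenticate -> primaryAuth`): primary auth and MFA succeeded, the app's `/sso/saml` page was fetched with 200, and only then did saml2aws run a second primary auth that the IdP answered with 401. That pattern points at the sign-on or MFA policy applied to the client (here a Duo policy that did not recognise the OS), not at the password. The `diagnose` heuristic and the pattern names are my own assumptions, not saml2aws output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the --verbose output in the question
# (placeholders for the org, factor id and session token; not a real capture).
SAMPLE_LOG = """\
time="2022-04-21T15:45:30-06:00" level=debug msg="HTTP Req" URL="https://<org>.okta.com/api/v1/authn" http=client method=POST
time="2022-04-21T15:45:31-06:00" level=debug msg="HTTP Res" Status="200 OK" http=client
time="2022-04-21T15:45:35-06:00" level=debug msg=MFA factorID=<ID> mfaIdentifer="GOOGLE TOKEN:SOFTWARE:TOTP" provider=okta
time="2022-04-21T15:45:35-06:00" level=debug msg="HTTP Req" URL="https://<org>.okta.com/api/v1/authn/factors/<ID>/verify" http=client method=POST
time="2022-04-21T15:45:36-06:00" level=debug msg="HTTP Res" Status="200 OK" http=client
time="2022-04-21T15:45:49-06:00" level=debug msg="HTTP Req" URL="https://<org>.okta.com/api/v1/authn/factors/<ID>/verify" http=client method=POST
time="2022-04-21T15:45:50-06:00" level=debug msg="HTTP Res" Status="200 OK" http=client
time="2022-04-21T15:45:50-06:00" level=debug msg="HTTP Req" URL="https://<org>.okta.com/login/sessionCookieRedirect?checkAccountSetupComplete=true&redirectUrl=https%3A%2F%2F<org>.okta.com%2Fapp%2Famazon_aws%2F<sso_url>%2Fsso%2Fsaml&token=<token>" http=client method=GET
time="2022-04-21T15:45:50-06:00" level=debug msg="HTTP Res" Status="200 OK" http=client
time="2022-04-21T15:45:50-06:00" level=debug msg="HTTP Req" URL="https://<org>.okta.com/app/amazon_aws/<sso_url>/sso/saml" http=client method=GET
time="2022-04-21T15:45:51-06:00" level=debug msg="HTTP Res" Status="200 OK" http=client
time="2022-04-21T15:45:51-06:00" level=debug msg="HTTP Req" URL="https://<org>.okta.com/api/v1/authn" http=client method=POST
request for url: https://<org>.okta.com/api/v1/authn failed status: 401 Unauthorized
"""

# logfmt-style debug line: time=... level=... msg=... followed by key=value pairs
LINE_RE = re.compile(r'^time="(?P<ts>[^"]+)" level=(?P<level>\w+) msg=(?P<msg>"[^"]*"|\S+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# saml2aws prints the failing request as plain text rather than as a logfmt line
FAIL_RE = re.compile(r'^request for url: (?P<url>\S+) failed status: (?P<status>\d{3}.*)$')

AUTHN_PATH = "/api/v1/authn"   # Okta primary-authentication endpoint


@dataclass
class Step:
    ts: str
    method: str
    url: str
    status: Optional[str] = None   # "200 OK", "401 Unauthorized", or None if never answered


def parse_steps(log: str) -> List[Step]:
    """Pair every 'HTTP Req' line with the response (or error line) that follows it."""
    steps: List[Step] = []
    open_req: Optional[Step] = None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            fm = FAIL_RE.match(line)
            if fm and open_req is not None and open_req.url == fm.group("url"):
                open_req.status = fm.group("status")
                open_req = None
            continue
        msg = m.group("msg").strip('"')
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        if msg == "HTTP Req":
            open_req = Step(m.group("ts"), fields["method"], fields["URL"])
            steps.append(open_req)
        elif msg == "HTTP Res" and open_req is not None:
            open_req.status = fields["Status"]
            open_req = None
    return steps


def _path(url: str) -> str:
    return url.split("?", 1)[0]


def diagnose(steps: List[Step]) -> Dict[str, object]:
    """Find the first non-2xx step and flag the 'repeated primary auth' pattern:
    a second POST to /api/v1/authn issued after the app's /sso/saml page was fetched."""
    failed_idx = next((i for i, s in enumerate(steps)
                       if s.status is not None and not s.status.startswith("2")), None)
    if failed_idx is None:
        return {"ok": True}
    failed = steps[failed_idx]
    before = steps[:failed_idx]
    earlier_authn = any(s.method == "POST" and _path(s.url).endswith(AUTHN_PATH) for s in before)
    sso_fetched = any(s.method == "GET" and _path(s.url).endswith("/sso/saml") for s in before)
    repeated = _path(failed.url).endswith(AUTHN_PATH) and earlier_authn and sso_fetched
    return {
        "ok": False,
        "failed_index": failed_idx,
        "failed_url": failed.url,
        "status": failed.status,
        "previous_url": before[-1].url if before else None,
        "repeated_primary_auth": repeated,
    }


def explain(result: Dict[str, object]) -> str:
    """One-line reading of the diagnosis for the person looking at the log."""
    if result["ok"]:
        return "all HTTP steps returned 2xx"
    if result["repeated_primary_auth"]:
        return ("credentials and MFA were accepted earlier; the app SSO page did not complete "
                "the SAML flow and a second primary auth was rejected. Check the sign-on/MFA "
                "policy applied to this client (OS/device conditions), not the password.")
    return f"step {result['failed_index']} ({result['failed_url']}) failed with {result['status']}"


if __name__ == "__main__":
    parsed = parse_steps(SAMPLE_LOG)
    for i, s in enumerate(parsed):
        print(f"{i}: {s.method} {_path(s.url)} -> {s.status}")
    print(explain(diagnose(parsed)))
```

Feed it the real log (`saml2aws login --verbose 2>&1 | python triage.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and compare the Mac and Windows runs side by side: if both reach the `/sso/saml` GET with 200 and only one then issues the extra `/api/v1/authn` POST, the difference is in how the IdP's policy treats that client, which is exactly what the linked issue found.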