
TristanS.20105 (Customer) asked a question.
Hello, we formerly used a different IdP and were successful in utilizing the CLI tool "saml2aws" for terminal access to AWS resources. Note this is not IAM Identity Center (formerly AWS SSO), but rather regular federation via SAML into an IAM role. The saml2aws app would always prompt for MFA when federating into an IAM role.
https://github.com/Versent/saml2aws
Now we are trying to reproduce this functionality on Okta. Saml2aws supports Okta as an option when configuring the tool, but it seems as though authentication is never successful when the app policy requires MFA. The error message is as follows:
Error authenticating to IdP.: error retrieving auth response: request for url: https://{org}.okta.com/api/v1/authn failed status: 401 Unauthorized
Only when the policy is "password only" does the federation complete.
I opened this issue on the app's github page to ask the same question: https://github.com/Versent/saml2aws/issues/1149
Has anybody successfully been able to utilize saml2aws and require MFA every time when federating into an IAM role? Alternatively, are there any other CLI tools (macOS Terminal and Windows PowerShell compatible) that accomplish this easily?
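The 401 quoted above comes from Okta's primary-authentication endpoint, which is the step that happens before any MFA challenge: when MFA is required, that endpoint answers 200 with a transaction state of MFA_REQUIRED rather than 401. The following triage helper, added here as an illustration and not part of saml2aws or the original post, classifies the three response shapes from constructed sample bodies so the failing stage is obvious when reading saml2aws's verbose output or a captured request.

```python
import json

# Constructed sample responses modelled on the shapes Okta's
# POST /api/v1/authn returns; these are illustrations, not captured traffic.
SAMPLE_401 = (401, json.dumps({
    "errorCode": "E0000004",
    "errorSummary": "Authentication failed",
    "errorCauses": [],
}))
SAMPLE_MFA = (200, json.dumps({
    "status": "MFA_REQUIRED",
    "stateToken": "constructed-state-token",
    "_embedded": {"factors": [
        {"id": "f1", "factorType": "push", "provider": "OKTA"},
        {"id": "f2", "factorType": "token:software:totp", "provider": "GOOGLE"},
    ]},
}))
SAMPLE_OK = (200, json.dumps({
    "status": "SUCCESS",
    "sessionToken": "constructed-session-token",
}))


def triage_authn(status_code, body):
    """Classify a primary-auth response so the failing stage is explicit."""
    data = json.loads(body)
    if status_code == 401:
        # Primary authentication was refused outright; no MFA challenge
        # was issued, so the MFA step is not where this attempt failed.
        return {"stage": "primary_auth_rejected",
                "error_code": data.get("errorCode"),
                "summary": data.get("errorSummary")}
    if status_code != 200:
        return {"stage": "unexpected_http_status", "http_status": status_code}
    status = data.get("status")
    if status == "MFA_REQUIRED":
        # Credentials were accepted; the client must now verify a factor
        # using the stateToken before a sessionToken is issued.
        factors = data.get("_embedded", {}).get("factors", [])
        return {"stage": "mfa_challenge",
                "has_state_token": bool(data.get("stateToken")),
                "factors": [f"{f['provider']}:{f['factorType']}" for f in factors]}
    if status == "SUCCESS":
        # Password-only policy: a sessionToken is returned immediately.
        return {"stage": "session_established",
                "has_session_token": bool(data.get("sessionToken"))}
    return {"stage": "other_transaction_state", "status": status}
```

Feed the status code and body from a verbose saml2aws run (or the Okta System Log entry for the same attempt) into `triage_authn` to see which stage rejected the login.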

Hi, @TristanS.20105 (Customer)
Thank you for posting on our Community page!
Here are some useful articles on your use case:
https://devforum.okta.com/t/okta-access-token-using-token-endpoint-url-returns-http-401-error/18033/4
https://github.com/Versent/saml2aws/issues/805
Thank you for reaching out to our Community and have a great day!