AzureAD: unable to locate SAMLRequest URL, error authenticating to IdP #628
Comments
We are also experiencing this at my company. |
same issue in 2.28.4, however, 2.27.1 works for me, you can have a try |
This is what I get running
|
I'm getting this issue too. saml2aws errors out after hitting https://login.microsoftonline.com:443/common/DeviceAuthTls/reprocess same as #628 (comment) Going by #569 (comment), the
|
Hi, We are facing the exact same issue. In our case the error is linked to our Conditional MFA policy: I agree with @lincheney, this seems to be a regression bug added in version 2.28.0.
|
@rprieto Nice catch! Found this in the Sign-Ins log:
|
Tried to disable KMSI, but that made no difference at all. The error, as far as I can tell, is occurring in this function: saml2aws/pkg/provider/aad/aad.go Lines 974 to 986 in beaaece
My guess is that it is trying to find the part in bold which is the SAML Request URL Sys.Application.add_load( function() { Microsoft.Online.BOX.JS.Shared.CacheContentFile('https://account.activedirectory.windowsazure.com/1.0.0.3740/Unknown/en-US/WebControls/JS/PageLayout.js'); } );Sys.Application.add_load( function() { Microsoft.Online.BOX.JS.Shared.CacheContentFile('https://account.activedirectory.windowsazure.com/1.0.0.3740/Unknown/en-US/Shell/JS/Shell.js'); } );window.location = 'https://X-XXXXXXXXXXX.awsapps.com/start';Sys.Application.add_load( function() { Microsoft.Online.BOX.JS.Shared.CacheContentFile('https://account.activedirectory.windowsazure.com/1.0.0.3740/Unknown/en-US/WebControls/JS/Button.js'); } );$addHandler(window.document.documentElement, 'mouseup', Button.MouseUp); Sys.Application.add_init(Button.ResizeButtons);var DialogManager = new BOX.JS.DialogManager(); This however results in new errors further down the line if I just write it explicitly:
In the browser it would yield this result, which allows fetching the keys. I assume saml2aws does the same thing: |
Hi. We might be having different issues. For us, the 2.28.0 issue doesn't seem related to KMSI, since the crash happens before MFA. Since 2.28.0, it crashes as soon as we enable the conditional device state check (and works again when we disable the check, i.e. always require MFA). |
Perhaps, I've tried device state on my end, on both 2.27.1 and 2.30.0 with the same result. So we seem to hit different road blocks 😄
|
The primary issue is that saml2aws is unable to acquire the SAMLRequestURL. Circumventing that by hardcoding it to saml2aws/pkg/provider/aad/aad.go Lines 1084 to 1105 in beaaece
Not sure what's happening here, saml2aws tries to find a form in this document?

```html
<!DOCTYPE html>
<html>
<head>
<base href="/start" />
<title>Your applications</title>
<link href="https://d250zetdqyq0c4.cloudfront.net/assets/Prod/eu-west-1/007be21c04ea87207820a84317c029b6/main.css"
rel="stylesheet">
<link rel="shortcut icon"
href="https://d250zetdqyq0c4.cloudfront.net/assets/Prod/eu-west-1/007be21c04ea87207820a84317c029b6/favicon.ico">
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="region" content="eu-west-1" />
<meta name="stage" content="Prod" />
</head>
<body>
<app></app>
<script type="application/javascript"
src="https://d250zetdqyq0c4.cloudfront.net/assets/Prod/eu-west-1/007be21c04ea87207820a84317c029b6/polyfills.js"></script>
<script type="application/javascript"
src="https://d250zetdqyq0c4.cloudfront.net/assets/Prod/eu-west-1/007be21c04ea87207820a84317c029b6/vendor.js"></script>
<script type="application/javascript"
src="https://d250zetdqyq0c4.cloudfront.net/assets/Prod/eu-west-1/007be21c04ea87207820a84317c029b6/main.js"></script>
</body>
</html>
```

Looking through the page in the browser there's no form as far as I can see. The |
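The two comments above describe the same failure from two sides: the Azure AD page hands control onward only through a `window.location = '...'` assignment, and the AWS SSO landing page it points at is a single-page app with no form at all, so a parser that expects a SAML form finds nothing and fails with an unhelpful error. The following is an added example, not saml2aws code, of how such a page can be classified before giving up, so that the debug log says what the page actually was. `NextHop`, `PageKind`, `ErrNoNextHop` and the three sample bodies are assumptions constructed for this illustration (the samples are modelled on the pages quoted in the thread; `idp.example` is a placeholder host).

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample, modelled on the Azure AD page quoted above: the only way
// forward is a JavaScript window.location assignment, not a SAML form.
const sampleAADPage = `Sys.Application.add_load( function() { Microsoft.Online.BOX.JS.Shared.CacheContentFile('https://account.activedirectory.windowsazure.com/1.0.0.3740/Unknown/en-US/Shell/JS/Shell.js'); } );window.location = 'https://X-XXXXXXXXXXX.awsapps.com/start';var DialogManager = new BOX.JS.DialogManager();`

// Constructed sample, modelled on the AWS SSO landing page quoted above: a
// single-page app whose HTML carries no form at all.
const sampleSSOPage = `<!DOCTYPE html><html><head><base href="/start" /><title>Your applications</title></head><body><app></app><script type="application/javascript" src="main.js"></script></body></html>`

// Constructed sample of the page the flow expects: an auto-submitting SAML
// form. idp.example is a placeholder host, not a real endpoint.
const sampleSAMLFormPage = `<html><body><form method="post" action="https://idp.example/saml2/sso" id="f"><input type="hidden" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmVxdWVzdA=="/><input type="hidden" name="RelayState" value="r"/></form><script>document.forms[0].submit()</script></body></html>`

// PageKind says what a response body can lead to next.
type PageKind int

const (
	SAMLForm   PageKind = iota // a form carrying a SAMLRequest field is present
	JSRedirect                 // only a JavaScript window.location assignment is present
	NoNextHop                  // neither: e.g. a single-page app that loads everything via scripts
)

func (k PageKind) String() string {
	switch k {
	case SAMLForm:
		return "saml-form"
	case JSRedirect:
		return "js-redirect"
	default:
		return "no-next-hop"
	}
}

var (
	// Matches window.location = '...' as it appears in the Azure AD page.
	windowLocationRe = regexp.MustCompile(`window\.location\s*=\s*'([^']+)'`)
	// Matches a form that contains a SAMLRequest field, capturing its action URL.
	samlFormRe = regexp.MustCompile(`(?is)<form[^>]*\baction="([^"]+)"[^>]*>.*?name="SAMLRequest".*?</form>`)
)

// ErrNoNextHop is returned when a body offers neither a SAML form nor a redirect.
var ErrNoNextHop = errors.New("no SAML form and no JavaScript redirect found in page")

// NextHop classifies a page body and returns the URL the flow should continue at.
// A SAML form wins over a JavaScript redirect when both are present.
func NextHop(body string) (PageKind, string, error) {
	if m := samlFormRe.FindStringSubmatch(body); m != nil {
		return SAMLForm, m[1], nil
	}
	if m := windowLocationRe.FindStringSubmatch(body); m != nil {
		return JSRedirect, m[1], nil
	}
	// Say what the page actually is, so a debug log is actionable without
	// pasting the whole body (which may contain session material).
	hint := "no <form> element"
	if strings.Contains(body, "<form") {
		hint = "a <form> without a SAMLRequest field"
	}
	return NoNextHop, "", fmt.Errorf("%w (%s)", ErrNoNextHop, hint)
}

func main() {
	samples := map[string]string{
		"azure-ad": sampleAADPage,
		"aws-sso":  sampleSSOPage,
		"saml":     sampleSAMLFormPage,
	}
	for name, body := range samples {
		kind, next, err := NextHop(body)
		fmt.Printf("%-9s kind=%s next=%q err=%v\n", name, kind, next, err)
	}
}
```

Run as is, the Azure AD sample classifies as a JavaScript redirect to the awsapps.com start URL, the SAML sample yields the form's action URL, and the AWS SSO sample fails with `ErrNoNextHop` plus the hint that there is no form at all, which is the distinction the thread had to work out by hand.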
@eliasericsson could you please try my patch and let me know if it works for you #684 ? |
Hi @eliasericsson , have you had a chance to try my patched version #684 ? |
Tested it and commented on the PR
Thanks,
Elias
… On 2 July 2021 at 21:15, Ricardo Rosales ***@***.*** wrote:
Hi @eliasericsson , have you had a chance to try my patched version #684 ?
|
@eliasericsson can this be closed now that |
For my personal use case this is no longer an issue.
On Wed 7 July 2021 at 16:55, Ricardo Rosales ***@***.*** wrote:
@eliasericsson <https://github.com/eliasericsson> can this be closed now
that awscli SSO worked?
|
@eliasericsson : it still doesn't work for me saml2aws --version logs: DEBU[0000] building provider command=login idpAccount="account {\n AppID: cb7ac32d-cdab-4986-89ce-0c93ce122a47\n URL: https://account.activedirectory.windowsazure.com\n Username: michael.fi@bw-robotics.com\n Provider: AzureAD\n MFA: Auto\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 3600\n Profile: default\n RoleARN: \n Region: us-east-1\n}" |
@mifitous this should work for you #684 (comment) |
I'm still running into this issue:
|
Ohh I see I was using a version without your fix merged in :( |
@caal-15 not quite, since you are using AWS SSO you may need the below:
|
@missingcharacter - i have a use case where saml2aws functioning for AzureAD (idp) and Amazon SSO (sp) would be useful - we have a mixed environment where some AWS accounts use AWS SSO, and other accounts in AWS GovCloud cannot use AWS SSO because it is not supported in GovCloud. There we are using the traditional AWS SAML 2.0 login scheme with AzureAD as the IDP. If saml2aws could support both then we could have a single CLI login experience for users and it would be very helpful! |
Hello DEBU[0002] building provider command=login idpAccount="account {\n AppID: b9364e2e-588b-4b2d-957d-908bd9746332\n URL: https://account.activedirectory.windowsazure.com\n Username: assaff@2bcloud.io\n Provider: AzureAD\n MFA: Auto\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 3600\n Profile: saml\n RoleARN: \n Region: \n}" |
@aflatto have you solved this problem? |
I'm getting the same error with 2.36
|
The error : Which means I would start by confirming you actually get |
Sorry I'm not quite sure how to do that. I see I could add print statements into the snippets linked, but I don't find those go files in my local library. I seem to have the executable on my path, which I assume has been pre-built by brew? What would be the mechanism to test? Do I clone git and run from the repo to get the debug statements? |
short answer: yes
You can start with
NOTE: Be careful, do not share sensitive information here
NOTE2: Confirm you can actually login to AWS using SAML on a browser, see more details https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/aws-multi-accounts-tutorial#test-sso |
Hi, I am receiving the same error on version
Installed using |
@keshavrathi01 Could you do what was asked in prior comments? |
Hi, I had enabled verbose logs and found the following error after 2FA from the app:
I am able to access the AWS console and all its functionalities from the console but not CLI |
@keshavrathi01 that looks pretty similar to what @aflatto and @unlimitedsaml shared, could you please read #628 (comment) and start from there |
@keshavrathi01 also check #628 (comment) |
@missingcharacter How can I verify #628 (comment) ? I don't see Also, today I updated my
|
@keshavrathi01 yes, you'd need the source code |
A colleague of mine saw this issue on 2.36.0, but when upgrading to 2.36.9 it was fixed. |
For me it looks like it's missing some of the last redirects, because if I'm using the browser it would do a few more redirects after the https://mycompany-onmicrosoft-com.access.mcas.ms/aad_login and eventually succeed.
For comparison, here is the browser version of the same auth with saml2aws: |
Configured according to this documentation: aad
I'm trying to authenticate with saml2aws to AzureAD -> AWS SSO. saml2aws reports that authentication to the identity provider fails, however in Azure AD the login attempts are all successful.
Running Ubuntu 20.04 (WSL2)
Very thankful for any help or suggestions!