[aad] Adding support for conditional MFA #684
Conversation
Getting the following error when running:
Not sure if it is relevant, but perhaps you would like to know. |
@eliasericsson I believe these IPs are private https://www.rfc-editor.org/rfc/rfc1918.txt
Are you behind a proxy? I'm asking because the error seems to be coming at the beginning of the |
Nope, not on any VPN. I'm on Ubuntu 20.04.2 LTS through WSL2 (Windows Subsystem for Linux). Could that be an issue? |
@eliasericsson WSL2 configuration could be the culprit, I see port Please try running each of these:
to see if you get different results Note: if you don't have
|
Looks very similar to me
❯ nslookup account.activedirectory.windowsazure.com
Server: 172.17.160.1
Address: 172.17.160.1#53
Non-authoritative answer:
account.activedirectory.windowsazure.com canonical name = na.privatelink.msidentity.com.
na.privatelink.msidentity.com canonical name = prdf.aadg.msidentity.com.
prdf.aadg.msidentity.com canonical name = www.tm.f.prd.aadg.akadns.net.
Name: www.tm.f.prd.aadg.akadns.net
Address: 40.126.32.70
Name: www.tm.f.prd.aadg.akadns.net
Address: 20.190.160.66
Name: www.tm.f.prd.aadg.akadns.net
Address: 20.190.160.65
Name: www.tm.f.prd.aadg.akadns.net
Address: 40.126.32.2
❯ nslookup account.activedirectory.windowsazure.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
account.activedirectory.windowsazure.com canonical name = na.privatelink.msidentity.com.
na.privatelink.msidentity.com canonical name = prdf.aadg.msidentity.com.
prdf.aadg.msidentity.com canonical name = www.tm.f.prd.aadg.akadns.net.
Name: www.tm.f.prd.aadg.akadns.net
Address: 40.126.32.2
Name: www.tm.f.prd.aadg.akadns.net
Address: 20.190.160.66
Name: www.tm.f.prd.aadg.akadns.net
Address: 20.190.160.65
Name: www.tm.f.prd.aadg.akadns.net
Address: 40.126.32.70 |
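The two checks the thread is doing by hand above (is the resolver address an RFC 1918 private address, and do the local resolver and 8.8.8.8 return the same answers for the endpoint) can be automated. The following is an added example written for this page, not code from saml2aws or from either participant; it parses nslookup output of the shape shown above (the two sample outputs are constructed here from the comment and embedded inline) and reports whether the answer sets differ, which is the signal that a proxy or WSL2 resolver configuration is interfering.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
)

// rfc1918Nets holds the three private IPv4 ranges defined in RFC 1918.
var rfc1918Nets = func() []*net.IPNet {
	var nets []*net.IPNet
	for _, cidr := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}()

// IsRFC1918 reports whether s is an IPv4 address inside a private range.
// Non-IPv4 input (garbage, IPv6) is reported as not private.
func IsRFC1918(s string) bool {
	ip := net.ParseIP(s)
	if ip == nil || ip.To4() == nil {
		return false
	}
	for _, n := range rfc1918Nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ParseNslookup extracts the answer addresses from nslookup output.
// The "Address:" line that names the resolver itself carries a "#53" port
// suffix and is skipped, so only the A records are returned, sorted.
func ParseNslookup(out string) []string {
	var addrs []string
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "Address:") {
			continue
		}
		v := strings.TrimSpace(strings.TrimPrefix(line, "Address:"))
		if strings.Contains(v, "#") { // resolver line such as "172.17.160.1#53"
			continue
		}
		if net.ParseIP(v) != nil {
			addrs = append(addrs, v)
		}
	}
	sort.Strings(addrs)
	return addrs
}

// SameAnswers reports whether two nslookup outputs resolved to the same
// set of addresses; a mismatch points at the local resolver, not the client.
func SameAnswers(a, b string) bool {
	x, y := ParseNslookup(a), ParseNslookup(b)
	if len(x) != len(y) {
		return false
	}
	for i := range x {
		if x[i] != y[i] {
			return false
		}
	}
	return true
}

// Constructed sample outputs, transcribed from the comment above.
const localOut = `Server: 172.17.160.1
Address: 172.17.160.1#53
Non-authoritative answer:
Name: www.tm.f.prd.aadg.akadns.net
Address: 40.126.32.70
Name: www.tm.f.prd.aadg.akadns.net
Address: 20.190.160.66
Name: www.tm.f.prd.aadg.akadns.net
Address: 20.190.160.65
Name: www.tm.f.prd.aadg.akadns.net
Address: 40.126.32.2
`

const publicOut = `Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: www.tm.f.prd.aadg.akadns.net
Address: 40.126.32.2
Name: www.tm.f.prd.aadg.akadns.net
Address: 20.190.160.66
Name: www.tm.f.prd.aadg.akadns.net
Address: 20.190.160.65
Name: www.tm.f.prd.aadg.akadns.net
Address: 40.126.32.70
`

func main() {
	fmt.Println("local resolver 172.17.160.1 is RFC1918:", IsRFC1918("172.17.160.1"))
	fmt.Println("answers:", ParseNslookup(localOut))
	fmt.Println("local and 8.8.8.8 agree:", SameAnswers(localOut, publicOut))
}
```

In the thread's case the two answer sets are identical (only ordering differs), so the resolver is not the problem, which is consistent with the later finding that the failure was intermittent and unrelated to DNS.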
@eliasericsson if you try running |
First error occurs on line 787 due to |
Different error, yes. Guessing the previous error was intermittent. |
@eliasericsson that's weird, your SAMLRequestURL should be something like You can see your |
Well, writing out the oidcResponse to a file and grep'ing it shows no "SAMLRequest=" at all. So I cannot construct the URL above. I know the tenant ID, but not the SAMLRequestValue. |
@eliasericsson I'm starting to think our problems are different since you are going from Azure AD -> AWS SSO described:
While I am going from Azure AD -> IAM SAML provider |
Yep, that seems to be it! |
@eliasericsson As far as I know (which is not a lot), you should be able to use |
@eliasericsson please, let me know if |
@wolfeidau is there something I should add/modify in this PR to facilitate being merged? |
@missingcharacter yes |
Trying to close #628
I tested locally and it works for me (user with conditional MFA) and a co-worker (user without conditional MFA)
The biggest changes are:
processAuth
.processAuth
twice, after each time mfa was skipped