
[aad] Adding support for conditional MFA #684

Merged
merged 2 commits into from
Jul 17, 2021

Conversation

missingcharacter
Contributor

@missingcharacter missingcharacter commented Jun 30, 2021

Trying to close #628
I tested locally and it works for me (user with conditional MFA) and for a co-worker (user without conditional MFA).

The biggest changes are:

  1. Extracted MFA logic into its own function called processAuth.
  2. Now we call processAuth twice, after each time MFA was skipped.

@eliasericsson

Getting the following error when running:

error authenticating to IdP: error retrieving form: Get "https://account.activedirectory.windowsazure.com/applications/redirecttofederatedapplication.aspx?Operation=LinkedSignIn&applicationId=********-****-****-****-************": dial tcp: lookup account.activedirectory.windowsazure.com on 172.17.160.1:53: read udp 172.17.175.179:57299->172.17.160.1:53: i/o timeout

Not sure if it is relevant, but perhaps you would like to know.

@missingcharacter
Contributor Author

missingcharacter commented Jul 6, 2021

@eliasericsson I believe these IPs are private (https://www.rfc-editor.org/rfc/rfc1918.txt):

  • 172.17.160.1
  • 172.17.175.179
  • 172.17.160.1

Are you behind a proxy?
On a VPN?
Office Network?
or something like that?

I'm asking because the error seems to be coming at the beginning of the Authenticate function.
(screenshot attached)

@eliasericsson

Nope, not on any VPN.

I'm on Ubuntu 20.04.2 LTS through WSL2 (Windows Subsystem for Linux). Could that be an issue?

@missingcharacter
Contributor Author

missingcharacter commented Jul 6, 2021

@eliasericsson WSL2 configuration could be the culprit. I see port 53 a couple of times here: 172.17.160.1:53: read udp 172.17.175.179:57299->172.17.160.1:53: i/o timeout. It could be that DNS within WSL2 is not getting a result for account.activedirectory.windowsazure.com.

Please try running each of these:

  • nslookup account.activedirectory.windowsazure.com
  • nslookup account.activedirectory.windowsazure.com 8.8.8.8

to see if you get different results.

Note: if you don't have nslookup installed you can also use:

  • dig +short account.activedirectory.windowsazure.com
  • dig +short account.activedirectory.windowsazure.com @8.8.8.8

@eliasericsson

Looks very similar to me

❯ nslookup account.activedirectory.windowsazure.com
Server:         172.17.160.1
Address:        172.17.160.1#53

Non-authoritative answer:
account.activedirectory.windowsazure.com        canonical name = na.privatelink.msidentity.com.
na.privatelink.msidentity.com   canonical name = prdf.aadg.msidentity.com.
prdf.aadg.msidentity.com        canonical name = www.tm.f.prd.aadg.akadns.net.
Name:   www.tm.f.prd.aadg.akadns.net
Address: 40.126.32.70
Name:   www.tm.f.prd.aadg.akadns.net
Address: 20.190.160.66
Name:   www.tm.f.prd.aadg.akadns.net
Address: 20.190.160.65
Name:   www.tm.f.prd.aadg.akadns.net
Address: 40.126.32.2


❯ nslookup account.activedirectory.windowsazure.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
account.activedirectory.windowsazure.com        canonical name = na.privatelink.msidentity.com.
na.privatelink.msidentity.com   canonical name = prdf.aadg.msidentity.com.
prdf.aadg.msidentity.com        canonical name = www.tm.f.prd.aadg.akadns.net.
Name:   www.tm.f.prd.aadg.akadns.net
Address: 40.126.32.2
Name:   www.tm.f.prd.aadg.akadns.net
Address: 20.190.160.66
Name:   www.tm.f.prd.aadg.akadns.net
Address: 20.190.160.65
Name:   www.tm.f.prd.aadg.akadns.net
Address: 40.126.32.70

@missingcharacter
Contributor Author

@eliasericsson if you try running saml2aws again, do you get the same error?

@eliasericsson

The first error occurs on line 787 due to SAMLRequestURL == "", but after bypassing that by setting SAMLRequestURL = "https://*-**********.awsapps.com/start" I still get an error on line 748 due to authSubmitURL == "".

@eliasericsson

Different error, yes. Guessing the previous error was intermittent.

@missingcharacter
Contributor Author

missingcharacter commented Jul 6, 2021

@eliasericsson that's weird, your SAMLRequestURL should be something like https://login.microsoftonline.com/<Directory (Tenant) ID>/saml2?SAMLRequest=<SAMLRequestValue>.

You can see your Directory (tenant) ID in Azure AD -> Enterprise applications -> Amazon Web Services, or whatever name you gave to this Azure App.
(screenshot attached)

@eliasericsson

Well, writing out the oidcResponse to a file and grep'ing it shows no "SAMLRequest=" at all.

So I cannot construct the URL above. I know the tenant ID, but not the SAMLRequestValue.

@missingcharacter
Contributor Author

@eliasericsson SAMLRequestValue is generated by the identity provider (Azure AD in this case) for this request and it is short-lived.

I'm starting to think our problems are different since you are going from Azure AD -> AWS SSO described:

While I am going from Azure AD -> IAM SAML provider https://signin.aws.amazon.com/saml as described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html
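The two flows being contrasted here leave different fingerprints in the URL saml2aws is handed: the IAM SAML provider path goes through https://login.microsoftonline.com/<tenant ID>/saml2?SAMLRequest=... with an AuthnRequest whose AssertionConsumerServiceURL is https://signin.aws.amazon.com/saml, while the AWS SSO path starts at an awsapps.com/start page and carries no SAMLRequest at all. The Go program below is an added example, not saml2aws code: it applies the SAML HTTP-Redirect binding encoding (raw DEFLATE, then base64, then URL-encoding) to a constructed AuthnRequest, and classifies a captured URL by decoding that parameter. The flow labels, function names, the all-zero tenant GUID and the d-0000000000.awsapps.com host are placeholders I made up.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/url"
	"regexp"
	"strings"
)

// Hypothetical labels for the federation paths discussed in the thread.
const (
	FlowIAMSAML = "iam-saml-provider" // Azure AD -> https://signin.aws.amazon.com/saml
	FlowAWSSSO  = "aws-sso"           // Azure AD -> AWS SSO start page on awsapps.com
	FlowOther   = "other-saml-sp"     // Azure AD SAML request for some other service provider
)

// SampleAuthnRequest is a constructed AuthnRequest whose ACS URL is the AWS IAM SAML endpoint.
const SampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-example" Version="2.0" IssueInstant="2021-07-01T00:00:00Z" AssertionConsumerServiceURL="https://signin.aws.amazon.com/saml"><saml:Issuer>urn:amazon:webservices</saml:Issuer></samlp:AuthnRequest>`

// authnRequest captures only the attribute needed for classification.
type authnRequest struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ACSURL  string   `xml:"AssertionConsumerServiceURL,attr"`
}

// tenantPath matches /<Directory (tenant) ID>/saml2, where the ID is a GUID.
var tenantPath = regexp.MustCompile(`^/([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})/saml2$`)

// BuildRedirectURL applies the HTTP-Redirect binding encoding (raw DEFLATE,
// base64, URL-encode) and places the result on the Azure AD saml2 endpoint.
func BuildRedirectURL(tenantID, authnRequestXML string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(authnRequestXML)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	q := url.Values{"SAMLRequest": {base64.StdEncoding.EncodeToString(buf.Bytes())}}
	return fmt.Sprintf("https://login.microsoftonline.com/%s/saml2?%s", tenantID, q.Encode()), nil
}

// decodeSAMLRequest reverses that encoding, capping the inflated size at 1 MiB so
// a hostile parameter cannot expand into an unbounded buffer.
func decodeSAMLRequest(param string) (*authnRequest, error) {
	raw, err := base64.StdEncoding.DecodeString(param)
	if err != nil {
		return nil, fmt.Errorf("SAMLRequest is not valid base64: %w", err)
	}
	xmlBytes, err := io.ReadAll(io.LimitReader(flate.NewReader(bytes.NewReader(raw)), 1<<20))
	if err != nil {
		return nil, fmt.Errorf("SAMLRequest did not inflate: %w", err)
	}
	var req authnRequest
	if err := xml.Unmarshal(xmlBytes, &req); err != nil {
		return nil, fmt.Errorf("SAMLRequest is not an AuthnRequest: %w", err)
	}
	return &req, nil
}

// ClassifyFlow reports which federation path a captured URL belongs to and, for an
// Azure AD SAML request, the tenant ID and AssertionConsumerServiceURL it carries.
func ClassifyFlow(rawURL string) (flow, tenantID, acsURL string, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", "", err
	}
	host := u.Hostname()
	switch {
	case (host == "awsapps.com" || strings.HasSuffix(host, ".awsapps.com")) && strings.HasPrefix(u.Path, "/start"):
		return FlowAWSSSO, "", "", nil // AWS SSO path: no SAMLRequest parameter to inspect
	case host == "login.microsoftonline.com":
		m := tenantPath.FindStringSubmatch(u.Path)
		if m == nil {
			return "", "", "", errors.New("path is not /<tenant GUID>/saml2")
		}
		param := u.Query().Get("SAMLRequest")
		if param == "" {
			return "", "", "", errors.New("SAMLRequest parameter is missing")
		}
		req, derr := decodeSAMLRequest(param)
		if derr != nil {
			return "", "", "", derr
		}
		if req.ACSURL == "https://signin.aws.amazon.com/saml" {
			return FlowIAMSAML, m[1], req.ACSURL, nil
		}
		return FlowOther, m[1], req.ACSURL, nil
	}
	return "", "", "", fmt.Errorf("unrecognized federation host %q", host)
}

func main() {
	u, err := BuildRedirectURL("00000000-0000-0000-0000-000000000000", SampleAuthnRequest) // placeholder tenant ID
	if err != nil {
		panic(err)
	}
	for _, c := range []string{u, "https://d-0000000000.awsapps.com/start"} { // second URL is constructed
		flow, tenant, acs, cerr := ClassifyFlow(c)
		fmt.Printf("flow=%s tenant=%s acs=%s err=%v\n", flow, tenant, acs, cerr)
	}
}
```

A quick classification like this, run on the URL a failing client actually received, would have separated the two reporters' cases before any line-number debugging started: an awsapps.com/start URL can never yield a SAMLRequest value, so "unable to locate SAMLRequest URL" is the expected outcome for that flow rather than a conditional-MFA bug.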

@eliasericsson

Yep, that seems to be it!

@missingcharacter
Contributor Author

@eliasericsson please let me know if awscli worked for you.

@missingcharacter
Contributor Author

@wolfeidau is there something I should add/modify in this PR to facilitate being merged?

@eliasericsson

@missingcharacter yes awscli sso worked fine!

@wolfeidau wolfeidau merged commit f24835f into Versent:master Jul 17, 2021
@missingcharacter missingcharacter deleted the aad-conditional-MFA branch July 17, 2021 13:01
JohnPaton added a commit to JohnPaton/saml2aws that referenced this pull request Sep 26, 2022
Development

Successfully merging this pull request may close these issues.

AzureAD: unable to locate SAMLRequest URL, error authenticating to IdP
3 participants