
Auth and/or connectivity problems with ADFS 2016? #116

Open
synergiator opened this issue Feb 15, 2019 · 15 comments
Labels
question waiting Waiting for answer

Comments

@synergiator commented Feb 15, 2019

With the latest version of aws-adfs, 1.12.3, and ADFS2016, I get the following output.

(enter credentials)

2019-02-15 13:57:41,649 [authenticator authenticator.py:authenticate] [16078-MainProcess] [140431552173888-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?

This account does not have access to any roles

On the server side, there are no logs; "normal" UI account login works well and displays the available AWS roles.

Is it possible to enable a verbose debug mode for aws-adfs to better understand what's exactly happening here?

@Injineers commented

I have a similar issue, but using ADFS 3.0 (2012 r2)

I know you can run aws-adfs -v followed by the rest of your switches.

The -v should enable verbose output.

@Injineers commented

> With the latest version of aws-adfs, 1.12.3, and ADFS2016, I get the following output.
>
> (enter credentials)
>
> 2019-02-15 13:57:41,649 [authenticator authenticator.py:authenticate] [16078-MainProcess] [140431552173888-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
>
> This account does not have access to any roles
>
> On the server side, there are no logs; "normal" UI account login works well and displays the available AWS roles.
>
> Is it possible to enable a verbose debug mode for aws-adfs to better understand what's exactly happening here?

Also I wanted to ask you 2 things:

  1. Do you currently have MFA required on the relying party for AWS?
     I have / had it (w/ MFA) working with the browser but decided to remove that variable from the mix as I tested this out, & part of me wonders if me not requiring MFA, but aws-adfs IS expecting some form of MFA, is causing my issue... (not sure)

  2. How are you connecting your ADFS to AWS?
     Are you running regex claim rules that match AD groups to AWS accounts/roles as mentioned on:
     https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/

@torric1 commented Aug 6, 2019

I'm experiencing the same issues - I have RSA linked to ADFS servers. If I do not force MFA I can log in successfully. If I enable MFA I get the error "cannot extract saml assertion, re-authentication needed". It doesn't seem to be triggering or scraping the RSA authentication module.

I ran the command aws-adfs -v login --adfs-host= --role-arn

Any help would be appreciated

@torric1 commented Aug 6, 2019

Verbose logs, with personal data removed.

aws-adfslog.txt

@kfattig (Contributor) commented Aug 6, 2019

@torric1 Try adding '--no-sspi'. A recent change to this option caused a change in the User-Agent header.

I should have a fix for this in the coming days.

@torric1 commented Aug 7, 2019

Thanks for the response. Doesn't work with '--no-sspi' unfortunately.

@scumola commented Aug 19, 2019

I'm also having the same issue. --no-sspi doesn't help. Tried with versions 1.16.0 and 1.17.0. Also tried clearing profiles and cookies. Still doesn't work. Web GUI works fine. MFA w/ RSA is enabled on the ADFS server.

@torric1 commented Sep 9, 2019

A smart AWS consultant fixed this for me: https://github.com/torric1/AWSCLI-MFA-RSAv2/blob/master/ros_aws-cli-py3-adfs3-mfa-securID.txt

@lmayorga1980 commented

@torric1 I have the same issue with AzureMFA Authentication. I will try your referenced script and tweak it to see if it works.

@torric1 commented Oct 10, 2019

This is not for Azure MFA, it's for RSAv2. I used this for AzureMFA: https://medium.com/dtlpub/aws-adding-azure-ad-sso-including-aws-cli-797a537ce038

@lmayorga1980 commented

@torric1 I thought the script is the same and the only thing it changes is the headers that set the AzureMFA Authentication.

@praveenraghav01 commented

I am facing the same issue while using ADFS with DUO. Any fix to this?

@lmayorga1980 commented

@praveenraghav01 I have a fix on my fork but I think I broke sspi. However, I believe the solution in my case is that our ADFS servers were providing 3 HTML radio buttons to select the MFA type and I had to add those to the context.
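The failure mode described in this thread (the original "Cannot extract saml assertion" error, and the later finding that the ADFS server interposes a page with three MFA-type radio buttons) can be reproduced with a small form-walking client. The example below is added here for illustration and is not aws-adfs project code; the two sample HTML pages, the field names `AuthMethod`, `Context` and `AuthMethodChoice`, and the MFA option values are constructed for the demo and are not taken from any real ADFS deployment. It shows that a client which only looks for a `SAMLResponse` hidden field gets nothing back from the intermediate page, and that re-posting the form correctly means carrying every hidden field plus exactly one radio value per group, as a browser would.

```python
"""Added example (not aws-adfs code): walk an ADFS-style login form,
carry its hidden fields and the chosen MFA radio button forward, and
only treat a page as final when it actually carries a SAMLResponse."""
import base64
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Constructed sample of an intermediate MFA-selection page: no assertion yet,
# just hidden state and three radio buttons (field names are made up here).
MFA_CHOICE_PAGE = """
<html><body>
<form id="options" method="post" action="/adfs/ls/?SAMLRequest=constructed">
  <input type="hidden" name="AuthMethod" value="ExampleMfaProvider">
  <input type="hidden" name="Context" value="ctx-constructed-12345">
  <input type="radio" name="AuthMethodChoice" value="PushNotification" checked>
  <input type="radio" name="AuthMethodChoice" value="SMS">
  <input type="radio" name="AuthMethodChoice" value="OTP">
  <input type="submit" value="Continue">
</form>
</body></html>
"""

# Constructed sample of the final page that carries the base64 assertion.
FAKE_ASSERTION = b"<samlp:Response>constructed</samlp:Response>"
SAML_PAGE = """
<html><body>
<form method="post" action="https://signin.aws.amazon.com/saml">
  <input type="hidden" name="SAMLResponse" value="{b64}">
</form>
</body></html>
""".format(b64=base64.b64encode(FAKE_ASSERTION).decode())


class FormParser(HTMLParser):
    """Collects what a browser would submit for the first <form> on a page."""

    def __init__(self) -> None:
        super().__init__()
        self.action: Optional[str] = None
        self.fields: Dict[str, str] = {}          # name -> value to submit
        self.radio_groups: Dict[str, List[str]] = {}  # name -> all options

    def handle_starttag(self, tag: str, attrs) -> None:
        a = dict(attrs)  # a valueless attribute such as "checked" maps to None
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        if tag != "input":
            return
        name = a.get("name")
        if not name:  # unnamed inputs (e.g. the submit button) are not sent
            return
        value = a.get("value") or ""
        itype = (a.get("type") or "text").lower()
        if itype == "radio":
            # Remember every option; a browser submits only the checked one.
            self.radio_groups.setdefault(name, []).append(value)
            if "checked" in a:
                self.fields[name] = value
        elif itype in ("hidden", "text", "password"):
            self.fields[name] = value


def extract_saml_assertion(html: str) -> Optional[bytes]:
    """Return the decoded SAMLResponse, or None if this page has none
    (which is exactly the situation behind 'Cannot extract saml assertion')."""
    p = FormParser()
    p.feed(html)
    encoded = p.fields.get("SAMLResponse")
    return base64.b64decode(encoded) if encoded else None


def build_mfa_submission(html: str, choice: Optional[str] = None) -> dict:
    """Build the POST a client must send for an MFA-selection page.

    All hidden fields are carried forward; each radio group gets the
    caller's choice if it is a valid option, otherwise the pre-checked one.
    A group with no selection at all is an error rather than a silent omission,
    since dropping the radio value is what leaves the server unable to proceed.
    """
    p = FormParser()
    p.feed(html)
    payload = dict(p.fields)
    for group, options in p.radio_groups.items():
        if choice is not None and choice in options:
            payload[group] = choice
        elif group not in payload:
            raise ValueError(f"no option selected for {group}; options: {options}")
    return {"action": p.action, "data": payload}


if __name__ == "__main__":
    print("assertion on MFA page:", extract_saml_assertion(MFA_CHOICE_PAGE))
    print("MFA submission:", build_mfa_submission(MFA_CHOICE_PAGE, "SMS"))
    print("assertion on final page:", extract_saml_assertion(SAML_PAGE))
```

When debugging a real deployment, the equivalent check is to compare the verbose (`-v`) output against what the browser posts on the MFA step: every hidden field and the selected radio value should appear in the client's request before a `SAMLResponse` can be expected back.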

@praveenraghav01 commented

@lmayorga1980 Thank you for the help, '--no-sspi' worked for me :)

@pdecat pdecat added question waiting Waiting for answer labels Sep 23, 2021