saml2aws
Authentication on Azure AD with MFA doesn't work, keeps asking MFA code
As per the subject, authentication with Azure AD with MFA enabled doesn't work; it keeps asking for the MFA code indefinitely. I attach a debug session.
$ saml2aws --version
2.36.6
saml2aws login --verbose
DEBU[0000] Running command=login
DEBU[0000] Check if creds exist. command=login
DEBU[0000] Expand name=/Users/zzzzz/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink name=/Users/zzzzz/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists filename=/Users/zzzzz/.aws/credentials pkg=awsconfig
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.com
DEBU[0000] Get credentials helper=osxkeychain serverURL="https://account.activedirectory.windowsazure.com"
DEBU[0000] Get credentials helper=osxkeychain user=zzzzzz
To use saved password just hit enter.
? Username zzzzzz
? Password
DEBU[0001] building provider command=login idpAccount="OMIT"
Authenticating as zzzzzz ...
DEBU[0002] processing ConvergedSignIn provider=AzureAD
DEBU[0002] HTTP Req URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0002] HTTP Res Status="200 OK" http=client
DEBU[0002] HTTP Req URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0002] HTTP Res Status="200 OK" http=client
DEBU[0002] processing a 'hiddenform' provider=AzureAD
DEBU[0002] HTTP Req URL="https://device.login.microsoftonline.com:443/" http=client method=POST
DEBU[0003] HTTP Res Status="200 OK" http=client
DEBU[0003] processing a 'hiddenform' provider=AzureAD
DEBU[0003] HTTP Req URL="https://login.microsoftonline.com:443/common/DeviceAuthTls/reprocess" http=client method=POST
DEBU[0003] HTTP Res Status="200 OK" http=client
DEBU[0003] processing ConvergedTFA provider=AzureAD
DEBU[0003] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0004] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 64
DEBU[0004] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0004] HTTP Res Status="200 OK" http=client
DEBU[0005] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0006] HTTP Res Status="200 OK" http=client
DEBU[0007] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0007] HTTP Res Status="200 OK" http=client
DEBU[0008] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0009] HTTP Res Status="200 OK" http=client
DEBU[0010] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0010] HTTP Res Status="200 OK" http=client
DEBU[0011] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0012] HTTP Res Status="200 OK" http=client
DEBU[0013] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0014] HTTP Res Status="200 OK" http=client
DEBU[0015] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0015] HTTP Res Status="200 OK" http=client
DEBU[0016] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0016] HTTP Res Status="200 OK" http=client
DEBU[0017] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0018] HTTP Res Status="200 OK" http=client
DEBU[0019] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0019] HTTP Res Status="200 OK" http=client
DEBU[0020] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0020] HTTP Res Status="200 OK" http=client
DEBU[0020] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0020] HTTP Res Status="200 OK" http=client
DEBU[0021] processing ConvergedTFA provider=AzureAD
DEBU[0021] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0022] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 13
DEBU[0022] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0023] HTTP Res Status="200 OK" http=client
DEBU[0024] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0025] HTTP Res Status="200 OK" http=client
DEBU[0026] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0026] HTTP Res Status="200 OK" http=client
DEBU[0027] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0028] HTTP Res Status="200 OK" http=client
DEBU[0028] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0028] HTTP Res Status="200 OK" http=client
DEBU[0028] processing ConvergedTFA provider=AzureAD
DEBU[0028] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0029] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 25
DEBU[0029] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0030] HTTP Res Status="200 OK" http=client
DEBU[0031] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0032] HTTP Res Status="200 OK" http=client
DEBU[0033] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0033] HTTP Res Status="200 OK" http=client
DEBU[0034] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0035] HTTP Res Status="200 OK" http=client
DEBU[0036] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0036] HTTP Res Status="200 OK" http=client
DEBU[0037] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0038] HTTP Res Status="200 OK" http=client
DEBU[0038] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0038] HTTP Res Status="200 OK" http=client
DEBU[0038] processing ConvergedTFA provider=AzureAD
DEBU[0038] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0039] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 61
DEBU[0039] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0039] HTTP Res Status="200 OK" http=client
After the third MFA code request I stopped, but as you can see, something fails silently in the MFA check, apparently. Unfortunately, I don't have any control on Azure AD configuration, so I can't supply further details on it. Is there a way to gather additional information from my side?
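One way to gather that additional information from the verbose output itself, added here as an example that is not part of the issue or of saml2aws: it groups the debug log into ConvergedTFA rounds (BeginAuth, EndAuth polls, ProcessAuth) and flags the loop in which ProcessAuth returns 200 OK but a fresh BeginAuth with a new entropy value follows. The log below is a constructed excerpt modelled on the session above.

```python
import re

# Constructed excerpt modelled on the saml2aws --verbose output in this issue.
SAMPLE_LOG = """\
DEBU[0003] processing ConvergedTFA provider=AzureAD
DEBU[0003] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
Phone approval required. Entropy is: 64
DEBU[0004] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0005] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0020] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0021] processing ConvergedTFA provider=AzureAD
DEBU[0021] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
Phone approval required. Entropy is: 13
DEBU[0022] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0028] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0028] processing ConvergedTFA provider=AzureAD
DEBU[0028] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
Phone approval required. Entropy is: 25
"""

TS = re.compile(r"^DEBU\[(\d+)\]")                      # seconds since start
SAS = re.compile(r'URL="https://login\.microsoftonline\.com/common/SAS/(\w+)"')
ENTROPY = re.compile(r"Entropy is: (\d+)")               # number-matching prompt


def parse_mfa_rounds(log: str):
    """Split the log into MFA rounds: BeginAuth opens a round, each EndAuth is
    one poll for the phone approval, ProcessAuth closes the round."""
    rounds = []
    for line in log.splitlines():
        ts = TS.match(line)
        t = int(ts.group(1)) if ts else None
        step = SAS.search(line)
        if step:
            name = step.group(1)
            if name == "BeginAuth":
                rounds.append({"start": t, "end": t, "entropy": None,
                               "polls": 0, "processed": False})
            elif rounds:
                rounds[-1]["end"] = t
                if name == "EndAuth":
                    rounds[-1]["polls"] += 1
                elif name == "ProcessAuth":
                    rounds[-1]["processed"] = True
        ent = ENTROPY.search(line)
        if ent and rounds:
            rounds[-1]["entropy"] = int(ent.group(1))
    return rounds


def diagnose(log: str):
    """A healthy login has one round ending in ProcessAuth; two or more
    completed rounds means the server accepted the code and re-challenged."""
    rounds = parse_mfa_rounds(log)
    completed = sum(1 for r in rounds if r["processed"])
    return {"rounds": len(rounds), "completed": completed, "looping": completed >= 2}
```

Run it over a full `saml2aws login --verbose` capture (with usernames redacted) to attach the round count, per-round poll count and entropy values to the report instead of the raw log.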
Having the same issue currently. We experienced a different error when using a prior version (2.36.4). Upgraded to 2.36.10 and now the behavior is the same as described. It keeps asking for the code, even after entering a correct code.
Hello,
We've encountered the same problem today in our company. We need to disable MFA for the enterprise app to let saml2aws continue to work. I think Microsoft changed something on their side and the rollout is not the same for all tenants.
Hi there,
We are facing this issue for all users here from today. It seems we already had a few occurrences starting 2 weeks ago.
saml2aws up to date ;-)
Having the same issue with the latest 2.36.13 version. It keeps asking for the code after accepting the previous one:
$ saml2aws login --disable-keychain -a ******** --verbose
DEBU[0000] Running command=login
DEBU[0000] Check if creds exist. command=login
DEBU[0000] Expand name=/********/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink name=/********/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists filename=/********/.aws/credentials pkg=awsconfig
Using IdP Account ******** to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username ********
? Password ********
DEBU[0005] building provider command=login idpAccount="********"
Authenticating as ******** ...
DEBU[0008] processing ConvergedSignIn provider=AzureAD
DEBU[0008] HTTP Req URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0009] HTTP Res Status="200 OK" http=client
DEBU[0010] processing ConvergedTFA provider=AzureAD
DEBU[0010] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0011] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 31
DEBU[0011] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0011] HTTP Res Status="200 OK" http=client
DEBU[0023] processing ConvergedTFA provider=AzureAD
DEBU[0023] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0024] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 50
DEBU[0031] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0032] HTTP Res Status="200 OK" http=client
DEBU[0032] processing ConvergedTFA provider=AzureAD
DEBU[0032] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0033] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 59
DEBU[0033] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0033] HTTP Res Status="200 OK" http=client
^C
Did anyone find a solution to this? Some of us are getting stuck in the same loop, it happens with push authentication as well as TOTP. We can't figure out what the common factor is between us.
On our side, we rolled back the conditional access in Azure to standard MFA and not the new MFA level.
Looking forward to hearing about the closure of this issue as I really need it.
I have the same issue. saml2aws version: 2.36.16. Is there any solution?
+1