
AzureAD compliant device conditional access policy not working

Open jjensenp44 opened this issue 1 year ago • 6 comments

Hi Team,

Would you consider supporting sending the device compliance status with the authentication to AzureAD? We have a conditional access policy set up in AzureAD that requires the device to be compliant to be able to access any AzureAD SSO federated app. Saml2aws is not currently working with this setup as it is not able to pass the compliance state of the machine to AzureAD, and access is therefore denied with an "Error authenticating to IdP.: failed get SAMLAssertion" error. Normally passing the compliance state is done through the browser. Edge works out of the box, but with Chrome you need to add the "Windows Accounts" extension from the Chrome app store. Is this something you could please look into integrating into saml2aws?

Regards Jacob

jjensenp44 avatar Jun 08 '23 11:06 jjensenp44

I'm running into this same error as described above:

$ saml2aws login --verbose
DEBU[0000] Running                                       command=login
DEBU[0000] Check if creds exist.                         command=login
DEBU[0000] Expand                                        name=/home/<username>/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/home/<username>/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/home/<username>/.aws/credentials pkg=awsconfig
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.us/
To use saved password just hit enter.
? Username <username@domain>
? Password ******************

DEBU[0001] building provider                             command=login idpAccount="account {\n  AppID: <App ID>\n  URL: https://account.activedirectory.windowsazure.us/\n  Username: <username@domain>\n  Provider: AzureAD\n  MFA: Auto\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 3600\n  Profile: aad\n  RoleARN: arn:aws:iam::<ARN/Role>\n  Region: us-east-1\n}"
Authenticating as <username@domain> ...
DEBU[0003] processing ConvergedSignIn                    provider=AzureAD
DEBU[0003] HTTP Req                                      URL="https://login.microsoftonline.us/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0003] HTTP Res                                      Status="200 OK" http=client
DEBU[0003] HTTP Req                                      URL="https://login.microsoftonline.us/common/login" http=client method=POST
DEBU[0004] HTTP Res                                      Status="200 OK" http=client
DEBU[0004] unknown process step found:ConvergedConditionalAccess  provider=AzureAD
failed get SAMLAssertion
github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).Authenticate
        github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:222
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
        github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
        ./main.go:191
runtime.main
        runtime/proc.go:250
runtime.goexit
        runtime/asm_amd64.s:1598
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
        github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
        ./main.go:191
runtime.main
        runtime/proc.go:250
runtime.goexit
        runtime/asm_amd64.s:1598

srepetsk avatar Jul 21 '23 19:07 srepetsk
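An added example, not saml2aws code, that triages a saved `saml2aws login --verbose` log for the failure reported in this thread: it collects the AzureAD sign-in steps the provider handled and flags the step it did not recognise. The `processing` / `unknown process step found:` message formats, the step names and the sample lines are taken from the output quoted above; the diagnosis text is an assumption based on the original report.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Triage is the result of scanning one saml2aws --verbose run.
type Triage struct {
	Steps       []string // AzureAD sign-in steps the provider handled, in order
	UnknownStep string   // step name the provider did not recognise, if any
	Diagnosis   string
}

var (
	// Message formats as they appear in the debug output quoted in this thread.
	stepRe    = regexp.MustCompile(`processing (\S+)\s+provider=AzureAD`)
	unknownRe = regexp.MustCompile(`unknown process step found:(\S+)`)
)

// TriageLog walks the debug output line by line. A diagnosis is given only for
// the step name documented in this thread; any other unknown step is reported
// verbatim so the operator can look it up.
func TriageLog(log string) Triage {
	var t Triage
	for _, line := range strings.Split(log, "\n") {
		if m := stepRe.FindStringSubmatch(line); m != nil {
			t.Steps = append(t.Steps, m[1])
		}
		if m := unknownRe.FindStringSubmatch(line); m != nil {
			t.UnknownStep = m[1]
		}
	}
	switch t.UnknownStep {
	case "":
		t.Diagnosis = "no unrecognised AzureAD step; the failure lies elsewhere"
	case "ConvergedConditionalAccess":
		// Assumed wording, based on the reporter's description above.
		t.Diagnosis = "AzureAD applied a Conditional Access policy (such as 'require compliant device') that saml2aws cannot satisfy; sign in via a browser that presents device state instead"
	default:
		t.Diagnosis = "unrecognised AzureAD step " + t.UnknownStep + "; attach the verbose log to an issue"
	}
	return t
}

// sampleLog is constructed from the lines quoted earlier in this thread.
const sampleLog = `DEBU[0003] processing ConvergedSignIn                    provider=AzureAD
DEBU[0003] HTTP Req                                      URL="https://login.microsoftonline.us/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0004] unknown process step found:ConvergedConditionalAccess  provider=AzureAD
failed get SAMLAssertion`

func main() {
	t := TriageLog(sampleLog)
	fmt.Println(t.Steps, t.UnknownStep)
	fmt.Println(t.Diagnosis)
}
```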

I've started seeing this issue more and more - exactly the same error as @srepetsk above.

kieran-lowe avatar Dec 14 '23 23:12 kieran-lowe

We had to create our own version of saml2aws to get this to work.

https://github.com/chansen-p44/saml2aws

It would be nice if that could be merged into the official version.

jjensenp44 avatar Dec 15 '23 08:12 jjensenp44

@jjensenp44 I'm not totally against that idea. Are you able to make a PR and we could go from there?

I had a quick look at the code; there are a few things that came to mind:

  1. Is there any code written?
  2. Is there any way to decouple the changes you made to the Chromium launch settings in browser.go, like a flag to isolate this feature from the rest?

tinaboyce avatar Dec 16 '23 13:12 tinaboyce

Sorry, I am not a developer so cannot answer your question. This version was made by one of the engineers who is no longer with the company, so this is what it is.

jjensenp44 avatar Dec 18 '23 09:12 jjensenp44