saml2aws
AzureAD: Stuck in loop for PhoneAppNotification even if the code is correct
Hello everyone,
I'm trying to use this tool to get AWS CLI credentials by logging in to AzureAD. I reach the moment when the program asks me to confirm the login via the phone app, but after confirming using the right number it keeps asking me to confirm again with a new number.
Below are some verbose logs; I redacted some sensitive information:
DEBU[0005] Running command=login
DEBU[0005] Check if creds exist. command=login
DEBU[0005] Expand name=/home/bozmir/.aws/credentials pkg=awsconfig
DEBU[0005] resolveSymlink name=/mnt/c/Users/mirco.bozzolini/.aws/credentials pkg=awsconfig
DEBU[0005] ensureConfigExists filename=/mnt/c/Users/mirco.bozzolini/.aws/credentials pkg=awsconfig
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username <REDACTED>
? Password ****************
DEBU[0018] building provider command=login idpAccount="account {\n AppID: <REDACTED>\n URL: https://account.activedirectory.windowsazure.com\n Username: <REDACTED>\n Provider: AzureAD\n MFA: PhoneAppNotification\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 3600\n Profile: tep-azure\n RoleARN: \n Region: \n}"
Authenticating as <REDACTED> ...
DEBU[0019] processing ConvergedSignIn provider=AzureAD
DEBU[0019] HTTP Req URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0019] HTTP Res Status="200 OK" http=client
DEBU[0019] HTTP Req URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0020] HTTP Res Status="200 OK" http=client
DEBU[0020] processing KmsiInterrupt provider=AzureAD
DEBU[0020] HTTP Req URL="https://login.microsoftonline.com/kmsi" http=client method=POST
DEBU[0020] HTTP Res Status="200 OK" http=client
DEBU[0020] processing a 'hiddenform' provider=AzureAD
DEBU[0020] HTTP Req URL="https://account.activedirectory.windowsazure.com/" http=client method=POST
DEBU[0023] HTTP Res Status="200 OK" http=client
DEBU[0024] processing SAMLRequest provider=AzureAD
DEBU[0024] processing ConvergedTFA provider=AzureAD
DEBU[0024] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0024] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 96
DEBU[0024] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0025] HTTP Res Status="200 OK" http=client
DEBU[0027] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0027] HTTP Res Status="200 OK" http=client
DEBU[0029] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0029] HTTP Res Status="200 OK" http=client
DEBU[0031] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0031] HTTP Res Status="200 OK" http=client
DEBU[0033] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0033] HTTP Res Status="200 OK" http=client
DEBU[0033] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0033] HTTP Res Status="200 OK" http=client
DEBU[0033] processing ConvergedTFA provider=AzureAD
DEBU[0033] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0034] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 32
DEBU[0034] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0034] HTTP Res Status="200 OK" http=client
DEBU[0036] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0037] HTTP Res Status="200 OK" http=client
DEBU[0039] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0039] HTTP Res Status="200 OK" http=client
DEBU[0041] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0041] HTTP Res Status="200 OK" http=client
DEBU[0041] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0041] HTTP Res Status="200 OK" http=client
DEBU[0041] processing ConvergedTFA provider=AzureAD
DEBU[0041] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0042] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: 91
DEBU[0042] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0042] HTTP Res Status="200 OK" http=client
DEBU[0044] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0044] HTTP Res Status="200 OK" http=client
DEBU[0046] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0046] HTTP Res Status="200 OK" http=client
DEBU[0048] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0049] HTTP Res Status="200 OK" http=client
DEBU[0049] HTTP Req URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0049] HTTP Res Status="200 OK" http=client
DEBU[0049] processing ConvergedTFA provider=AzureAD
DEBU[0049] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
This time I stopped the program after 4 tries.
Looking at the code with some additional logs, it seems the process is stuck in the Authenticate function, because it receives the same page before and after processConvergedTFA.
I know the code I'm sending is correct because processConvergedTFA returns without errors, but I think there might be a problem with my AD configuration, which returns an unexpected page.
I would really appreciate some help 🙏
I suppose it is the same issue as #1072.
Duplicate of #1072
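Added example, not code from the saml2aws project or from the reporter. The verbose log above shows the client completing a BeginAuth / EndAuth / ProcessAuth round and then landing on ConvergedTFA again with a fresh number (96, then 32, then 91), so every extra round pushes another approval to the user's phone. A client should bound that: partly to fail fast with a useful error, and partly because repeatedly prompting people to approve pushes is exactly the habit push-fatigue attacks rely on. The Go below sketches a hypothetical page-loop driver with such a cap, plus a small parser that counts approval prompts in `saml2aws --verbose` output. The `Page` type, the `Authenticate` signature, the `fakeIdP` handlers and `sampleLog` are all constructed for this example and are not saml2aws's own types or APIs.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Page is a hypothetical stand-in (not saml2aws's own type) for the response the
// AzureAD flow hands back each round trip: Handler is the step the client
// dispatches to, Entropy the number-matching value of a push prompt (0 if none).
type Page struct {
	Handler string
	Entropy int
}

// ErrTFALoop is returned when the IdP keeps serving the MFA page after the
// user has already approved instead of advancing to the SAML response.
var ErrTFALoop = errors.New("azuread: MFA page returned again after approval")

// Authenticate drives the page loop the way the verbose log shows it, with one
// guard: each ConvergedTFA page costs the user a push approval, so approvals
// are capped and the login fails instead of re-prompting indefinitely.
func Authenticate(first Page, process func(Page) (Page, error), maxApprovals int) (Page, error) {
	approvals := 0
	page := first
	for page.Handler != "SAMLResponse" {
		if page.Handler == "ConvergedTFA" {
			if approvals >= maxApprovals {
				return Page{}, fmt.Errorf("%w (gave up after %d approvals)", ErrTFALoop, approvals)
			}
			approvals++
		}
		next, err := process(page)
		if err != nil {
			return Page{}, err
		}
		page = next
	}
	return page, nil
}

// ApprovalPrompts pulls the number-matching values out of saml2aws --verbose
// output; more than one per login is the symptom in the report.
func ApprovalPrompts(log string) []int {
	const marker = "Phone approval required. Entropy is: "
	var out []int
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, marker); i >= 0 {
			if n, err := strconv.Atoi(strings.TrimSpace(line[i+len(marker):])); err == nil {
				out = append(out, n)
			}
		}
	}
	return out
}

// fakeIdP is a constructed stand-in for login.microsoftonline.com. With loop
// set it reproduces the report (ConvergedTFA again after every approval, with a
// fresh number); otherwise one approval leads to the SAML response.
func fakeIdP(loop bool) func(Page) (Page, error) {
	entropies := []int{96, 32, 91, 17, 58}
	served := 0
	tfa := func() (Page, error) {
		p := Page{Handler: "ConvergedTFA", Entropy: entropies[served%len(entropies)]}
		served++
		return p, nil
	}
	return func(p Page) (Page, error) {
		switch p.Handler {
		case "ConvergedSignIn":
			return Page{Handler: "KmsiInterrupt"}, nil
		case "KmsiInterrupt":
			return tfa()
		case "ConvergedTFA":
			if loop {
				return tfa()
			}
			return Page{Handler: "SAMLResponse"}, nil
		}
		return Page{}, fmt.Errorf("unexpected page %q", p.Handler)
	}
}

// sampleLog is a constructed excerpt in the shape of the report's output.
const sampleLog = `DEBU[0024] processing ConvergedTFA provider=AzureAD
Phone approval required. Entropy is: 96
Phone approval required. Entropy is: 32
Phone approval required. Entropy is: 91`

func main() {
	fmt.Println("approval prompts in log:", ApprovalPrompts(sampleLog))
	_, err := Authenticate(Page{Handler: "ConvergedSignIn"}, fakeIdP(true), 2)
	fmt.Println("looping IdP:", err)
}
```

With the looping stand-in and a cap of two approvals, `Authenticate` returns an error wrapping `ErrTFALoop` after the third ConvergedTFA page instead of prompting a fourth time; with the healthy stand-in it returns the `SAMLResponse` page after a single approval. The cap is deliberately small: a legitimate login needs exactly one approval, so anything beyond a retry is worth surfacing to the user rather than silently re-sending pushes.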