saml2aws
AzureAD: unable to locate IDP oidc form submit URL
Configured according to documentation: Azure AD
Version: 2.28.4
Config
[default]
app_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
url = https://account.activedirectory.windowsazure.com
username = [email protected]
provider = AzureAD
mfa = Auto
skip_verify = false
timeout = 0
aws_urn = urn:amazon:webservices
aws_session_duration = 3600
aws_profile = saml
resource_id =
subdomain =
role_arn =
region =
http_attempts_count =
http_retry_delay =
Name = default
credentials_file =
saml_cache = false
Output
saml2aws login --verbose
time="2021-03-31T17:23:40+11:00" level=debug msg=Running command=login
time="2021-03-31T17:23:40+11:00" level=debug msg="check if Creds Exist" command=login
time="2021-03-31T17:23:40+11:00" level=debug msg=Expand name=/home/teddevaal/.aws/credentials pkg=awsconfig
time="2021-03-31T17:23:40+11:00" level=debug msg=resolveSymlink name=/home/teddevaal/.aws/credentials pkg=awsconfig
time="2021-03-31T17:23:40+11:00" level=debug msg=ensureConfigExists filename=/home/teddevaal/.aws/credentials pkg=awsconfig
Using IDP Account default to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
Username ([email protected])
Password **********
time="2021-03-31T17:23:47+11:00" level=debug msg="building provider" command=login idpAccount="account {\n AppID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\n URL: https://account.activedirectory.windowsazure.com\n Username: [email protected]\n Provider: AzureAD\n MFA: Auto\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 3600\n Profile: saml\n RoleARN: \n Region: \n}"
Authenticating as [email protected] ...
time="2021-03-31T17:23:48+11:00" level=debug msg="HTTP Req" URL="https://login.microsoftonline.com/common/login" http=client method=POST
time="2021-03-31T17:23:49+11:00" level=debug msg="HTTP Res" Status="200 OK" http=client
unable to locate IDP oidc form submit URL
error authenticating to IdP
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:103
main.main
command-line-arguments/main.go:180
runtime.main
runtime/proc.go:225
runtime.goexit
runtime/asm_amd64.s:1371
Observation
When using saml2aws, a POST is made to https://login.microsoftonline.com/common/login.
However, when using Microsoft My Apps, https://account.activedirectory.windowsazure.com/applications/redirecttoapplication.aspx?Operation=LinkedSignIn&applicationId={app_id}&tenantId={tenant_id} is redirected to https://login.microsoftonline.com/{tenant_id}/saml2?SAMLRequest={saml_request}.
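To see what the My Apps redirect above actually carries, it helps to be able to build and decode the SAMLRequest parameter yourself. The following is an added example, not code from saml2aws or from the issue author: it encodes a SAML 2.0 AuthnRequest the way the HTTP-Redirect binding does (raw DEFLATE, then base64, then URL-encoding), builds the https://login.microsoftonline.com/{tenant_id}/saml2 URL, and then decodes such a URL back into the tenant ID, Destination, Issuer and AssertionConsumerServiceURL. The tenant ID is a placeholder, the AuthnRequest body is constructed for the example (it is not a capture of what My Apps sends), and the Issuer urn:amazon:webservices and the AWS ACS URL https://signin.aws.amazon.com/saml are the values saml2aws's AWS integration uses.

```python
"""Encode/decode a SAML AuthnRequest as the HTTP-Redirect binding does.

Added example (not saml2aws code). The SAMLRequest query parameter is
    urlencode(base64(raw_deflate(xml)))
so decoding is the reverse: unquote, base64-decode, raw inflate.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholder tenant; not a real Azure AD tenant.
TENANT_ID = "11111111-2222-3333-4444-555555555555"

# Constructed AuthnRequest for the example. Issuer matches the aws_urn from the
# config above; the ACS URL is AWS's SAML sign-in endpoint.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_example1" Version="2.0" IssueInstant="2021-03-31T06:23:48Z"
    Destination="https://login.microsoftonline.com/{TENANT_ID}/saml2"
    AssertionConsumerServiceURL="https://signin.aws.amazon.com/saml"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>urn:amazon:webservices</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_saml_request(xml_text: str) -> str:
    """Raw DEFLATE (wbits=-15: no zlib header/checksum) followed by base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_saml_request(param: str) -> str:
    """Inverse of encode_saml_request: base64-decode, then raw inflate."""
    raw = base64.b64decode(param)
    return zlib.decompress(raw, -15).decode("utf-8")


def build_redirect_url(tenant_id: str, xml_text: str, relay_state: str = "") -> str:
    """Build the tenant-scoped Azure AD SAML endpoint URL with the encoded request.

    urlencode() percent-encodes the base64 '+', '/' and '=' characters.
    """
    query = {"SAMLRequest": encode_saml_request(xml_text)}
    if relay_state:
        query["RelayState"] = relay_state
    return f"https://login.microsoftonline.com/{tenant_id}/saml2?" + urlencode(query)


def inspect_redirect(url: str) -> dict:
    """Pull the tenant from the path and the key AuthnRequest fields from the query."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)  # parse_qs already percent-decodes the values
    xml_text = decode_saml_request(qs["SAMLRequest"][0])
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "tenant_id": parts.path.strip("/").split("/")[0],
        "destination": root.get("Destination"),
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": qs.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    redirect = build_redirect_url(TENANT_ID, SAMPLE_AUTHN_REQUEST, relay_state="saml2aws")
    print(redirect)
    for key, value in inspect_redirect(redirect).items():
        print(f"{key:12} {value}")
```

Paste a real Location header from the My Apps redirect into inspect_redirect() to confirm which tenant and ACS URL Azure AD is being asked for; a request that lands on /common/login instead of /{tenant_id}/saml2 will have no SAMLRequest parameter at all, which is one quick way to tell the two flows apart.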
Azure AD does not work in 2.30.0
Duplicate of https://github.com/Versent/saml2aws/issues/628
I came across this error today with version 2.35.0. I use Azure AD as the identity store. It turns out that this is because my password is up for an update and Azure AD is trying to prompt me for a password change. The error message is very confusing. As soon as I changed my password, it worked again.