
cannot find state token

Open Yeunkwan opened this issue 3 years ago • 7 comments

Hi,

I am testing this tool, but unfortunately I got stuck now.

After typing the verification code, I got an error message like "cannot find state token" as below. What could be the possible issue with it? If you could help me with this, I would appreciate it.

Many thanks, Yeun

    ###################### cannot find state token
    github.com/versent/saml2aws/v2/pkg/provider/okta.getStateTokenFromOktaPageBody
        github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:270
    github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
        github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:244
    github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
        github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:262
    github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
        github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:196
    github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
        github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:249
    github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
        github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:196
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
        github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:104
    main.main
        command-line-arguments/main.go:183
    runtime.main
        runtime/proc.go:225
    runtime.goexit
        runtime/asm_amd64.s:1371
    error retrieving saml response
    github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
        github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:246
    github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
        github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:262
    github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
        github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:196
    github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
        github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:249
    github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
        github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:196
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
        github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:104
    main.main
        command-line-arguments/main.go:183
    runtime.main
        runtime/proc.go:225
    runtime.goexit
        runtime/asm_amd64.s:1371
    error authenticating to IdP
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
        github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:106
    main.main
        command-line-arguments/main.go:183
    runtime.main
        runtime/proc.go:225
    runtime.goexit
        runtime/asm_amd64.s:1371

Yeunkwan, May 05 '21 09:05

I got this error too, it was due to not using the right URL in the configuration.

bbakersmith, Jun 18 '21 15:06

@Yeunkwan I also ran into this error when I first tried saml2aws. I was able to fix it, as @bbakersmith indicated, by changing the URL in the configuration. As described in the Okta README.md, the correct URL to use is the AWS application URL. This is mentioned in the Okta README.md, but it isn't connected back to the configuration anywhere that I found.

I was able to get the AWS application URL from the application tile in my Okta dashboard. YMMV, of course.

scottslowe, Apr 14 '22 22:04

This issue still exists, unable to make it work with okta

pgvishnuram, Apr 29 '22 04:04

I am having this problem too.

mcgonagle, Jul 12 '22 15:07

My URL is correct, but I'm still blocked by this error.

scentoni, Aug 23 '22 18:08

One of the common reasons for this error is that Okta is returning a denial page because of a policy like an IP allow-list. If you edit the provider so it logs the full response body and rebuild saml2aws, you'll see something like this:

            <h2 class="o-form-title">App Access Locked</h2>
            <p class="o-form-explain">Access to this application is not allowed at this time due to a policy set by your administrator. If you're wondering why this is happening, please contact your administrator.<br>If it's any consolation, we can take you to <a href="/">your Okta home page</a>.</p>
            <a href="/" class="button tb--button">Go to Homepage</a>

Would it be possible to get some better request/response logging so these things don't have to be done in a bespoke way?

jgoldschrafe, Jul 12 '23 18:07
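As an added illustration of the point above (not code from saml2aws or from anyone in this thread): a small Go classifier that inspects an Okta response body and distinguishes "state token present" from "policy denial page" from "no sign-in form at all" (the wrong-URL case mentioned earlier), so the caller gets a reason instead of a bare "cannot find state token". The `var stateToken = '...';` marker and the `\x2D` escape are assumptions about the Okta page; the denial markup is taken from the snippet quoted above; the sample bodies are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Sentinel errors so a caller (or test) can tell the failure modes apart.
var (
	ErrAccessLocked = errors.New("okta policy denied access to the application")
	ErrNoStateToken = errors.New("cannot find state token")
)

// Assumption: the Okta sign-in page embeds the token as `var stateToken = '...';`
// with '-' escaped as \x2D. Not taken from saml2aws itself.
var stateTokenRe = regexp.MustCompile(`var stateToken = '([^']+)';`)

// Denial markup as quoted in this thread (o-form-title / o-form-explain block).
var denialTitleRe = regexp.MustCompile(`<h2 class="o-form-title">([^<]+)</h2>`)
var denialExplainRe = regexp.MustCompile(`(?s)<p class="o-form-explain">(.*?)</p>`)
var tagRe = regexp.MustCompile(`<[^>]*>`)

// Constructed sample responses for the demo, not real Okta output.
const LoginPage = `<script>var stateToken = '00abc\x2Ddef';</script>`
const LockedPage = `<h2 class="o-form-title">App Access Locked</h2>
<p class="o-form-explain">Access to this application is not allowed at this time due to a policy set by your administrator.<br>Contact <a href="/">your administrator</a>.</p>`

// ClassifyOktaPage returns the state token if present; otherwise it explains
// why the token is missing rather than only reporting that it is.
func ClassifyOktaPage(body string) (string, error) {
	if m := stateTokenRe.FindStringSubmatch(body); m != nil {
		return strings.ReplaceAll(m[1], `\x2D`, "-"), nil
	}
	if t := denialTitleRe.FindStringSubmatch(body); t != nil {
		reason := t[1]
		if e := denialExplainRe.FindStringSubmatch(body); e != nil {
			reason += ": " + tagRe.ReplaceAllString(e[1], "")
		}
		return "", fmt.Errorf("%w: %s", ErrAccessLocked, reason)
	}
	return "", fmt.Errorf("%w: no Okta sign-in form in response, check the idp account URL", ErrNoStateToken)
}

func main() {
	for _, page := range []string{LoginPage, LockedPage, "<html>some other app</html>"} {
		tok, err := ClassifyOktaPage(page)
		fmt.Printf("token=%q err=%v\n", tok, err)
	}
}
```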

Came here looking for an answer to this error and finally realized that I was using the args incorrectly. The profile arg is non-intuitive and easy to forget for a heavy awscli user:

| client   | desired arg                         | short |
|----------|-------------------------------------|-------|
| awscli   | `--profile`                         | `-p`  |
| saml2aws | `--idp-account` (a.k.a. "profile")  | `-a`  |

saml2aws does NOT let you know if you are putting in an incorrect or invalid argument, such as `--profile` or `-p`. It instead glosses over the invalid arg(s) and defaults to "default" for `--idp-account`. It also doesn't let you know if a "default" idp-account config is set up or not; instead, if you don't have a "default" config, it simply exits with `error building login details: failed to validate account: URL empty in idp account` or `cannot find state token`. The error handling and CLI validation could possibly be more robust to reduce this kind of confusion.

mijdavis2, Nov 06 '23 14:11