saml2aws
No Roles to assume with JumpCloud
I am trying to connect the JumpCloud IdP with saml2aws as described in this documentation: https://github.com/Versent/saml2aws/tree/master/doc/provider/jumpcloud
The connection works: I can use the SSO and access roles via the web interface. When I try to configure saml2aws, it looks to me like the authentication works, but the roles are not fetched correctly. I experimented a lot with the config, but I cannot find an error. Is this an issue with saml2aws and JumpCloud, or did I still get something wrong here?
Thank you in advance.
Here is the config and a verbose log. I redacted some parts with <> brackets.
[<profile_name>]
url = https://sso.jumpcloud.com/saml2/<my-sso-app>
username = <[email protected]>
provider = JumpCloud
mfa = Auto
skip_verify = false
timeout = 0
region = eu-central-1
aws_urn = urn:amazon:webservices
aws_session_duration = 3600
aws_profile = DAccess
saml_cache = false
disable_remember_device = false
disable_sessions = false
~ ᐅ saml2aws list-roles -a <profile_name> --verbose
DEBU[0000] Running command=list-roles
Using IdP Account <profile_name> to access JumpCloud https://sso.jumpcloud.com/saml2/<my-sso-app>
DEBU[0000] Get credentials helper=osxkeychain serverURL="https://sso.jumpcloud.com/saml2/<my-sso-app>"
To use saved password just hit enter.
? Username
? Password ***********************************
DEBU[0009] building provider command=list idpAccount="account {\n URL: https://sso.jumpcloud.com/saml2/<my-sso-app>\n Username: <[email protected]>\n Provider: JumpCloud\n MFA: Auto\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 3600\n Profile: DAccess\n RoleARN: \n Region: eu-central-1\n}"
DEBU[0009] HTTP Req URL="https://console.jumpcloud.com/userconsole/auth" http=client method=POST
DEBU[0010] HTTP Res Status="200 OK" http=client
DEBU[0011] delete of existing keychain entry failed error="The specified item could not be found in the keychain. (-25300)" helper=osxkeychain
No roles to assume
Hopping on because this is still open and I'm running into the same issue.
[<profile>]
url = https://sso.jumpcloud.com/saml2/aws-sso
username = <my_jc_username>
provider = JumpCloud
mfa = Auto
skip_verify = false
timeout = 0
aws_urn = urn:amazon:webservices
aws_session_duration = 3600
aws_profile = saml
resource_id =
subdomain =
role_arn =
region = us-west-2
http_attempts_count =
http_retry_delay =
credentials_file =
saml_cache = false
saml_cache_file =
target_url =
disable_remember_device = false
disable_sessions = false
$ saml2aws list-roles --verbose
DEBU[0000] Running command=list-roles
Using IdP Account default to access JumpCloud https://sso.jumpcloud.com/saml2/aws-sso
To use saved password just hit enter.
? Username
? Password
DEBU[0001] building provider command=list idpAccount="account {\n URL: https://sso.jumpcloud.com/saml2/aws-sso\n Username: <my_jc_username>\n Provider: JumpCloud\n MFA: Auto\n SkipVerify: true\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 3600\n Profile: saml\n RoleARN: \n Region: us-west-2\n}"
DEBU[0001] HTTP Req URL="https://console.jumpcloud.com/userconsole/auth" http=client method=POST
DEBU[0001] HTTP Res Status="401 Unauthorized" http=client
? MFA Token 655772
DEBU[0007] HTTP Req URL="https://console.jumpcloud.com/userconsole/auth" http=client method=POST
DEBU[0007] HTTP Res Status="200 OK" http=client
No roles to assume
If I'm missing something here, please let me know, happy to help troubleshoot this.
I've resolved this issue; it requires following this article at jumpcloud: https://support.jumpcloud.com/support/s/article/Configuring-AWS-Roles-in-JumpCloud-Using-Constant-Attributes
Hey there, I am having the same issue with the MS Azure IdP: "No roles to assume". Similar to the above, the SSO and access roles via the web interface work. Looking at the resolution for JumpCloud, I have not been able to transfer the fix to Azure AD Enterprise Applications. 😞 Happy for any kind of help.
Adding my 2 cents to what sjsadowski reported.
One actually needs to add an attribute "https://aws.amazon.com/SAML/Attributes/Role" with a value like "arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:role/ROLE_NAME,arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:saml-provider/JumpCloud", where arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:role/ROLE_NAME is the role that you need saml2aws to assume.
Having done the above, saml2aws was able at this point to get the role to assume (check the line starting with "Selected role:"):
saml2aws login --verbose
DEBU[0000] Running command=login
DEBU[0000] Check if creds exist. command=login
DEBU[0000] Expand name=/home/dali/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink name=/home/dali/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists filename=/home/dali/.aws/credentials pkg=awsconfig
Using IdP Account default to access JumpCloud https://sso.jumpcloud.com/saml2/aws-sso
To use saved password just hit enter.
? Username REDACTED
? Password **********
DEBU[0005] building provider command=login idpAccount="account {\n URL: https://sso.jumpcloud.com/saml2/aws-sso\n Username: REDACTED\n Provider: JumpCloud\n MFA: TOTP\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 3600\n Profile: sre_sso\n RoleARN: \n Region: \n}"
Authenticating as REDACTED ...
DEBU[0005] HTTP Req URL="https://console.jumpcloud.com/userconsole/auth" http=client method=POST
DEBU[0005] HTTP Res Status="401 Unauthorized" http=client
? MFA Token 688854
DEBU[0011] HTTP Req URL="https://console.jumpcloud.com/userconsole/auth" http=client method=POST
DEBU[0012] HTTP Res Status="200 OK" http=client
Selected role: arn:aws:iam::3210123123:role/sre
Requesting AWS credentials using SAML assertion.
InvalidIdentityToken: Issuer not present in specified provider (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException; Request ID: XX; Proxy: null)
status code: 400, request id: XX
Error retrieving STS credentials using SAML.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.loginToStsUsingRole
github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:331
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:138
main.main
./main.go:188
runtime.main
runtime/proc.go:250
runtime.goexit
runtime/asm_amd64.s:1571
Error logging into AWS role using SAML assertion.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:140
main.main
./main.go:188
runtime.main
runtime/proc.go:250
runtime.goexit
runtime/asm_amd64.s:1571
I am currently looking for a way to dump the SAML response to continue troubleshooting (if anyone knows how to do it...).
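Added example (not code from the thread or from saml2aws): given the base64 SAMLResponse the IdP POSTs to AWS, it extracts the assertion Issuer and the "https://aws.amazon.com/SAML/Attributes/Role" values, splits each into the role/provider ARN pair described above, and distinguishes the two failures seen in this thread: no Role attribute at all (saml2aws' "No roles to assume") and an Issuer that does not match the entityID of the IAM saml-provider (STS' "Issuer not present in specified provider"). The entity ID and ARNs in the constructed sample are placeholders, not values from the thread.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces for the elements inspected below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


def parse_saml_response(b64_response):
    """Decode a base64 SAMLResponse; return (assertion Issuer, [(role_arn, provider_arn), ...])."""
    root = ET.fromstring(base64.b64decode(b64_response))
    issuer_el = root.find(".//saml:Assertion/saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    pairs = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue  # RoleSessionName, SessionDuration etc. are not role pairs
        for val in attr.findall("saml:AttributeValue", NS):
            parts = [p.strip() for p in (val.text or "").split(",")]
            if len(parts) != 2:
                raise ValueError("Role value is not 'role_arn,provider_arn': %r" % val.text)
            # AWS accepts the two ARNs in either order; normalise to (role, provider).
            role, provider = sorted(parts, key=lambda a: ":saml-provider/" in a)
            pairs.append((role, provider))
    return issuer, pairs


def diagnose(b64_response, provider_entity_id):
    """Classify the assertion against the entityID configured on the IAM saml-provider."""
    issuer, pairs = parse_saml_response(b64_response)
    if not pairs:
        # Nothing for saml2aws to offer: this is the "No roles to assume" condition.
        return "no-roles"
    if issuer != provider_entity_id:
        # STS rejects this with "Issuer not present in specified provider".
        return "issuer-mismatch"
    return "ok"


def constructed_response(issuer, role_values):
    """Build a minimal base64 SAMLResponse (constructed sample data, not a real IdP response)."""
    values = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in role_values)
    attr = '<saml:Attribute Name="%s">%s</saml:Attribute>' % (ROLE_ATTR, values) if role_values else ""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"><saml:Assertion>'
           '<saml:Issuer>%s</saml:Issuer><saml:AttributeStatement>%s</saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>' % (NS["samlp"], NS["saml"], issuer, attr))
    return base64.b64encode(xml.encode()).decode()
```

To inspect a real response, capture the SAMLResponse form field from the browser's network tab after signing in to the IdP app and pass it to `diagnose` together with the entityID from the metadata uploaded to the IAM saml-provider.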