
Failed to authenticate after ADFS upgrade from Ver3.0 to Ver4.0

Open leonj opened this issue 7 years ago • 12 comments

Python 3.5.2
ADFS version 4.0
Symantec VIP MFA provider


This CLI script has been working seamlessly with Symantec VIP as MFA provider on ADFS version 3.0; unfortunately our recent upgrade of ADFS to version 4.0 seems to have broken the script somewhere.

Current Situation with ADFS version 4.0,

  • Access to the AWS management console via web browser works perfectly fine.
  • The CLI script works perfectly fine when Symantec VIP is disabled.
  • The CLI script fails to return a valid SAML response when Symantec VIP is enabled.

    /aws-adfs$ aws-adfs login --adfs-host sts.somehost.com.au --provider-id urn:amazon:webservices2
    2018-02-26 11:04:01,562 [authenticator authenticator.py:authenticate] [532-MainProcess] [140508329871104-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
    Username [corpad\pa_someuser]:
    Password:
    2018-02-26 11:04:06,978 [authenticator authenticator.py:authenticate] [532-MainProcess] [140508329871104-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
    This account does not have access to any roles
    /aws-adfs$

Has anyone got similar issues?

leonj avatar Feb 26 '18 00:02 leonj
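The two messages in the log above come from different stages: "Cannot extract saml assertion" means the page ADFS returned carried no SAMLResponse form field at all (typically because the flow stopped at an MFA challenge or error page), while "This account does not have access to any roles" means an assertion was found but it carried no AWS Role attribute. The following is an added triage helper, not aws-adfs's own code; it classifies a captured IdP response into those cases. The SAMLResponse field name comes from the SAML 2.0 HTTP-POST binding and the Role attribute URI is the one AWS documents; the sample pages, ARNs and the 123456789012 account id are constructed placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Standard OASIS namespaces of a SAML 2.0 Response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"


def extract_saml_response(html):
    """Return the base64 SAMLResponse form value, or None when the page has
    no such field (an MFA challenge page or an error page, for instance)."""
    for tag in re.findall(r"<input[^>]*>", html, flags=re.IGNORECASE):
        if re.search(r'name="SAMLResponse"', tag, flags=re.IGNORECASE):
            value = re.search(r'value="([^"]*)"', tag)
            if value:
                return value.group(1)
    return None


def parse_roles(saml_b64):
    """Decode the assertion and return [(role_arn, provider_arn), ...].
    AWS accepts the two ARNs in either order, so each one is identified by
    its resource type rather than by its position in the value."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    roles = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = next((p for p in parts if ":role/" in p), None)
            provider = next((p for p in parts if ":saml-provider/" in p), None)
            if role and provider:
                roles.append((role, provider))
    return roles


def diagnose(html):
    """Classify a captured IdP response the way the two aws-adfs messages do:
    'no-saml-response' (cannot extract the assertion), 'no-roles' (assertion
    without a Role attribute) or 'ok' together with the list of roles."""
    saml_b64 = extract_saml_response(html)
    if saml_b64 is None:
        return ("no-saml-response", [])
    roles = parse_roles(saml_b64)
    if not roles:
        return ("no-roles", [])
    return ("ok", roles)


# --- constructed sample inputs; not captured from a real ADFS server ---

def build_assertion(role_values):
    """Build a minimal SAML Response carrying the given Role attribute values."""
    values = "".join(
        "<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in role_values
    )
    role_block = (
        '<saml:Attribute Name="%s">%s</saml:Attribute>' % (ROLE_ATTR, values)
        if role_values else ""
    )
    template = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
        "<saml:Assertion><saml:AttributeStatement>%s"
        '<saml:Attribute Name="%s"><saml:AttributeValue>pa_someuser'
        "</saml:AttributeValue></saml:Attribute>"
        "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    xml = template % (NS["samlp"], NS["saml"], role_block, SESSION_ATTR)
    return base64.b64encode(xml.encode()).decode()


def build_page(saml_b64):
    """The HTTP-POST binding form a browser would auto-submit to AWS."""
    template = (
        '<html><body><form method="post" action="https://signin.aws.amazon.com/saml">'
        '<input type="hidden" name="SAMLResponse" value="%s" />'
        "</form></body></html>"
    )
    return template % saml_b64


ACCOUNT = "123456789012"  # placeholder account id
PROVIDER_ARN = "arn:aws:iam::%s:saml-provider/ADFS" % ACCOUNT
SAML_PAGE = build_page(build_assertion([
    "arn:aws:iam::%s:role/ReadOnly,%s" % (ACCOUNT, PROVIDER_ARN),
    "%s,arn:aws:iam::%s:role/Admin" % (PROVIDER_ARN, ACCOUNT),  # reversed order
]))
NO_ROLE_PAGE = build_page(build_assertion([]))
# Stand-in for an MFA challenge page: a form, but no SAMLResponse field.
MFA_PAGE = (
    '<html><body><form method="post"><input type="text" name="VerificationCode" />'
    '<input type="submit" value="Submit" /></form></body></html>'
)

if __name__ == "__main__":
    for label, page in (("mfa", MFA_PAGE), ("no roles", NO_ROLE_PAGE), ("roles", SAML_PAGE)):
        print(label, diagnose(page))
```

Run it against the HTML saved from a debug capture (the debug output venth asks for below contains the response bodies) to tell the two failure modes apart before changing anything on the ADFS side: a "no-saml-response" result points at the MFA step itself, a "no-roles" result at the claim rules.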

Hi, no one yet reported it. Would you like to provide anonymized debug output?

venth avatar Feb 26 '18 04:02 venth

Hi Venth,

Apologies for the delay.
Please see below are captures with debug enabled.

  • webservices2-vip.txt - endpoint with VIP enabled
  • webservices-non-vip.txt - endpoint without VIP enabled

Any feedback is appreciated.

Thanks in advance.

Leon

leonj avatar Mar 06 '18 06:03 leonj

Hi Venth,

The issue is actually within the MS MFA Server ADFS Adapter; it doesn't handle cultures that are not associated with an LCID (Windows Language Code Identifier). We've resolved the issue by adding EN-US to the top of the list, as advised by MS.

Below is the summary for reference, in case anyone ever encounters the same issue.

Symptom:

AWS CLI tool unable to obtain SAML response after ADFS upgrade from ver3.0 to ver4.0.

Cause:

MFA Server AD FS Adapter - doesn't handle cultures that are not associated with an LCID (Windows Language Code Identifier).

Solution:

If you are not using the gMSA account as the ADFS service account, please follow the steps below:

  • Log on with the Service Account and go to Control Panel (Languages); add EN-US to the top of the list
  • Extend this to the Advanced Settings
  • Once done, log off the Service Account
  • Restart the process/ADFS service or reboot the server

Thanks for the help.

Leon

leonj avatar Mar 25 '18 23:03 leonj

Thanks @leonj for the insight, I would use your description for the known issue section, if I may.

venth avatar Mar 28 '18 04:03 venth

I have the same problem; it only affects Windows. Linux and OSX authenticate without issue. Do you think the solution suggested with the "MS MFA Server ADFS Adapter" still applies?

    PS C:\Users\td > aws-adfs login --adfs-host=login.XXXX.edu --profile default --region ap-southeast2
    2018-05-04 09:28:24,178 [authenticator authenticator.py:authenticate] [4500-MainProcess] [3856-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
    Username: Aborted!

    PS C:\Users\td > pip freeze
    asn1crypto==0.24.0
    aws-adfs==0.10.1
    awscli==1.15.12
    boto3==1.7.12
    botocore==1.10.12
    certifi==2018.4.16
    cffi==1.11.5
    chardet==3.0.4
    click==6.7
    colorama==0.3.7
    configparser==3.5.0
    cryptography==2.2.2
    docutils==0.14
    idna==2.6
    jmespath==0.9.3
    lxml==4.2.1
    pyasn1==0.4.2
    pycparser==2.18
    pyOpenSSL==17.5.0
    pypiwin32==223
    python-dateutil==2.7.2
    pywin32==223
    PyYAML==3.12
    requests==2.18.4
    requests-negotiate-sspi==0.3.4
    rsa==3.4.2
    s3transfer==0.1.13
    six==1.11.0
    urllib3==1.22

tdelov avatar May 04 '18 00:05 tdelov

It's worth a try.

venth avatar May 04 '18 03:05 venth

I just ran into this problem as well. @tdelov did you find the fix, was it the Language settings?

jwalsh2me avatar May 31 '18 15:05 jwalsh2me

@jwalsh2NU I have not had a chance to test the language settings.

tdelov avatar Jun 06 '18 20:06 tdelov

Hi, I am having the same issue. Is there any progress here?

trobert2 avatar Oct 25 '18 11:10 trobert2

I did not try it, but someone at work updated all the installed modules and it started to work. We have moved to okta, so I no longer use this tool.

tdelov avatar Oct 25 '18 11:10 tdelov

@tdelov thanks for replying. Any hints as to what he updated? Is it still using SymantecVipAdapter, or VIPAuthenticationProviderUPN as the auth method?

trobert2 avatar Oct 25 '18 18:10 trobert2

There seems to be a solution: https://github.com/venth/aws-adfs/issues/74#issuecomment-376013069

Is anyone still facing this issue?

pdecat avatar Sep 23 '21 10:09 pdecat