aws-adfs
Auth and/or connectivity problems with ADFS 2016?
With the latest version of aws-adfs, 1.12.3, and ADFS2016, I get the following output.
(enter credentials)
2019-02-15 13:57:41,649 [authenticator authenticator.py:authenticate] [16078-MainProcess] [140431552173888-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
This account does not have access to any roles
On the server side, there are no logs; "normal" UI account login works well and displays the available AWS roles.
Is it possible to enable a verbose debug mode for aws-adfs to better understand what exactly is happening here?
I have a similar issue, but using ADFS 3.0 (2012 r2)
I know you can run aws-adfs -v <the rest of your switches>
The -v should enable verbose output.
Also I wanted to ask you 2 things,
- do you currently have MFA required on the relying party for AWS? I have / had it (w/ MFA) working with the browser but decided to remove that variable from the mix as I tested this out, & part of me wonders if me not requiring MFA, but AWS-ADFS IS expecting some form of MFA, is causing my issue...(not sure)
- how are you connecting your ADFS to AWS? Are you running regex claim rules that match AD groups to AWS accounts/roles as mentioned on: https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/
I'm experiencing the same issues - I have RSA linked to ADFS servers. If I do not force MFA I can log in successfully. If I enable MFA I get the error "cannot extract saml assertion, re-authentication needed". It doesn't seem to be triggering or scraping the RSA authentication module.
I ran the command aws-adfs -v login --adfs-host=
Any help would be appreciated
@torric1 Try adding '--no-sspi' . A recent change to this option caused a change in the user-agent header.
I should have a fix for this in the coming days.
Thanks for the response. Doesn't work with '--no-sspi' unfortunately.
I'm also having the same issue. --no-sspi doesn't help. Tried with versions 1.16.0 and 1.17.0. Also tried clearing profiles and cookies. Still doesn't work. Web GUI works fine. MFA w/ RSA is enabled on the ADFS server.
A smart AWS consultant fixed this for me: https://github.com/torric1/AWSCLI-MFA-RSAv2/blob/master/ros_aws-cli-py3-adfs3-mfa-securID.txt
@torric1 I have the same issue with AzureMFA Authentication. I will try your referenced script and tweak it to see if it works.
This is not for Azure MFA it's for RSAv2. I used this for AzureMFA https://medium.com/dtlpub/aws-adding-azure-ad-sso-including-aws-cli-797a537ce038
@torric1 I thought the script is the same and the only thing it changes is the headers that set the AzureMFA Authentication.
I am facing the same issue while using ADFS with DUO. Any fix to this?
@praveenraghav01 I have a fix on my fork, but I think I broke sspi. However, I believe the solution in my case is that our ADFS servers were presenting 3 HTML radio buttons to select the MFA type, and I had to add those to the context:
https://github.com/LM3CORP/aws-adfs/blob/662ef799d64b9df82f8e0f29945ba1b314a59c82/aws_adfs/html_roles_fetcher.py#L131-L156
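To illustrate the radio-button point above, here is an added, stdlib-only example (not code from aws-adfs or the linked fork) that collects the hidden fields of an ADFS form together with the selected MFA radio option, so the method choice is actually part of the posted context. The form HTML, field names and adapter values are constructed for the example.

```python
from html.parser import HTMLParser

# Constructed sample of an MFA-selection page; not real ADFS output.
SAMPLE_FORM = """
<form id="options" method="post" action="/adfs/ls/">
  <input type="hidden" name="Context" value="ctx-constructed-123" />
  <input type="radio" name="AuthMethod" value="ExampleAzureMfa" />
  <input type="radio" name="AuthMethod" value="ExampleDuo" />
  <input type="radio" name="AuthMethod" value="ExampleRsaSecurId" />
  <input type="submit" name="Submit" value="Continue" />
</form>
"""


class _FormFieldParser(HTMLParser):
    """Collect <input> fields, keeping radio groups separate from plain fields."""

    def __init__(self):
        super().__init__()
        self.fields = {}   # name -> value for hidden/text/password inputs
        self.radios = {}   # name -> list of (value, is_checked)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)                      # bare 'checked' appears as checked=None
        name, kind = a.get("name"), (a.get("type") or "text").lower()
        if not name:
            return
        if kind == "radio":
            self.radios.setdefault(name, []).append((a.get("value", ""), "checked" in a))
        elif kind in ("hidden", "text", "password"):
            self.fields[name] = a.get("value", "")
        # submit buttons are omitted; the caller adds the one it "clicks"


def collect_form_fields(html, preferred_methods=()):
    """Return the POST body a browser would send, including one value per radio group.

    Per group: use the 'checked' option, else the first preferred_methods match,
    else the first option listed. Dropping the group entirely is the failure
    mode in the thread: the server never learns the MFA method and issues no assertion.
    """
    p = _FormFieldParser()
    p.feed(html)
    data = dict(p.fields)
    for name, options in p.radios.items():
        values = [v for v, _ in options]
        checked = [v for v, c in options if c]
        chosen = checked[:1] or [m for m in preferred_methods if m in values][:1] or values[:1]
        if chosen:
            data[name] = chosen[0]
    return data
```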
@lmayorga1980 Thank you for the help '--no-sspi' worked for me :)