
Support for LinOTP MFA, some issues

Open dimitrigeo opened this issue 8 years ago • 6 comments

Hi, we have an ADFS v4 and LinOTP MFA integration. We have previously been using a version of the AWS tool that I modified to submit the challenge-response token, but it has broken since the update to ADFS 4.

Some questions:

  1. Has anyone used ADFS v4 with LinOTP MFA? I read somewhere here that you can just pass the token at the same time as the password, like [password,token]?
  2. I am unable to even get to the login submit. Am I doing something really basic wrong? Error below:

```
$# aws-adfs -v login --adfs-host=https://federation.blabla.com --provider-id urn:amazon:webservices
2018-03-16 10:16:08,815 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable profile from instance vars with value 'default123'.
2018-03-16 10:16:08,816 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable config_file from defaults.
2018-03-16 10:16:08,820 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable credentials_file from defaults.
2018-03-16 10:16:08,822 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable profile from instance vars with value 'default'.
2018-03-16 10:16:08,822 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable config_file from defaults.
2018-03-16 10:16:08,823 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable credentials_file from defaults.
2018-03-16 10:16:08,825 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable profile from defaults.
2018-03-16 10:16:08,826 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable config_file from defaults.
2018-03-16 10:16:08,827 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable credentials_file from defaults.
2018-03-16 10:16:08,835 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable region from defaults.
2018-03-16 10:16:08,836 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable profile from defaults.
2018-03-16 10:16:08,837 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable region from defaults.
2018-03-16 10:16:08,847 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable profile from defaults.
2018-03-16 10:16:08,848 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable credentials_file from defaults.
2018-03-16 10:16:08,855 [session session.py:get_config_variable] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Loading variable config_file from defaults.
2018-03-16 10:16:08,860 [html_roles_fetcher html_roles_fetcher.py:fetch_html_encoded_roles] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Attempt to load authentication cookies into session failed. Re-authentication will be performed. The error:
2018-03-16 10:16:08,870 [connectionpool connectionpool.py:_new_conn] [85-MainProcess] [140514959558400-MainThread] - DEBUG: Starting new HTTPS connection (1): https
Traceback (most recent call last):
  File "/usr/local/bin/aws-adfs", line 9, in
    load_entry_point('aws-adfs==0.8.0', 'console_scripts', 'aws-adfs')()
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 722, in call
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/aws_adfs/login.py", line 108, in login
    principal_roles, assertion, aws_session_duration = authenticator.authenticate(config)
  File "/usr/local/lib/python2.7/dist-packages/aws_adfs/authenticator.py", line 19, in authenticate
    password=password,
  File "/usr/local/lib/python2.7/dist-packages/aws_adfs/html_roles_fetcher.py", line 76, in fetch_html_encoded_roles
    data=data
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 555, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 508, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='https', port=443): Max retries exceeded with url: //federation.blabla.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fcc280a6d50>: Failed to establish a new connection: [Errno -2] Name or service not known',))
```

dimitrigeo avatar Mar 16 '18 09:03 dimitrigeo
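The `host='https'` and `url: //federation.blabla.com/...` in the traceback above are what an HTTP client produces when `--adfs-host` carries its own `https://` scheme and is then templated into `https://{host}/adfs/ls/...`. The following is an added example (not aws-adfs's own code) that reproduces that URL construction and shows a normalizer that strips or rejects the scheme before any request goes out; the function names and the placeholder hostname are assumptions.

```python
from urllib.parse import urlsplit

# Endpoint path and relying-party id as they appear in the traceback above.
IDP_SIGNON_PATH = "/adfs/ls/IdpInitiatedSignOn.aspx"
PROVIDER_ID = "urn:amazon:webservices"


def signon_url(adfs_host: str, provider_id: str = PROVIDER_ID) -> str:
    """Naive templating: the caller is expected to pass a bare hostname.
    Passing 'https://host' here yields 'https://https://host/...'."""
    return f"https://{adfs_host}{IDP_SIGNON_PATH}?loginToRp={provider_id}"


def connection_target(url: str) -> tuple[str, str]:
    """(host the client connects to, path it requests), i.e. the two values
    urllib3 reports as 'HTTPSConnectionPool(host=...)' and 'with url: ...'."""
    parts = urlsplit(url)
    return parts.hostname or "", parts.path


def normalize_adfs_host(value: str) -> str:
    """Reduce an --adfs-host value to 'host' or 'host:port'.

    Accepts 'federation.example.com', 'https://federation.example.com' and
    'https://federation.example.com/adfs/ls/'. Rejects non-https schemes,
    embedded credentials and values without a hostname, so the mistake is
    reported before a DNS lookup or TLS connection is attempted.
    """
    value = value.strip()
    parts = urlsplit(value if "://" in value else f"//{value}")
    if parts.scheme not in ("", "https"):
        raise ValueError(f"ADFS host must use https, got scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError(f"no hostname in --adfs-host value {value!r}")
    if parts.username or parts.password:
        raise ValueError("credentials are not allowed in --adfs-host")
    return parts.netloc


if __name__ == "__main__":
    bad = "https://federation.blabla.com"   # placeholder host from the issue
    print(connection_target(signon_url(bad)))                      # ('https', '//federation.blabla.com/adfs/ls/IdpInitiatedSignOn.aspx')
    print(connection_target(signon_url(normalize_adfs_host(bad)))) # ('federation.blabla.com', '/adfs/ls/IdpInitiatedSignOn.aspx')
```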

Just wanted to update this: I've managed to see the error of my ways and get past the connection errors above by properly formatting my command, but I'm still stuck on the LinOTP 2FA part... Can anyone help? Is there a particular way to pass the token? I've tried adding it like "password,token" but no luck.

```
2018-03-20 09:30:39,853 [authenticator authenticator.py:authenticate] [4876-MainProcess] [140089741334336-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
2018-03-20 09:30:39,853 [authenticator authenticator.py:authenticate] [4876-MainProcess] [140089741334336-MainThread] - DEBUG: Roles along with principals found after authentication: None
```

dimitrigeo avatar Mar 20 '18 08:03 dimitrigeo

Could we schedule a talk over hangouts? What do you think?

venth avatar Mar 20 '18 11:03 venth

Perfect! I'll PM you.

dimitrigeo avatar Mar 20 '18 12:03 dimitrigeo

OK, looks like I can't PM here anymore. How can I contact you?

dimitrigeo avatar Mar 20 '18 13:03 dimitrigeo

artur(dot)krysiak(dot)warszawa(at)gmail(dot)com

venth avatar Mar 20 '18 15:03 venth

How do I integrate LinOTP with AD FS v4.0 and AWS? Do you have some doc that can help me, please?

kanijoo avatar May 17 '19 11:05 kanijoo