
Handling Device Registration (SCEP) #1354

Open
ahrenstein opened this issue Oct 14, 2024 · 0 comments


We're using Okta Verify on our Macs to validate the computer is enrolled in the company MDM (proving it is company hardware). This relies on SCEP between Okta and Jamf Pro to deploy a rotating certificate in macOS Keychain which Okta Verify can detect and then approve using TouchID.

A normal auth flow using example.okta.com in a browser is:

  1. Log in to Okta
  2. Be prompted for YubiKey
  3. See Dashboard
  4. Click AWS tile
  5. Get prompted for Okta Verify if it's a production account
  6. TouchID to authenticate Okta Verify
  7. Access granted

The issue here is saml2aws fails after the YubiKey is accepted with the following error:

Error authenticating to IdP.: error retrieving auth response: request for url: https://EXAMPLE.okta.com/api/v1/authn failed status: 401 Unauthorized

Is there any configuration we can change in the ~/.saml2aws file to make this work, or is this an unsupported configuration for API access? If this is an unsupported configuration, how can we get CLI API access without providing a less secure path than forcing it to be on company hardware?
