I am working with Azure AD as the SSO SAML authentication for multiple AWS accounts.
I do not see an option to specify which role and account I want to gain the credentials to.
Without it the tool is unable to determine which account to generate the key pair for:
./saml2aws list-roles --verbose
DEBU[0000] Running command=list-roles
Using IdP Account default to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username assaf@xxxxxxxio
? Password ***************
DEBU[0009] building provider command=list idpAccount="account {\n AppID: XXXXXXXXX-5XXb-4XX-9XXX-XXXXXXXXXXXX\n URL: https://account.activedirectory.windowsazure.com\n Username: [email protected]\n Provider: AzureAD\n MFA: PhoneAppNotification\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 3600\n Profile: saml\n RoleARN: \n Region: \n}"
DEBU[0010] processing ConvergedSignIn provider=AzureAD
DEBU[0010] HTTP Req URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0010] HTTP Res Status="200 OK" http=client
DEBU[0010] HTTP Req URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0011] HTTP Res Status="200 OK" http=client
DEBU[0011] processing ConvergedTFA provider=AzureAD
DEBU[0011] HTTP Req URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0012] HTTP Res Status="200 OK" http=client
Phone approval required. Entropy is: XX
DEBU[0012] HTTP Req URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0034] HTTP Res Status="200 OK" http=client
DEBU[0034] processing KmsiInterrupt provider=AzureAD
DEBU[0034] HTTP Req URL="https://login.microsoftonline.com/kmsi" http=client method=POST
DEBU[0034] HTTP Res Status="200 OK" http=client
DEBU[0034] processing a 'hiddenform' provider=AzureAD
DEBU[0034] HTTP Req URL="https://launcher.myapps.microsoft.com/api/signin-oidc" http=client method=POST
DEBU[0035] HTTP Res Status="404 Not Found" http=client
DEBU[0035] reached an unknown page within the authentication process provider=AzureAD
failed get SAMLAssertion
github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).Authenticate
github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:221
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.ListRoles
github.com/versent/saml2aws/v2/cmd/saml2aws/commands/list_roles.go:66
main.main
./main.go:203
runtime.main
runtime/proc.go:271
runtime.goexit
runtime/asm_amd64.s:1695
error authenticating to IdP
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.ListRoles
github.com/versent/saml2aws/v2/cmd/saml2aws/commands/list_roles.go:68
main.main
./main.go:203
runtime.main
runtime/proc.go:271
runtime.goexit
runtime/asm_amd64.s:1695
The application should have an option to specify the AWS account ID to assign the token for:
./saml2aws --role=XXXX --region=us-east-1 --accountid=123456789
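The selection the reporter is asking for has to come out of the SAML assertion itself: AWS expects the IdP to send a `https://aws.amazon.com/SAML/Attributes/Role` attribute whose values are `role-ARN,saml-provider-ARN` pairs, one per entitlement, and `AssumeRoleWithSAML` needs exactly one pair. When the assertion carries roles in several accounts, a tool cannot pick one without a filter such as the account ID or role name. The Go program below is an added illustration, not saml2aws's own code: it parses a constructed assertion (fake account IDs and role names), extracts every pair, validates the ARNs, and then narrows them by a hypothetical account ID / role name filter, failing when the result is empty or ambiguous rather than silently choosing one.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample assertion (not a real one): two role entitlements in
// two different AWS accounts, plus an unrelated attribute to be ignored.
const sampleAssertion = `<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/AzureAD</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::210987654321:saml-provider/AzureAD,arn:aws:iam::210987654321:role/ReadOnly</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml2:AttributeValue>3600</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>`

const roleAttribute = "https://aws.amazon.com/SAML/Attributes/Role"

// Minimal view of the assertion; namespace prefixes are matched by local name.
type assertion struct {
	XMLName    xml.Name    `xml:"Assertion"`
	Attributes []attribute `xml:"AttributeStatement>Attribute"`
}

type attribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

// awsRole is one (RoleArn, PrincipalArn) pair as AssumeRoleWithSAML expects it.
type awsRole struct {
	RoleARN, PrincipalARN, AccountID string
}

// accountFromARN returns the 12-digit account field of an IAM ARN or an error.
func accountFromARN(arn string) (string, error) {
	f := strings.SplitN(arn, ":", 6) // arn:partition:service:region:account:resource
	if len(f) != 6 || len(f[4]) != 12 || strings.Trim(f[4], "0123456789") != "" {
		return "", fmt.Errorf("malformed IAM ARN %q", arn)
	}
	return f[4], nil
}

// parseRoleValue splits one attribute value into its role and provider ARNs.
// The two ARNs may appear in either order and must belong to the same account.
func parseRoleValue(v string) (awsRole, error) {
	var r awsRole
	for _, p := range strings.Split(v, ",") {
		p = strings.TrimSpace(p)
		if strings.Contains(p, ":role/") {
			r.RoleARN = p
		} else if strings.Contains(p, ":saml-provider/") {
			r.PrincipalARN = p
		}
	}
	if r.RoleARN == "" || r.PrincipalARN == "" {
		return r, fmt.Errorf("Role value %q is not a role,provider ARN pair", v)
	}
	acct, err := accountFromARN(r.RoleARN)
	if err != nil {
		return r, err
	}
	if pacct, err := accountFromARN(r.PrincipalARN); err != nil || pacct != acct {
		return r, fmt.Errorf("Role value %q mixes accounts or has a bad provider ARN", v)
	}
	r.AccountID = acct
	return r, nil
}

// parseRoles returns every role pair carried by the assertion.
func parseRoles(assertionXML string) ([]awsRole, error) {
	var a assertion
	if err := xml.Unmarshal([]byte(assertionXML), &a); err != nil {
		return nil, err
	}
	var roles []awsRole
	for _, attr := range a.Attributes {
		if attr.Name != roleAttribute {
			continue
		}
		for _, v := range attr.Values {
			r, err := parseRoleValue(v)
			if err != nil {
				return nil, err
			}
			roles = append(roles, r)
		}
	}
	if len(roles) == 0 {
		return nil, errors.New("assertion carries no AWS Role attribute")
	}
	return roles, nil
}

// selectRole applies the hypothetical --accountid / --role filters. An empty
// filter matches everything; zero or several survivors is an error, so the
// caller never assumes a role the user did not explicitly ask for.
func selectRole(roles []awsRole, accountID, roleName string) (awsRole, error) {
	var matches []awsRole
	for _, r := range roles {
		if (accountID == "" || r.AccountID == accountID) &&
			(roleName == "" || strings.HasSuffix(r.RoleARN, ":role/"+roleName)) {
			matches = append(matches, r)
		}
	}
	if len(matches) != 1 {
		return awsRole{}, fmt.Errorf("%d roles match account %q role %q; refine the filter", len(matches), accountID, roleName)
	}
	return matches[0], nil
}

func main() {
	roles, err := parseRoles(sampleAssertion)
	if err != nil {
		panic(err)
	}
	for _, r := range roles {
		fmt.Printf("account %s  %s\n", r.AccountID, r.RoleARN)
	}
	if r, err := selectRole(roles, "210987654321", ""); err == nil {
		fmt.Printf("selected: %s via %s\n", r.RoleARN, r.PrincipalARN)
	}
}
```

Without any filter the sample yields two candidates and `selectRole` refuses to guess, which is exactly the situation the issue describes; an account-ID filter alone is enough here because each account carries one role, while an account with several roles would also need the role name.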