Duo Universal Prompt support by saml2aws with Okta provider

[zemliany]

Hey, team! Are there any plans to add Duo Universal Prompt for saml2aws or any workarounds for such methods of authentication? Recently we've faced the issue due to switching Duo Prompt to Duo Universal Prompt saml2aws stopped working

saml2aws verbosity log

NOTE: <app_id>, <factor_id>, <account_id> data was omitted, company name was replaced to pseudo

> saml2aws login --cache-saml --skip-prompt --duo-mfa-option="Duo Push" --verbose
DEBU[0000] Running                                       command=login
DEBU[0000] Check if creds exist.                         command=login
DEBU[0000] Expand                                        name=/Users/zemliany/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/Users/zemliany/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/Users/zemliany/.aws/credentials pkg=awsconfig
Using IdP Account default to access Okta https://my.company.okta.com/home/amazon_aws/<app_id>/272
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://my.company.okta.com/home/amazon_aws/<app_id>/272"
DEBU[0000] Get credentials                               helper=osxkeychain [email protected]
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://my.company.okta.com/home/amazon_aws/<app_id>/272/sessionCookie"
DEBU[0000] Get credentials                               helper=osxkeychain [email protected]
DEBU[0000] building provider                             command=login idpAccount="account {\n  DisableSessions: false\n  DisableRememberDevice: false\n  URL: https://my.company.okta.com/home/amazon_aws/<app_id>/272\n  Username: [email protected]\n  Provider: Okta\n  MFA: PUSH\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 28800\n  Profile: test-aws-profile\n  RoleARN: arn:aws:iam::<account_id>:role/SUPER-ADMIN\n  Region: \n}"
DEBU[0000] okta | disableSessions: false                 provider=okta
DEBU[0000] okta | rememberDevice: true                   provider=okta
DEBU[0000] resolveSymlink                                name=/Users/zemliany/.aws/saml2aws/cache_default pkg=samlcache
DEBU[0000] MFA Token expiry date:2024-02-08T17:30:20Z    Cache_file=/Users/zemliany/.aws/saml2aws/cache_default IdpAccount=default pkg=samlcache
DEBU[0000] Cache is invalid                              command=login
Authenticating as [email protected] ...
DEBU[0000] auth with session func called                 provider=okta
DEBU[0000] validate session func called                  provider=okta
DEBU[0000] HTTP Req                                      URL="https://my.company.okta.com/api/v1/sessions/me" http=client method=GET
DEBU[0000] HTTP Res                                      Status="200 OK" http=client
DEBU[0000] okta session established                      provider=okta
DEBU[0000] valid okta session                            provider=okta
DEBU[0000] HTTP Req                                      URL="https://my.company.okta.com/home/amazon_aws/<app_id>/272" http=client method=GET
DEBU[0001] HTTP Res                                      Status="200 OK" http=client
DEBU[0001] follow func called from auth with session func  provider=okta
DEBU[0001] HTTP Req                                      URL="https://my.company.okta.com/home/amazon_aws/<app_id>/272" http=client method=GET
DEBU[0001] HTTP Res                                      Status="200 OK" http=client
DEBU[0001] HTTP Req                                      URL="https://my.company.okta.com/home/amazon_aws/<app_id>/272" http=client method=GET
DEBU[0001] HTTP Res                                      Status="200 OK" http=client
DEBU[0001] HTTP Req                                      URL="https://my.company.okta.com/api/v1/authn" http=client method=POST
DEBU[0002] HTTP Res                                      Status="200 OK" http=client
DEBU[0002] MFA                                           factorID=<factor_id> mfaIdentifer="CUSTOM CLAIMS_PROVIDER" oktaVerify="https://my.company.okta.com/api/v1/authn/factors/<factor_id>/verify?rememberDevice=true" provider=okta
unsupported mfa provider
github.com/versent/saml2aws/v2/pkg/provider/okta.getMfaChallengeContext
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:712
github.com/versent/saml2aws/v2/pkg/provider/okta.verifyMfa
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:806
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:481
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:567
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:335
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:463
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
  github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
  github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
  runtime/proc.go:267
runtime.goexit
  runtime/asm_amd64.s:1650
error verifying MFA
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:483
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).follow
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:567
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).authWithSession
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:335
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
  github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:463
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
  github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
  github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
  runtime/proc.go:267
runtime.goexit
  runtime/asm_amd64.s:1650
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
  github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
  github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:191
runtime.main
  runtime/proc.go:267
runtime.goexit
  runtime/asm_amd64.s:1650 

Also, we found out following article: https://help.duo.com/s/article/6441?language=en_US
As per it, seems DUO Universal Prompt called to fight with third-party / non-recommended tools. Is there any chance to add support for Universal prompt or it's not possible?

I'm running saml2aws on MacOS Ventura 13.6.4

Thanks!

[zemliany]

e.g for aws-adfs that seems to be support this DUO Universal prompt feature https://github.com/venth/aws-adfs/blob/master/aws_adfs/_duo_universal_prompt_authenticator.py

[zemliany]

any updates?

[bkohrn]

It sounds like this may be an issue with any use of Duo; not with any single provider. My organization uses Shibboleth, and I'm encountering similar issues after they changed Duo over to the Duo Universal Prompt. In relevant part (starting after I entered my password and it sent the provider command), my verbose log reads:

DEBU[0006] HTTP Req                                      URL="https://idp.u.washington.edu/idp/profile/SAML2/Unsolicited/SSO?execution=e1s1" http=client method=POST
DEBU[0006] HTTP Res                                      Status="200 OK" http=client
panic: runtime error: index out of range [1] with length 0

goroutine 1 [running]:
github.com/versent/saml2aws/v2/pkg/provider/shibboleth.parseTokens({0xc0007ded80, 0xd39})
        github.com/versent/saml2aws/v2/pkg/provider/shibboleth/shibboleth.go:407 +0x239
github.com/versent/saml2aws/v2/pkg/provider/shibboleth.verifyMfa(0xc00022f550, 0xc0004dc000, {0xc0004a4501, 0x1c}, {0xc0007ded80, 0x31})
        github.com/versent/saml2aws/v2/pkg/provider/shibboleth/shibboleth.go:148 +0x5c
github.com/versent/saml2aws/v2/pkg/provider/shibboleth.(*Client).Authenticate(0xc00022f550, 0xc000242240)
        github.com/versent/saml2aws/v2/pkg/provider/shibboleth/shibboleth.go:105 +0x4dd
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login(0xc00022a140)
        github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105 +0x4da
main.main()
        ./main.go:188 +0x6c48

Edit: I see this on both saml2aws v2.34.0 and on saml2aws v2.36.10 (same behavior, same error, but the version I copied is from 2.34.0).

[zemliany]

@bkohrn yeah, seems Duo as a provider implements frameless prompt that during the starting auth session redirects to page that hosted on duosecurity.com with random prefix (e.g xxxxx-id.duosecurity.com)

Based on that announcement https://help.duo.com/s/article/6441?language=en_US I think they want to fight with third-party clients, so that’s why they trying to beat all these clients by not allowing to be used with Duo Universal Prompt and new version of frameless WebSDK4, but it doesn't mean that it's not possible to achieve workability of saml2aws with this recent novations. There is an example for gimme-aws-creds cli which supports Okta and Duo Universal Prompt through Okta Classic Nike-Inc/gimme-aws-creds#437

From other side, gimme-aws-creds can be used instead of saml2aws, but gimme-aws-creds has a number of other disadvantages like remember_device feature doesn’t work, tool doesn’t have a SAML caching and many others

[scottyrogers]

We are also facing the same issue with JumpCloud and DUO. We've had conversations with DUO and they are unwilling to support saml2aws or give us an option to role back the Duo Universal Prompt forced migration they made on May 30th which broke saml2aws.