saml2aws: AzureAD: unable to locate SAMLRequest URL, error authenticating to IdP

Configured according to this documentation: aad

I’m trying to authenticate with saml2aws to AzureAD -> AWS SSO. saml2aws reports that authentication to the identity provider fails; however, in Azure AD the login attempts are all successful.

DEBU[0000] Running                                       command=login
DEBU[0000] check if Creds Exist                          command=login
DEBU[0000] Expand                                        name=/home/elias/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/mnt/c/Users/EliasEricsson-Rydber/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/mnt/c/Users/EliasEricsson-Rydber/.aws/credentials pkg=awsconfig
Using IDP Account default to access AzureAD https://account.activedirectory.windowsazure.com
To use saved password just hit enter.
? Username
? Password ***********

DEBU[0007] building provider                             command=login idpAccount="account {\n  AppID: ********-****-****-****-************\n  URL: https://account.activedirectory.windowsazure.com\n  Username: ***@***\n  Provider: AzureAD\n  MFA: Auto\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 3600\n  Profile: saml\n  RoleARN: \n  Region: \n}"
Authenticating as ***@*** ...
DEBU[0008] HTTP Req                                      URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0008] HTTP Res                                      Status="200 OK" http=client
DEBU[0008] HTTP Req                                      URL="https://login.microsoftonline.com:443/common/DeviceAuthTls/reprocess" http=client method=POST
DEBU[0008] HTTP Res                                      Status="200 OK" http=client
unable to locate SAMLRequest URL
error authenticating to IdP
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
        github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:84
main.main
        command-line-arguments/main.go:177
runtime.main
        runtime/proc.go:225
runtime.goexit
        runtime/asm_amd64.s:1371

Running Ubuntu 20.04 (WSL2)

saml2aws --version
2.28.3

Very thankful for any help or suggestions!

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 6
  • Comments: 36 (13 by maintainers)

Most upvoted comments

@missingcharacter How can I verify https://github.com/Versent/saml2aws/issues/628#issuecomment-1437663786 ?

I don’t see SAMLRequest=..... in the logs. Do I need to download the source and run the source?

Also, today I updated my saml2aws version and now I see the following error:

DEBU[0006] processing ConvergedSignIn                    provider=AzureAD
DEBU[0006] HTTP Req                                      URL="https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US" http=client method=POST
DEBU[0007] HTTP Res                                      Status="200 OK" http=client
DEBU[0007] HTTP Req                                      URL="https://login.microsoftonline.com/common/login" http=client method=POST
DEBU[0008] HTTP Res                                      Status="200 OK" http=client
DEBU[0008] processing a 'hiddenform'                     provider=AzureAD
DEBU[0008] HTTP Req                                      URL="https://login.microsoftonline.com:443/common/DeviceAuthTls/reprocess" http=client method=POST
DEBU[0008] HTTP Res                                      Status="200 OK" http=client
DEBU[0008] processing ConvergedTFA                       provider=AzureAD
DEBU[0008] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/BeginAuth" http=client method=POST
DEBU[0009] HTTP Res                                      Status="200 OK" http=client
Phone approval required. Entropy is: 92
DEBU[0009] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0009] HTTP Res                                      Status="200 OK" http=client
DEBU[0010] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0011] HTTP Res                                      Status="200 OK" http=client
DEBU[0012] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0012] HTTP Res                                      Status="200 OK" http=client
DEBU[0013] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0014] HTTP Res                                      Status="200 OK" http=client
DEBU[0015] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0015] HTTP Res                                      Status="200 OK" http=client
DEBU[0016] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/EndAuth" http=client method=POST
DEBU[0016] HTTP Res                                      Status="200 OK" http=client
DEBU[0016] HTTP Req                                      URL="https://login.microsoftonline.com/common/SAS/ProcessAuth" http=client method=POST
DEBU[0017] HTTP Res                                      Status="200 OK" http=client
DEBU[0017] processing a 'hiddenform'                     provider=AzureAD
DEBU[0017] HTTP Req                                      URL="https://account.activedirectory.windowsazure.com/" http=client method=POST
DEBU[0017] HTTP Res                                      Status="403 Forbidden" http=client
DEBU[0017] reached an unknown page within the authentication process  provider=AzureAD
failed get SAMLAssertion
github.com/versent/saml2aws/v2/pkg/provider/aad.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/aad/aad.go:222
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:190
runtime.main
	runtime/proc.go:250
runtime.goexit
	runtime/asm_arm64.s:1172
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:190
runtime.main
	runtime/proc.go:250
runtime.goexit
	runtime/asm_arm64.s:1172


@missingcharacter - I have a use case where saml2aws functioning for AzureAD (IdP) and Amazon SSO (SP) would be useful - we have a mixed environment where some AWS accounts use AWS SSO, and other accounts in AWS GovCloud cannot use AWS SSO because it is not supported in GovCloud. There we are using the traditional AWS SAML 2.0 login scheme with AzureAD as the IdP. If saml2aws could support both then we could have a single CLI login experience for users and it would be very helpful!
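The SAMLRequest check asked about earlier in this thread ("I don’t see SAMLRequest=..... in the logs") and the AWS SSO versus classic AWS SAML distinction in the comment just above both come down to the same question: which service provider is the AuthnRequest that the IdP receives actually for? The script below is an added example, not part of this thread and not saml2aws code. It scans saml2aws debug output for an HTTP Req line whose URL carries a SAMLRequest query parameter, decodes it (HTTP-Redirect binding: base64, then raw DEFLATE), and reports the Issuer and AssertionConsumerServiceURL, flagging whether they are the classic AWS federation pair (urn:amazon:webservices, https://signin.aws.amazon.com/saml) that the AmazonWebservicesURN setting in the log above refers to. The log lines, the AuthnRequest bodies and the IAM Identity Center style Issuer/ACS URLs are constructed placeholders (the SSO URL shape is an assumption, not copied from a real tenant), and every function name is this example's own.

```python
"""Added example (not saml2aws code): decode a SAMLRequest from saml2aws debug output
and identify which service provider (classic AWS SAML or AWS SSO) it targets."""
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Classic (non-SSO) AWS SAML federation: the SP identity and ACS the issue's log refers to
# via AmazonWebservicesURN.
CLASSIC_AWS_ISSUER = "urn:amazon:webservices"
CLASSIC_AWS_ACS = "https://signin.aws.amazon.com/saml"

URL_RE = re.compile(r'URL="([^"]+)"')


def decode_saml_request(encoded: str) -> str:
    """HTTP-Redirect binding: base64 -> raw DEFLATE (wbits=-15) -> XML text.
    Falls back to plain base64 for the HTTP-POST binding, which is not deflated."""
    raw = base64.b64decode(encoded)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        return raw.decode("utf-8")


def encode_saml_request(xml_text: str) -> str:
    """Inverse of decode_saml_request; used here only to build the constructed samples."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def saml_request_from_url(url: str) -> Optional[str]:
    """Return the SAMLRequest query parameter of a redirect-binding URL, if present."""
    values = parse_qs(urlparse(url).query).get("SAMLRequest")
    return values[0] if values else None


def inspect_authn_request(xml_text: str) -> dict:
    """Pull the fields that say which SP the IdP is being asked to authenticate for."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    acs = root.get("AssertionConsumerServiceURL", "")
    return {
        "issuer": issuer,
        "acs": acs,
        "destination": root.get("Destination", ""),
        # True only for the classic AWS SAML app; an AWS SSO (IAM Identity Center) app
        # has a different Issuer/ACS pair and will not satisfy this check.
        "classic_aws_saml": issuer == CLASSIC_AWS_ISSUER and acs == CLASSIC_AWS_ACS,
    }


def find_saml_requests_in_log(lines) -> list:
    """Scan saml2aws debug lines for HTTP Req URLs that carry SAMLRequest= and decode each."""
    found = []
    for line in lines:
        match = URL_RE.search(line)
        if not match:
            continue
        encoded = saml_request_from_url(match.group(1))
        if encoded:
            found.append(inspect_authn_request(decode_saml_request(encoded)))
    return found


def _authn_request(issuer: str, acs: str) -> str:
    # Constructed minimal AuthnRequest; ID, IssueInstant and Destination are placeholders.
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_example" Version="2.0" '
        'IssueInstant="2023-01-01T00:00:00Z" '
        'Destination="https://login.microsoftonline.com/common/saml2" '
        'AssertionConsumerServiceURL="%s" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
    ) % (NS["samlp"], NS["saml"], acs, issuer)


# Constructed samples: one classic AWS request and one shaped like an IAM Identity Center
# (AWS SSO) request. The SSO Issuer/ACS URLs are assumed placeholders, not from a real tenant.
CLASSIC_REQUEST = _authn_request(CLASSIC_AWS_ISSUER, CLASSIC_AWS_ACS)
SSO_REQUEST = _authn_request(
    "https://us-east-1.signin.aws.amazon.com/platform/saml/d-0123456789",
    "https://us-east-1.signin.aws.amazon.com/platform/saml/acs/0123abcd-0000-0000-0000-000000000000",
)


def _redirect_url(xml_text: str) -> str:
    return "https://login.microsoftonline.com/common/saml2?" + urlencode(
        {"SAMLRequest": encode_saml_request(xml_text)}
    )


# Constructed log lines in the shape of the saml2aws debug output quoted in this issue.
SAMPLE_LOG = [
    'DEBU[0008] HTTP Req   URL="https://login.microsoftonline.com/common/login" http=client method=POST',
    'DEBU[0008] HTTP Req   URL="%s" http=client method=GET' % _redirect_url(CLASSIC_REQUEST),
    'DEBU[0009] HTTP Req   URL="%s" http=client method=GET' % _redirect_url(SSO_REQUEST),
]

if __name__ == "__main__":
    for req in find_saml_requests_in_log(SAMPLE_LOG):
        print(req)
```

To use it against a real run, feed the lines of `saml2aws login --verbose` to find_saml_requests_in_log; if it returns nothing, the IdP never redirected the client to a SAML endpoint, which is exactly the situation behind "unable to locate SAMLRequest URL". If it returns a request whose classic_aws_saml is False, the AzureAD application is an AWS SSO style SP rather than the classic AWS SAML app.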

Same issue in 2.28.4; however, 2.27.1 works for me, you can give it a try.