saml2aws's Issues

saml2aws 2.0 configuration changes and refactor

I am currently working on a refactor of the providers, and a new configuration file.

The goals of this release are:

  1. Enable configurable MFA per provider, to support #50
  2. Refactor all the providers into their own package to enable a bit more protection, and the flexibility to do more in each.
  3. Allow any number of new parameters for providers instead of just skip-verify
  4. A general tidy based on feedback from https://goreportcard.com/report/github.com/versent/saml2aws

This work is ongoing in the master branch but given the breaking config change is last this should be OK.

New configuration will be located at ~/.saml2aws, rather than the current ~/.aws2saml and look something like:

[wolfeidau]
hostname = id.wolfe.id.au
username = [email protected]
provider = keycloak
mfa      = totp

[test123]
hostname = id.whatever.com
username = [email protected]
provider = keycloak
mfa      = sms

There will be a new configure command, similar to the AWS cli which will enable you to setup IDP accounts and give each a name.

Outstanding tasks:

  • Configuration refactor
  • Provider refactor
  • Use the provider flag to highlight configuration changes and point to readme.
  • Update readme
  • Implement timeouts for http client
  • Debug Logging
  • Pre release build

Windows cannot save credentials to missing .aws folder

The AWS cli does not create the C:\Users\{username}\.aws folder in Windows. Running saml2aws results in the following error if the folder doesn't exist.

Saving credentials
main.go:66: error saving credentials: open C:\Users\{username}\.aws\credentials: The system cannot find the path specified.

Manually creating the folder fixes the issue. Perhaps we could have a check for the folder and create it if it's missing.

saved username is not used

While the username is listed in the ~/.aws2saml.config file

Still getting prompted for username (and not offered as a default value)

secondly, would like to skip prompt for hostname and username and only prompt for password.

using version 1.8.3

Ability to configure session expiry time

Currently when authenticating, the resulting credentials are only valid for an hour. Is there a way to configure this value so that we could have credentials expire after 6 hours?

When we first configured access to our AWS console via ADFS we were able to set up a claim rule that specified how long the session should last (see this AWS blog post for more info). It would be great if saml2aws could make use of this same claim rule.

saml2aws login without storing account

It would be good to be able to run saml2aws login without having to always have accounts preconfigured (in the ~/.saml2aws config file via saml2aws configure).

Given all the account details required by saml2aws configure can be passed as command line flags to saml2aws login, it would be good to have the option to skip the saml2aws configure step.

This is probably going to also be a pre-requisite for #55

SAML Role AttributeValue order important otherwise selection list doesn't include role

saml2AWS expects the SAML Role (https://aws.amazon.com/SAML/Attributes/Role) AttributeValue to be formatted as saml-provider,role
eg arn:aws:iam::456456456456:saml-provider/example-idp,arn:aws:iam::456456456456:role/admin
otherwise if the order is reversed the role selection list displays as follows:

Please choose the role you would like to assume:
[ 0 ]:  arn:aws:iam::123123123123:saml-provider/example-idp
[ 1 ]:  arn:aws:iam::123123123123:saml-provider/example-idp
[ 2 ]:  arn:aws:iam::123123123123:saml-provider/example-idp
[ 3 ]:  arn:aws:iam::123123123123:saml-provider/example-idp
[ 4 ]:  arn:aws:iam::123123123123:saml-provider/example-idp

AWS do not mandate an order for the Role Attribute Value in the SAML assertion, as such identity providers can populate this attribute in any order and AWS will still be able to process the information. saml2AWS should follow the same behaviour.
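As an added illustration (not code from saml2aws), the Go function below accepts the Role attribute value in either order, so a reversed pair still yields the role ARN for the selection list instead of the provider ARN; the ARN shape check and the sample values (taken from the ARNs quoted above) are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RolePair is one entry of the https://aws.amazon.com/SAML/Attributes/Role attribute.
type RolePair struct {
	PrincipalARN string // arn:<partition>:iam::<account>:saml-provider/<name>
	RoleARN      string // arn:<partition>:iam::<account>:role/<name>
}

// isIAMARN reports whether arn has the arn:<partition>:iam::<12-digit account>:<resource>
// shape and the resource part starts with resourcePrefix. The partition is not pinned to
// "aws" so GovCloud style ARNs pass as well.
func isIAMARN(arn, resourcePrefix string) bool {
	f := strings.SplitN(arn, ":", 6)
	if len(f) != 6 || f[0] != "arn" || f[2] != "iam" || f[3] != "" || len(f[4]) != 12 {
		return false
	}
	for _, c := range f[4] {
		if c < '0' || c > '9' {
			return false
		}
	}
	return strings.HasPrefix(f[5], resourcePrefix)
}

// ParseRoleAttribute classifies the two comma separated ARNs by their resource type
// rather than by position, so "provider,role" and "role,provider" are both accepted.
// Anything that is not exactly one provider ARN and one role ARN is rejected.
func ParseRoleAttribute(value string) (RolePair, error) {
	parts := strings.Split(value, ",")
	if len(parts) != 2 {
		return RolePair{}, fmt.Errorf("role attribute must contain exactly two ARNs: %q", value)
	}
	var pair RolePair
	for _, p := range parts {
		p = strings.TrimSpace(p)
		switch {
		case isIAMARN(p, "saml-provider/"):
			pair.PrincipalARN = p
		case isIAMARN(p, "role/"):
			pair.RoleARN = p
		default:
			return RolePair{}, fmt.Errorf("unrecognised ARN in role attribute: %q", p)
		}
	}
	if pair.PrincipalARN == "" || pair.RoleARN == "" {
		return RolePair{}, errors.New("role attribute needs one saml-provider ARN and one role ARN")
	}
	return pair, nil
}

func main() {
	// Constructed sample values: the same pair in both orders, plus a malformed entry.
	samples := []string{
		"arn:aws:iam::456456456456:saml-provider/example-idp,arn:aws:iam::456456456456:role/admin",
		"arn:aws:iam::456456456456:role/admin,arn:aws:iam::456456456456:saml-provider/example-idp",
		"arn:aws:iam::456456456456:saml-provider/example-idp",
	}
	fmt.Println("Please choose the role you would like to assume:")
	for i, s := range samples {
		pair, err := ParseRoleAttribute(s)
		if err != nil {
			fmt.Printf("[ %d ]:  skipped (%v)\n", i, err)
			continue
		}
		fmt.Printf("[ %d ]:  %s\n", i, pair.RoleARN)
	}
}
```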

Strange console output

saml2aws prints a strange output about osx helpers for every command.

$ saml2aws --version
Adding osx helper
1.8.2

saml2aws exec does not work if not logged in

$ saml2aws exec bash
Adding osx helper
NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
error validating token
github.com/versent/saml2aws/cmd/saml2aws/commands.Exec
	/Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/exec.go:26
main.main
	/Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:75
runtime.main
	/usr/local/Cellar/go/1.8.1/libexec/src/runtime/proc.go:185
runtime.goexit
	/usr/local/Cellar/go/1.8.1/libexec/src/runtime/asm_amd64.s:2197

It happens in the checkToken function. It should handle more AWS errors by going to login.

KeyCloak MFA support

When attempting to login with saml2aws using the KeyCloak IdP I get the error
"Response did not contain a valid SAML assertion" when MFA is enabled.

Cater for MFA status of MFA_ENROLL (Okta)

With Okta, if no factors have been enrolled, assertion is assumed and fails with error:
"Response did not contain a valid SAML assertion"

This is the status from the response

"status\":\"MFA_ENROLL\"

Maybe just need a nice message to the user to go to Okta and enroll some new MFA types

saml2aws login fails when $HOME/.aws/credentials missing

saml2aws login fails with the following error when $HOME/.aws/credentials file is missing.

lstat /home/sjcho/.aws/credentials: no such file or directory
unable to resolve symlink
github.com/versent/saml2aws/pkg/awsconfig.(*CredentialsProvider).filename
        /opt/saml2aws/src/github.com/versent/saml2aws/pkg/awsconfig/awsconfig.go:144
github.com/versent/saml2aws/pkg/awsconfig.(*CredentialsProvider).Save
        /opt/saml2aws/src/github.com/versent/saml2aws/pkg/awsconfig/awsconfig.go:64
github.com/versent/saml2aws/cmd/saml2aws/commands.Login
        /opt/saml2aws/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:146
main.main
        /opt/saml2aws/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:76
runtime.main
        /snap/go/922/src/runtime/proc.go:185
runtime.goexit
        /snap/go/922/src/runtime/asm_amd64.s:2337
error saving credentials
github.com/versent/saml2aws/cmd/saml2aws/commands.Login
        /opt/saml2aws/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:148
main.main
        /opt/saml2aws/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:76
runtime.main
        /snap/go/922/src/runtime/proc.go:185
runtime.goexit
        /snap/go/922/src/runtime/asm_amd64.s:2337

The command works fine when I create an empty credentials file before running the command.

--role seems to be ignored

Works

  • Login works with saml2aws login
  • awscli works with multiple profiles defined in ~/.aws/config. For example this non-default profile can be used: aws -p dev ec2 describe-instances.

Does not work

  • Login and specify the same arn role as defined in ~/.aws/config for profile 'dev'. Error message:
Supplied RoleArn not found in saml assertion: <supplied arn role>
Failed to assume role, please check you are permitted to assume the given role for the AWS service

(1) As shown above, I am permitted to assume this role... Or is there a difference with logging in with an arn role specified via --role vs logging in and assuming that same arn role via aws -p?

  • Using the same arn role as defined in ~/.aws/config for profile 'dev' and then execute:
saml2aws exec --role '<arn role copied from aws config>' aws ec2 describe-instances
Running command as: arn:aws:sts::....:assumed-role/..../....

The Running command as: does not show the role specified by the --role parameter. It's even possible to add a bogus text value for the --role parameter, and it still executes with always the same role.

(2) How can I use exec with a different arn role?

login args

Can I pass in host and username via args?

saml2aws login -h hostname -u username

Can't read AWS env vars after exec sub command

The readme file says that the exec sub command exports the following environment variables -

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_SESSION_TOKEN
  • AWS_SECURITY_TOKEN
  • EC2_SECURITY_TOKEN

I'm having trouble seeing them.

saml2aws exec --provider=Ping -- echo AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID

returns

Running command as: arn:aws:sts::<blah>:assumed-role/admin/me
AWS_ACCESS_KEY_ID=

I was expecting to be able to see the value of the AWS_ACCESS_KEY_ID environment variable.

Can't login if user has only one IAM role

Users can't login to AWS if they are configured in the IdP with a single IAM role only.

If a user is configured with only a single IAM role in the IdP, saml2aws used to log the user in without prompting them to select a role. If they have more than one role, they are presented with a list of roles they must select from.

This was working in version 1.7.1 but with 1.8.1 this no longer works. If the user is configured with one role only, they are now prompted to select a role from the list but no list is printed. Entering 0 causes it to crash.

$ saml2aws login --provider=KeyCloak
Adding osx helper
Hostname [hostname.com.au/auth/realms/amp/protocol/saml/clients/amazon-aws]:
To use saved username and password just hit enter.
Username [user]:
Password: **********

Authenticating as user to KeyCloak https://hostname.com.au/auth/realms/amp/protocol/saml/clients/amazon-aws
Please choose the role you would like to assume:
Selection: 0
panic: runtime error: index out of range

goroutine 1 [running]:
github.com/versent/saml2aws.PromptForAWSRoleSelection(0x477cdd8, 0x0, 0x0, 0x477cdd8, 0x0, 0x0)
	/Users/markw/Code/go/src/github.com/versent/saml2aws/input.go:88 +0x602
github.com/versent/saml2aws/cmd/saml2aws/commands.resolveRole(0xc42000e080, 0x1, 0x1, 0xc4204fc000, 0x29d4, 0xc4201461c0, 0x0, 0x0, 0xa0)
	/Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:220 +0x123
github.com/versent/saml2aws/cmd/saml2aws/commands.Login(0xc4201461c0, 0x5, 0x44d7ab7)
	/Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:103 +0x4cb
main.main()
	/Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:73 +0x272

Version: saml2aws version 1.8.1
OS: macOS 10.12.5 (Sierra)
Provider: KeyCloak

Output too verbose and misleading

The latest release has verbose output and behaves strangely when no username was saved before:

[hoegertn@MacBook-Pro Downloads]$ ./saml2aws login --role="arn:aws:iam::123456789012:role/ADFS-Test"
adding osx helper
LookupCredentials <ADFS-URL>
hostname <ADFS-URL>
Using saved username
Using saved password
savedUsername
Hostname [<ADFS-URL>]:
To use saved username and password just hit enter.
Username []:
Username []: someusername
Password: ********

Authenticating to ADFS with URL https://<ADFS-URL>
Selected role: arn:aws:iam::123456789012:role/ADFS-Test
Requesting AWS credentials using SAML assertion
Saving credentials
Logged in as: arn:aws:sts::123456789012:assumed-role/ADFS-Test/someusername

Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2017-07-27 15:08:08 +0200 CEST
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile saml ec2 describe-instances).
Saving config: /Users/hoegertn/.aws2saml.config

Second try:

[hoegertn@MacBook-Pro Downloads]$ ./saml2aws login --role="arn:aws:iam::123456789012:role/ADFS-Test"
adding osx helper
LookupCredentials <ADFS-URL>
hostname <ADFS-URL>
Using saved username
Using saved password
savedUsername someusername
Hostname [<ADFS-URL>]:
To use saved username and password just hit enter.
Username [someusername]:
Password: ********

Authenticating to ADFS with URL https://<ADFS-URL>
Selected role: arn:aws:iam::123456789012:role/ADFS-Test
Requesting AWS credentials using SAML assertion
Saving credentials
Logged in as: arn:aws:sts::123456789012:assumed-role/ADFS-Test/someusername

Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2017-07-27 15:08:24 +0200 CEST
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile saml ec2 describe-instances).
Saving config: /Users/hoegertn/.aws2saml.config
[hoegertn@MacBook-Pro Downloads]$

ADFS2 can't find IDP authentication form submit URL

Trying to auth to ADFS v2 environment and getting the following using version 1.4.0. I don't control/have access to ADFS. Let me know if there is anything else I can try for you.

C:\Users\jbruett>saml2aws --profile ADFS2 login
Hostname []: adfs.******.com
Username []: jbruett
Password: ***********

ADFS https://adfs.******.com
Authenticating to ADFS...
main.go:66: error authenticating to adfs: unable to locate IDP authentication form submit URL

C:\Users\jbruett>saml2aws --profile ADFS2 login
Hostname []: adfs.****.com/adfs/ls/IdpInitiatedSignon.aspx
Username []: jbruett
Password: ***********

ADFS https://adfs.******.com/adfs/ls/IdpInitiatedSignon.aspx
Authenticating to ADFS...
main.go:66: error authenticating to adfs: unable to locate IDP authentication form submit URL

C:\Users\jbruett>saml2aws --profile ADFS2 login
Hostname []: adfs..com
Username []: jbruett@
.com
Password: ***********

ADFS https://adfs.******.com
Authenticating to ADFS...
main.go:66: error authenticating to adfs: unable to locate IDP authentication form submit URL

C:\Users\jbruett>saml2aws --profile ADFS2 login
Hostname []: adfs..com/adfs/ls/IdpInitiatedSignon.aspx
Username []: jbruett@
.com
Password: ***********

ADFS https://adfs.******.com/adfs/ls/IdpInitiatedSignon.aspx
Authenticating to ADFS...
main.go:66: error authenticating to adfs: unable to locate IDP authentication form submit URL

Let users enter the one time passcode for ping IdP if possible

Need to figure out if we can accept the passcode and send that to ping.

As reported by @ltrifonov and @rowanu

it fails often after a long inactivity, my android has some aggressive memory management and it kills something, perhaps the ping push listener. The only way to re-activate it is Disable swipe -> confirm, then Enable swipe -> confirm

PITA

Additional line in output when prompted for Security Token

Hey guys, there's a minor display issue when a security token is requested:

Authenticating as fots ...

Security Token [000000]
: xxxxxx
Please choose the role you would like to assume:

Expected Result:

Authenticating as fots ...

Security Token [000000]: xxxxxx
Please choose the role you would like to assume:

Cheers
Fotis

saml2aws exec without storing profile

It would be great to be able to use "saml2aws exec" without storing the credentials to the config but using only env.

So it would be possible to start multiple "saml2aws exec bash" with different roles.

Unable to authenticate to Okta + Duo when new Okta Sign-In Page enabled

When enabling the new Okta Sign-In Page saml2aws borks with the following error
Authenticating to Okta... main.go:66: error authenticating to adfs: unable to locate IDP authentication form submit URL

Okta have changed the way they initiate a login with the new Okta Sign-In page. It appears the JavaScript signin widget now calls the Okta Auth api which then initiates the Duo Web Widget when duo is enabled.

saml2aws needs to use the okta auth api instead of the previous simulation via the web page.

SMS MFA Support

My normal browser displays a page like this:

For security reasons, we require additional information to verify your account ([email protected])

We've sent a text message with a verification code.

+xx xxx xxx1234
Verification code

saml2aws fails with this error on mfa enabled accounts:

Response did not contain a valid SAML assertion
Please check your username and password is correct

saml2aws -i Ping does a segmentation violation and fails

saml2aws -p saml -i Ping login

Ping https://xxxx.xxxx.xx
Authenticating to Ping...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x13e46ea]

goroutine 1 [running]:
github.com/versent/saml2aws.(*PingFedClient).Authenticate(0xc42000e1d8, 0xc420146a20, 0xc42000e1d8, 0x0, 0x0, 0x1a)
/Users/markw/Code/go/src/github.com/versent/saml2aws/pingfed.go:102 +0x4ca
github.com/versent/saml2aws/cmd/saml2aws/commands.Login(0x7fff5fbffc04, 0x4, 0x7fff5fbffc0c, 0x4, 0x14cd400, 0x5, 0x0)
/Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:46 +0x398
main.main()
/Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:60 +0x29c

no buildable Go source files osxkeychain

How to reproduce.
OS: Ubuntu 16.04.1 LTS
How: initiate make command.
Output:

1 errors occurred:
--> darwin/amd64 error: exit status 1
Stderr: go build github.com/versent/saml2aws/helper/osxkeychain: no buildable Go source files in /home/debojit/gocode/src/github.com/versent/saml2aws/helper/osxkeychain

Makefile:29: recipe for target 'compile' failed
make: *** [compile] Error 1

saml2aws exec not honouring command line login options when credential file has valid STS token

Please see console output below for steps to reproduce.
Points to note:

  • Login details redacted, but faithfully so as to still highlight the observed behaviour
  • ~/.aws/credential file was present (but empty) before first invocation of exec
  • second invocation of exec was done immediately after the first, so there was no chance of STS token expiry
  • the requested role of first invocation of exec is AcmeRole1, while for the second invocation it's AcmeRole2
  • both invocations of exec end up running as the same role, namely AcmeRole1

[centos@localhost ~]$ saml2aws -i KeyCloak --hostname="id.acme.com/auth/realms/acme/protocol/saml/clients/amazon-aws" --username="joe.bloggs" --password="${SAML2AWS_PASSWORD}" --role="arn:aws:iam::012345678910:role/AcmeRole1" --skip-prompt exec aws sts get-caller-identity

Authenticating as joe.bloggs to KeyCloak https://id.acme.com/auth/realms/acme/protocol/saml/clients/amazon-aws
Selected role: arn:aws:iam::012345678910:role/AcmeRole1
Requesting AWS credentials using SAML assertion
Logged in as: arn:aws:sts::012345678910:assumed-role/AcmeRole1/joe.bloggs
Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2017-09-08 00:35:28 +1000 AEST
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile saml ec2 describe-instances).
Saving config: /home/centos/.aws2saml.config

{
    "Account": "012345678910", 
    "UserId": "ABCDEF123456GHIJKLMN0:joe.bloggs", 
    "Arn": "arn:aws:sts::012345678910:assumed-role/AcmeRole1/joe.bloggs"
}

[centos@localhost ~]$ saml2aws -i KeyCloak --hostname="id.acme.com/auth/realms/acme/protocol/saml/clients/amazon-aws" --username="joe.bloggs" --password="${SAML2AWS_PASSWORD}" --role="arn:aws:iam::012345678910:role/AcmeRole2" --skip-prompt exec aws sts get-caller-identity

Running command as: arn:aws:sts::012345678910:assumed-role/AcmeRole1/joe.bloggs

{
    "Account": "012345678910", 
    "UserId": "ABCDEF123456GHIJKLMN0:joe.bloggs", 
    "Arn": "arn:aws:sts::012345678910:assumed-role/AcmeRole1/joe.bloggs"
}

Expected behaviour is that the second (and any) invocation of exec would run under the requested role in the command line options (i.e. AcmeRole2 in the case of the second invocation above)

GovCloud Support

Would be great if this worked with us-gov-west-1, which has a different urn (amazon:webservices:govcloud) and uses a different sts endpoint. I tried changing the urn in the ADFS provider and re-building, but I was still directed to the public endpoints and got a role from the public side.

The --skip-prompt option should prompt for a password if not specified with --password

It is undesirable to use the --password option due to safety, but --skip-prompt is at least useful to skip the Username prompt. However, this is what happens:

fots > ~ $ saml2aws --skip-prompt -a fots login
Using IDP Account amp to access KeyCloak https://...
Authenticating as fots ...
Empty password
error validating login details
github.com/versent/saml2aws/cmd/saml2aws/commands.Login
        /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:65
main.main
        /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:95
runtime.main
        /usr/local/Cellar/go/1.9.2/libexec/src/runtime/proc.go:195
runtime.goexit
        /usr/local/Cellar/go/1.9.2/libexec/src/runtime/asm_amd64.s:2337

This works as expected for the MFA token input with the --skip-prompt option:

fots > ~ $ saml2aws --skip-prompt --password=pass123 -a fots login
Using IDP Account amp to access KeyCloak https://...
Authenticating as fots ...

Security Token [000000]
:

Cheers
Fotis

Additional attributes to associate with an IDP account (optionally)

Hi,

We have many clients so this new ability to save configurations per idp is awesome, but it still places the AWS session token into the default profile.

You can override it on the command line
~/go/bin/saml2aws --idp-account=somecustomer --profile somecustomer_saml login

But it would be good if profile could be saved into the idp configuration also, allowing:
~/go/bin/saml2aws --idp-account=somecustomer login

I understand this may not be needed by everyone so I think it should be optional.

login returns error "error loading saved password"

I'm seeing the following error when trying to login. I have previously been able to login.

Adding osx helper
One or more parameters passed to a function were not valid.
error loading saved password
github.com/versent/saml2aws/cmd/saml2aws/commands.resolveLoginDetails
	/Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:162
github.com/versent/saml2aws/cmd/saml2aws/commands.Login
	/Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:45
main.main
	/Users/markw/Code/go/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:73
runtime.main
	/usr/local/Cellar/go/1.8.1/libexec/src/runtime/proc.go:185
runtime.goexit
	/usr/local/Cellar/go/1.8.1/libexec/src/runtime/asm_amd64.s:2197

Version info

➜  ~ saml2aws --version
Adding osx helper
1.8.2

Write diagnostic output to stderr

Prompts and auth details should be written to stdout.

This is especially important when using the exec variant as I want to pipe the output of the subcommand ignoring the saml2aws output.

Ability for multiple hostnames in .aws2saml.conf file

Would it be possible to create the option to have multiple hostnames for a single provider? Example if you have different roles and you wanted to switch between them with SAML2AWS you have to enter a different hostname in each time. If there was a way to read the config file with hostnames that you wanted to regularly use that would make things really easy for switch authenticating.

Hard to identify Account from selection list if using standard role names

saml2AWS doesn't have the account friendly name as part of the role selection list. This can make it hard to select the role you require if standard role names have been used across your aws accounts.
eg

[ 0 ]:  arn:aws:iam::123123123123:role/admin
[ 1 ]:  arn:aws:iam::123123123123:role/developer
[ 2 ]:  arn:aws:iam::456456456456:role/admin
[ 3 ]:  arn:aws:iam::456456456456:role/developer
[ 4 ]:  arn:aws:iam::789789789789:role/admin

The AWS saml signin page will display the account alias as part of the role selection.

Select a role:
Account: example-cloudops (123123123123)
admin
developer
Account: example-digital-nonprod (456456456456)
admin
developer
Account: example-digital-prod (789789789789)
admin

Enable Session Duration

AWS supports an optional request parameter to prolong a SessionDuration

The default session support is few hours... It would be nice to enhance the app... Do you have any idea how to implement such improvement in your app?

Modify credentials file instead of creating a new one

If the credentials file in the ~/.aws folder is a symlink to some other location, this link is broken after using saml2aws.

So instead of creating a new file, the script should modify the content of the existing one.
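Three of the reports on this page concern the same write path: the missing .aws folder on Windows, the lstat failure when the credentials file is absent, and the symlink being broken. The Go function below is an added example (not saml2aws's own code) that creates the parent directory and the file when missing and follows a symlink, dangling or not, so the link's target is rewritten in place; the 0600 mode for new files and the bounded link walk are choices made for this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// resolveWriteTarget follows path through a chain of symlinks and returns the
// file that should actually be written. A dangling link resolves to its (not yet
// existing) target, and a path that does not exist at all is returned unchanged
// so the caller can create it.
func resolveWriteTarget(path string) (string, error) {
	target := path
	for i := 0; i < 16; i++ { // bounded so a link loop cannot spin forever
		fi, err := os.Lstat(target)
		if err != nil {
			if os.IsNotExist(err) {
				return target, nil
			}
			return "", fmt.Errorf("stat %s: %w", target, err)
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			return target, nil
		}
		dest, err := os.Readlink(target)
		if err != nil {
			return "", fmt.Errorf("readlink %s: %w", target, err)
		}
		if !filepath.IsAbs(dest) {
			// A relative link target is relative to the directory holding the link.
			dest = filepath.Join(filepath.Dir(target), dest)
		}
		target = dest
	}
	return "", fmt.Errorf("too many levels of symlinks at %s", path)
}

// SaveCredentialsFile writes content to the credentials file at path, creating
// the parent directory and the file when they do not exist. It truncates and
// rewrites the resolved target in place; renaming a temporary file over path
// would replace a symlink with a plain file. New files are created 0600 because
// they hold session secrets; an existing file keeps its current mode.
func SaveCredentialsFile(path string, content []byte) (string, error) {
	target, err := resolveWriteTarget(path)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
		return "", fmt.Errorf("creating directory for %s: %w", target, err)
	}
	f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return "", fmt.Errorf("opening %s: %w", target, err)
	}
	if _, err := f.Write(content); err != nil {
		f.Close()
		return "", fmt.Errorf("writing %s: %w", target, err)
	}
	if err := f.Close(); err != nil {
		return "", err
	}
	return target, nil
}

func main() {
	// Constructed layout: <home>/.aws/credentials is a symlink into a dotfiles
	// directory that does not exist yet, which is the dangling-link case.
	dir, err := os.MkdirTemp("", "saml2aws-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	link := filepath.Join(dir, "home", ".aws", "credentials")
	real := filepath.Join(dir, "dotfiles", "aws-credentials")
	if err := os.MkdirAll(filepath.Dir(link), 0o700); err != nil {
		panic(err)
	}
	if err := os.Symlink(real, link); err != nil {
		panic(err)
	}
	target, err := SaveCredentialsFile(link, []byte("[saml]\naws_access_key_id = EXAMPLE\n"))
	if err != nil {
		panic(err)
	}
	fmt.Println("wrote", target) // the dotfiles target, the link is left intact
}
```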

32bit windows

Hi,
is it possible to add a 32bit windows version to the releases area?
Thanks

Saml2AWS for Windows behind a corporate proxy

Hello,

I tried to use Saml2AWS in Windows but I get an exception

Issue

Following error I get:

Authenticating as xxx@xxx ...
Post https://signin.aws.amazon.com/saml: Proxy Authorization Required
error retrieving AWS login form
github.com/versent/saml2aws.ParseAWSAccounts

Tests
I added HTTP_PROXY as a system variable with the company's proxy like "http://Address:Port"

Additional Note
When I use VirtualBox/Ubuntu/CNTLM on the same machine in the same network -> it works.

Question:
Does any one of you have further ideas how to get this accomplished?

Okta login issue

I am able to login to the web app using this URL, but I am getting this error when using the script.


Authenticating as ...
time="2017-12-05T14:24:45-05:00" level=debug msg="building provider" command=login idpAccount="&{https://e.oktapreview.com/home/amazon_aws/0oab5djefnTb4cMht0h7/137 Okta Auto true 0 urn:amazon:webservices}"
Response did not contain a valid SAML assertion
Please check your username and password is correct

Okta provider empty SAML Assertion

We are using Okta+DUO for AWS authentication. I cannot get Okta provider to work. SAML Assertion is always empty. I got it to work by sending another get request to Okta APP to actually get SAML Assertion value (Code below). For now I just patch it and recompile so we can start using this awesome tool.

I am wondering if I am missing something to get Okta+DUO to work without code changes below?

If fix below is necessary then what is the proper way to setup extra config per provider? (Like for fix below it will need Okta APP parameter.)

Repo with the patch:
https://github.com/richardheath/saml2aws/blob/master/pkg/provider/okta/okta.go

I hardcoded the Okta APP since I am not sure how to properly make this a config option:

// Second request: fetch the AWS app's SAML entry page from Okta, presenting the
// session token obtained from the Okta authn call so Okta returns the assertion.
// The app path is hardcoded here; it would normally be a per-provider setting.
req, err = http.NewRequest("GET", oktaEntryURL+"/home/amazon_aws/0oagi9d4ouv6LpCWS0x7/272", nil)
if err != nil {
	return samlAssertion, errors.Wrap(err, "error building app request")
}

// RelayState is forwarded to AWS unchanged; sessionToken proves the login to Okta.
q = req.URL.Query()
q.Add("RelayState", "/")
q.Add("sessionToken", oktaSessionToken)
req.URL.RawQuery = q.Encode()

req.Header.Add("Accept", "*/*")
// The response body is the HTML page whose SAMLResponse form field holds the assertion.
res, err = oc.client.Do(req)
if err != nil {
	return samlAssertion, errors.Wrap(err, "error retrieving app response")
}

Built executable fails when trying to run it in windows

Hello,

I'm trying to build the current master because I need to use a specific pull request in both
Ubuntu and Windows.

  1. I executed glide install and I correctly set the $GOPATH
    => works

  2. I tried to build it for both x86 and x64 with these commands:

env GOOS=windows GOARCH=amd64 go build -o saml2aws.exe
env GOOS=windows GOARCH=386 go build -o saml2aws.exe

and was able to build the file but it doesn't work when I execute these files. **It tells me it's incompatible with this windows version**
I have windows 7 but I think that's not the issue.
Any clue what the issue might be?
