Please help on Okta MFA

[kevbook]

Sorry, I never ask these questions on repo issues. [v2.0.3 on mac 10.13.2]

Config for multi-account done exactly as here http://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Service.html

• When I setup Okta with NO MFA - things work just fine.
• But with MFA setup on AWS (google authenticator) - I do saml2aws login --verbose or saml2aws login --verbose --mfa="totp"

Response did not contain a valid SAML assertion
Please check your username and password is correct

[wolfeidau]

Have you tried disabling MFA and logging in?

Just to ensure your basic configuration is working.

[kevbook]

Oh yea basic works just fine with multiple AWS accounts, using saml2aws & okta web.
But saml2aws gives me the above error when MFA is enabled

[chamila-c]

Any chance this is related to #84 ?

[kevbook]

Seems like when MFA on Okta is setup on okta org or group level, this works. But not, when MFA is setup at the AWS app level.

[kevbook]

See this as well. Nextdoor/nd_okta_auth#2

[etendards]

Is this still an issue? How do we enable MFA with CLI?

[wolfeidau]

OK I need to fire up my okta developer account and take a look at the output of --debug.

I didn't even know you could do per app configuration of MFA.

[wolfeidau]

@pwmcintyre How are you configuring this at the moment?

[emmanuel]

I'm experiencing this same issue with 2.5.0 on macOS; my organization has Okta configured for MFA on a per-application basis (i.e., MFA is enabled for AWS, but not all apps in the tenant). (Based on my understanding of the underlying issue, neither the version of saml2aws nor my OS are relevant, however.)

I have cycles to prepare a patch for this functionality, but I think I'll need a little guidance to do so effectively. Can someone help me sort out how to diagnose what Okta does differently in the per-application case vs. in the tenant-wide case?

[emmanuel]

... looks like I have to rescind my offer here; I was mistaken about having cycles for this. My organization is switching to org-wide MFA tomorrow, so there's no justification for investing dev effort in support of app-level MFA.

Apologies for the offer-then-retraction.

[kgamanji]

Hello,

We are looking for a solution to use MFA at the application level. Any updates on this issue?

Or any indications on how can this be solved?

[sagar-srivastava]

I confirm, app level MFA enforcement accounts are failing while it works for Org level exactly as @kevbook mentioned.

can we expect a solution sometime sooner? Thanks

[MukeshSingh28]

The same issue persist for me too. Expecting for a solution sooner or later. Thank you

[Meroje]

I had a look at this, and it seems there is no way to handle this mfa setup without running a browser capable of running javascript.

[dmmsonos]

Can anyone on this thread confirm that they saw the app-level MFA issue with Duo specifically? I see that the code for Duo is fairly different from the other cases. Would save me the time of setting up an evaluation Duo account to find out what I already suspect...

[dmmsonos]

Good news for anyone using Duo MFA with Okta:

saml2aws works with application-level MFA for Duo

🎉

[alsmola]

I think this should fix Okta with TOTP MFA: #369

[joshk0]

repeating myself from PR for visibility:

I can confirm this works for me and to be more precise, it fixes the case where an app level MFA policy is enabled on AWS. This change is not necessary unless that is the case, and it fixes interaction with all second factors, not just TOTP.