No device posture support

[monde]

Need to update the README noting there is not device posture support in AWS Federation App / web SSO token at this time. Therefore it is not possible to achieve this in the okta-aws-cli.

Background notes:

“When device state is required in the authentication policy the processing on the AWS Application will fail to either the catch-all rule or alternative rule preventing aal3+ device trust requirements.”

"We have no means of collecting device posture on the token exchange call, so rules with that condition will not be hit"

"We are planning on greater investments to web_sso_token, expanding it to other use cases"

[joshgch]

Hey @monde , is this something that will be fixed in the future? This is causing an issue for us as we need both Web and CLI access to support ODT and Phish Resistant factors.

[stargonautone]

This is happening even without a Device State requirement (i.e. "AND Device state is" is set to "Any").

[stargonautone]

HTTP 400 errors caused by MFA challenge on our end were due to mismatched policy between Native OIDC app and AWS Account Federation SAML app. Issues were resolved by assigning the same (OIE) Authentication Policy to OIDC intermediary authZ and SAML authN apps.

[SpencerLN]

@monde, are there any plans and/or timeline to support device posture in okta-aws-cli in the future? Is there an internal ticket number we can reference with our account team to request prioritization?

[monde]

To meet the https://github.com/okta/okta-aws-cli/labels/2.4.0 label the README will state "AWS Federation App / web SSO token does support device posture at this time. Therefore it is not possible to achieve this in the okta-aws-cli"

The note here: "We are planning on greater investments to web_sso_token, expanding it to other use cases" is from the team in Okta that owns the AWS Fed App, not the team that support okta-aws-cli. okta-aws-cli is a downstream interface from the Okta API.