JumpCloud provider requests MFA when user doesn't exist #552
Comments
|
@iainelder you can inspect the // Invalid User or bad password
{{"message":"Authentication failed."}}
// MFA Required carry on requesting MFA from the User
{{"factors":[{"type":"totp","status":"available"},{"type":"duo","status":"available"}],"message":"MFA required."}} |
MFA is not yet company policy, so we need the tool to work without MFA as well. It's on the roadmap, but our first priority is to eliminate long-lived IAM access keys. saml2aws is extremely helpful to achieve this. So our first step is to train people to use saml2aws for configuring the CLI. When we have that under control, enabling MFA is an important next step.
Great! What do we need to implement this? Is there another module whose pattern we can follow? I have reproduced similar outputs using the |
|
@jack1902 I put together a PR that I think solves this. Could you take a look? It's my first time writing Go and my first contribution to this project so any pointers would be appreciated. Thanks! |
I had to refer to the source code to solve a strange login problem I had. It seems the code makes a false assumption.
saml2aws/pkg/provider/jumpcloud/jumpcloud.go
Line 117 in f70fefb
Not necessarily. You also get a 401 if the "username" is incorrect.
I don't have MFA configured on my JumpCloud user.
In my case, I was putting the actual JumpCloud username (aws-sandbox) instead of the email address (aws-sandbox@example.com) which is what the JumpCloud login console page really expects.
I don't see a way to disable the MFA prompt. That may be because I'm new to this tool, but I didn't see it in the README.
Failing that, is there a way to programmatically distinguish 401 for lack of MFA and 401 for incorrect credentials? I'm also new to Jumpcloud so I don't know if that's possible.
The text was updated successfully, but these errors were encountered: