JumpCloud provider requests MFA when user doesn't exist #552
Comments
@iainelder you can inspect the

// Invalid User or bad password
{"message":"Authentication failed."}

// MFA Required carry on requesting MFA from the User
{"factors":[{"type":"totp","status":"available"},{"type":"duo","status":"available"}],"message":"MFA required."}
MFA is not yet company policy, so we need the tool to work without MFA as well. It's on the roadmap, but our first priority is to eliminate long-lived IAM access keys. saml2aws is extremely helpful to achieve this. So our first step is to train people to use saml2aws for configuring the CLI. When we have that under control, enabling MFA is an important next step.
Great! What do we need to implement this? Is there another module whose pattern we can follow? I have reproduced similar outputs using the
@jack1902 I put together a PR that I think solves this. Could you take a look? It's my first time writing Go and my first contribution to this project so any pointers would be appreciated. Thanks!
I had to refer to the source code to solve a strange login problem I had. It seems the code makes a false assumption.
saml2aws/pkg/provider/jumpcloud/jumpcloud.go, line 117 in f70fefb
Not necessarily. You also get a 401 if the "username" is incorrect.
I don't have MFA configured on my JumpCloud user.
In my case, I was putting the actual JumpCloud username (aws-sandbox) instead of the email address (aws-sandbox@example.com) which is what the JumpCloud login console page really expects.
I don't see a way to disable the MFA prompt. That may be because I'm new to this tool, but I didn't see it in the README.
Failing that, is there a way to programmatically distinguish 401 for lack of MFA and 401 for incorrect credentials? I'm also new to JumpCloud so I don't know if that's possible.
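The distinction asked about above can be made from the 401 response body rather than the status code, using the two JumpCloud bodies quoted earlier in this thread. This is an added example, not saml2aws's own code; the struct, the outcome names and the "available" filter are assumptions for illustration:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// loginResponse covers only the fields seen in the two 401 bodies quoted above.
type loginResponse struct {
	Message string `json:"message"`
	Factors []struct {
		Type   string `json:"type"`
		Status string `json:"status"`
	} `json:"factors"`
}

// LoginOutcome classifies a 401 response by its body, not its status code.
type LoginOutcome int

const (
	OutcomeUnknown        LoginOutcome = iota // neither known pattern matched
	OutcomeBadCredentials                     // wrong username/email or password
	OutcomeMFARequired                        // credentials accepted, factor needed
)

// ClassifyUnauthorized returns the outcome plus the MFA factor types reported
// as "available", so a caller prompts for TOTP/Duo only when actually required.
func ClassifyUnauthorized(body []byte) (LoginOutcome, []string, error) {
	var resp loginResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return OutcomeUnknown, nil, fmt.Errorf("parse 401 body: %w", err)
	}
	var types []string
	for _, f := range resp.Factors {
		if f.Status == "available" {
			types = append(types, f.Type)
		}
	}
	switch {
	case len(types) > 0 || resp.Message == "MFA required.":
		return OutcomeMFARequired, types, nil
	case resp.Message == "Authentication failed.":
		return OutcomeBadCredentials, nil, nil
	}
	return OutcomeUnknown, nil, nil
}

func main() { // constructed input: the bad-password body quoted in the thread
	fmt.Println(ClassifyUnauthorized([]byte(`{"message":"Authentication failed."}`)))
}
```

A wrong username (or, as in this issue, a bare username where JumpCloud expects the e-mail address) and a wrong password both land in OutcomeBadCredentials, so the client can report that instead of prompting for a code.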