
Could not get temporary credentials: generating SAML assertion: doing HTTP request: 401 Unauthorized #85

Closed
roarklebork opened this issue Feb 4, 2019 · 8 comments · Fixed by #96

@roarklebork

Hello,

In my setup I have many different AWS accounts and each account has many roles. I am running into this issue with version 0.7.0 where if I get a credential from one account it works, but if I try to get a credential from a different account right after, I receive the error

Could not get temporary credentials: generating SAML assertion: doing HTTP request: 401 Unauthorized

It seems that if I delete the credential from my aws config as well as remove the clisso config and set it up again I am able to generate the other credential. It seems it can only be one at a time for some reason.
Thanks!

@ghost

ghost commented Feb 4, 2019

Hey @roarklebork,

I assume you are using OneLogin. One OTP token can only be used once. So before requesting new credentials wait until the app shows a different token than the one that was used with the previous request.

@roarklebork
Author

Hi,

Thanks so much for the super fast response. I probably should have mentioned that I am using Onelogin and instead of the OTP I'm using Verify Factor. After receiving that error, if I wait 15 minutes or so (I assume the verify token expires) I receive the following:

Could not get temporary credentials: generating SAML assertion: parsing HTTP response: json: cannot unmarshal string into Go struct field GenerateSamlAssertionResponse.Data of type []struct { StateToken string "json:\"state_token\""; Devices []onelogin.Device; CallbackUrl string "json:\"callback_url\""; User struct { Lastname string "json:\"lastname\""; Username string "json:\"username\""; Email string "json:\"email\""; Firstname string "json:\"firstname\""; Id int "json:\"id\"" } }

Thanks

@ghost

ghost commented Feb 4, 2019

Okay, I'm not sure I understand your setup/what you mean with:

> instead of the OTP im using Verify Factor.

Can you elaborate more on your OneLogin setup?
I.e. do you have 2FA enabled? What is your 2FA (Onelogin Protect, OneLogin SMS, OneLogin Security Questions, Duo Security, Google Authenticator, YubiKey, Symantec VIP Access or RSA SecurID)?

Also what are the Clisso app names (AWS profile names) you are using for the first run? Can you post your clisso.yaml (secrets, etc. redacted!)

@roarklebork
Author

Hey,

So I am using the OneLogin Protect app for Android. So after I type in my password it sends a push notification to my phone instead of entering the OTP manually. The following is the config. The first run would be `clisso get app-1`: I would enter my password, click accept in the verify app, then pick the role. If I cat the credential file I can see that the correct information is there. On the second run I would do `clisso get app-2`, enter my password, then I would receive the above error.

```yaml
apps:
  app-1:
    app-id: "12345"
    duration: "3600"
    provider: one-login-provider
  app-2:
    app-id: "56789"
    duration: "3600"
    provider: one-login-provider
  app-3:
    app-id: "101112"
    duration: "3600"
    provider: one-login-provider
global:
  credentials-path: /Users/user/.aws/credentials
providers:
  one-login-provider:
    client-id: <client_id>
    client-secret: <client_secret>
    duration: "14400"
    region: US
    subdomain: <subdomain>
    type: onelogin
    username: <username>
```

@ghost

ghost commented Feb 5, 2019

So I wasn't wrong with my initial assumption.
The flow should be the following

  1. running clisso get app-1 will ask for password and trigger push
  2. running clisso get app-2 will ask for password and trigger push

If between running 1. and 2. the token on your OTP device has not changed (even if you don't enter it but use push) you will get a 401 Unauthorized. I've seen that sometimes OneLogin Protect shows the same OTP token for two consecutive time slots if the app was just started up.

To verify can you do the following:

  1. unlock your device and start OneLogin Protect
  2. run clisso get app-1
  3. wait for a fresh token to be rendered on OneLogin Protect (normally below 30s)
  4. run clisso get app-2

@roarklebork
Author

Hi, I did exactly as requested and received the following:

Could not get temporary credentials: generating SAML assertion: parsing HTTP response: json: cannot unmarshal string into Go struct field GenerateSamlAssertionResponse.Data of type []struct { StateToken string "json:\"state_token\""; Devices []onelogin.Device; CallbackUrl string "json:\"callback_url\""; User struct { Lastname string "json:\"lastname\""; Username string "json:\"username\""; Email string "json:\"email\""; Firstname string "json:\"firstname\""; Id int "json:\"id\"" }

When I first tried troubleshooting this I even waited around 30 minutes and still ran into the same issue. There is an amount of time that I can wait before getting a different app. I am not sure what it is, but I am assuming it's around the time the key expires?
Thanks.
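The second error in this thread is a plain type mismatch: the client declares the response's `data` field as an array of MFA-state objects, but the server sent a JSON string, so `encoding/json` refuses the whole body. A decoder that accepts both shapes avoids that failure mode. The following is an added example written for this discussion, not clisso's own code or the OneLogin API definition; the `Device` fields, the `status` block and the three sample bodies are constructed assumptions, and the assumption that a string `data` carries the SAML assertion while an array `data` carries MFA state is inferred only from the error text above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Device stands in for the onelogin.Device named in the error message.
// Its fields are an assumption for this example, not clisso's definition.
type Device struct {
	DeviceID   int    `json:"device_id"`
	DeviceType string `json:"device_type"`
}

// MFAState is one element of the array form of "data" (field names taken
// from the struct tags visible in the error message).
type MFAState struct {
	StateToken  string   `json:"state_token"`
	Devices     []Device `json:"devices"`
	CallbackURL string   `json:"callback_url"`
}

// SAMLData holds whichever shape the "data" field arrived in.
type SAMLData struct {
	Assertion string     // set when "data" was a JSON string
	MFA       []MFAState // set when "data" was a JSON array of objects
}

// UnmarshalJSON accepts either a JSON string or an array of MFA states and
// returns a descriptive error for anything else, instead of failing on the
// first shape the caller did not anticipate.
func (d *SAMLData) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err == nil {
		d.Assertion, d.MFA = s, nil
		return nil
	}
	var states []MFAState
	if err := json.Unmarshal(b, &states); err != nil {
		return fmt.Errorf("data is neither a string nor an array of MFA states: %w", err)
	}
	d.Assertion, d.MFA = "", states
	return nil
}

// Response is the envelope around "data"; the status block is assumed.
type Response struct {
	Status struct {
		Type    string `json:"type"`
		Message string `json:"message"`
		Code    int    `json:"code"`
		Error   bool   `json:"error"`
	} `json:"status"`
	Data SAMLData `json:"data"`
}

// ParseResponse decodes a body and surfaces server-side errors (such as a
// 401 for a reused OTP) as Go errors rather than as empty data.
func ParseResponse(body []byte) (*Response, error) {
	var r Response
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, fmt.Errorf("parsing HTTP response: %w", err)
	}
	if r.Status.Error {
		return nil, fmt.Errorf("provider returned %d: %s", r.Status.Code, r.Status.Message)
	}
	return &r, nil
}

// NeedsMFA reports whether the caller must complete a second factor first.
func (r *Response) NeedsMFA() bool { return len(r.Data.MFA) > 0 }

// Constructed sample bodies; none were captured from a real OneLogin tenant.
const (
	bodyMFA       = `{"status":{"type":"success","message":"MFA is required","code":200,"error":false},"data":[{"state_token":"STATE-TOKEN-PLACEHOLDER","devices":[{"device_id":1,"device_type":"OneLogin Protect"}],"callback_url":"https://example.com/callback"}]}`
	bodyAssertion = `{"status":{"type":"success","message":"Success","code":200,"error":false},"data":"PHNhbWxwOlJlc3BvbnNlIC4uLg=="}`
	bodyError     = `{"status":{"type":"Unauthorized","message":"bad credentials","code":401,"error":true}}`
)

func main() {
	for _, body := range []string{bodyMFA, bodyAssertion, bodyError} {
		r, err := ParseResponse([]byte(body))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("needs MFA: %v, assertion length: %d\n", r.NeedsMFA(), len(r.Data.Assertion))
	}
}
```

The point for a client like this one is that the same endpoint can legitimately answer with two shapes, and which one you get depends on tenant policy and on whether a factor has already been satisfied. Declaring a single fixed struct turns that policy difference into a parse failure that looks, to the user, like the credential flow is broken.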

@johananl johananl added the bug label Mar 17, 2019
@edlitmus

edlitmus commented Dec 7, 2020

This has periodically come up for me as well, and waiting for a new token hasn't been the issue.

@edlitmus

edlitmus commented Dec 7, 2020

@roarklebork can you see if my fork corrects this issue for you? https://github.com/edlitmus/clisso

I updated to the OneLogin v2 API and I believe that fixes the issue for me.

This issue was closed.