Powershell, ADFS, Duo, and SAML


#1

Hi,

I’m currently in a scenario where I’m trying to automate some tasks in AWS using PowerShell. In our environment we authenticate to AWS via ADFS with Duo MFA; it then passes this token to the AWS SAML provider. Using this method I’m given access to 200+ AWS accounts. Now I want to use the AWS PowerShell modules to enumerate all the accounts available to me, then query each account for all the EC2 instances they have provisioned.

What I seem to be having an issue with is that I technically should be able to log in to ADFS via PowerShell, get my token, then pass that token to AWS, but I’m not getting my token from ADFS because I assume it’s not actually logging in, because it’s not doing a Duo authentication.

Does anyone know a way around this?

Thanks
Anthony

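An added example (not from this thread) of the non-interactive flow the question describes, using the SAML cmdlets from the AWS docs linked in reply #2: register the ADFS endpoint, store one profile per role the assertion returns, then query EC2 through every stored profile. The ADFS host, endpoint name and region are placeholders; the supported authentication types (Basic, Digest, Kerberos, Negotiate, NTLM) are all non-interactive, so an ADFS relying party that enforces Duo MFA will not return an assertion to this flow.

```powershell
# Added example, not from the original post. Placeholders: ADFS host, endpoint
# name, region. Requires the AWSPowerShell module and a domain-joined session.
Import-Module AWSPowerShell

$endpointName = 'ADFS-Example'   # placeholder
$region       = 'us-east-1'      # placeholder

# 1. Register the IdP-initiated sign-on URL of the ADFS server. NTLM/Kerberos
#    use the current Windows identity; there is no browser and no Duo prompt.
Set-AWSSamlEndpoint -Endpoint 'https://adfs.example.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices' `
                    -StoreAs $endpointName -AuthenticationType NTLM

# 2. Authenticate and store every role listed in the SAML assertion as its own
#    credential profile (one per account/role pair). This is the step that
#    fails when the relying party requires Duo: no assertion, no profiles.
Set-AWSSamlRoleProfile -EndpointName $endpointName -StoreAllRoles

# 3. Enumerate the profiles in the SDK credential store and query EC2 through
#    each one; profiles that cannot assume a role are skipped with a warning.
$profiles = Get-AWSCredential -ListProfileDetail |
            Where-Object { $_.StoreTypeName -eq 'NetSDKCredentialsFile' }

$inventory = foreach ($p in $profiles) {
    try {
        Get-EC2Instance -ProfileName $p.ProfileName -Region $region |
            Select-Object -ExpandProperty Instances |
            Select-Object @{n='Profile'; e={ $p.ProfileName }},
                          InstanceId, InstanceType,
                          @{n='State'; e={ $_.State.Name }}
    } catch {
        Write-Warning "Skipping $($p.ProfileName): $($_.Exception.Message)"
    }
}

$inventory | Format-Table -AutoSize
```

Step 3 assumes every profile in the SDK store came from step 2; in a store with unrelated profiles, filter on the role-name prefix your organisation uses instead.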

#2

Hey Anthony,

TL;DR - At the very least, if you can get your setup to work WITHOUT Duo, it may work WITH Duo if the user is in Bypass mode.

This GitHub fork [2] mentions forms-based auth and MFA support. Using this, if the cmdlet launches a browser during forms-based auth, that should fully work with Duo enabled. For UX, this would be very similar to the way ADAL-enabled Microsoft applications launch a browser window when signing in to Microsoft Outlook, for instance, which is compatible with Duo.

Even if the AWS SAML cmdlet were MFA-aware (it isn’t [1]), the Duo interaction happens in a browser window, not in a PowerShell one. Unless the cmdlet opens a browser window for authentication, Duo has no way to interact with the user. Some Duo integrations can fall back to an auto mode in a situation where there is no textual challenge (such as a direct SFTP connection to a Unix host protected with pam_duo), but ADFS is web-based authentication prompt only.

Sources/helpful links

  1. According to the AWS Docs, http://docs.aws.amazon.com/powershell/latest/userguide/saml-pst.html, valid authentication schemes include Basic, Digest, Kerberos, Negotiate, and NTLM.

  2. https://github.com/awslabs/aws-saml-adfs-cmdlet-sample/pull/4

edit: spelling

Cheers


#3

We’re in the same boat:
ADFS works like a charm for our console users.
We’ve even been able to get the CLI working with tools like aws-adfs.

Our only holdup for using ADFS in production is the need for MFA.
Duo integration with ADFS was a snap; however, it breaks access for CLI use (with aws-adfs and other similar tools).

Have you found a path to implementation?

We are very close to having something working but are having problems with the strategy described here:
https://duo.com/docs/duoweb

Namely, our solution lacks proper session propagation. We need to figure out how to convince Duo that the next calls are within the same session.

https://github.com/venth/aws-adfs/tree/feature/duo-integration