Response did not contain a valid SAML assertion #144

Closed
lconnell opened this issue Feb 22, 2018 · 10 comments

Comments

@lconnell

I do however get a notification from my MFA authenticator after attempting to log in.

Configuration:
ADFS
Auto

@wolfeidau
Contributor

If you're using an MFA with ADFS (3.0) then you will need to modify saml2aws to support the intermediate request used by your MFA. This normally means a bit of debugging in Chrome to see what is going on behind the scenes.

You can kind of get the gist of it with the existing MFA code.

What is the MFA you're using?
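
An added example, not part of this thread and not saml2aws code, showing what a SAML client actually has to find in the page the IdP returns after the MFA step: the hidden SAMLResponse form field with at least one Assertion inside it. A 200 OK with no such field is exactly the condition behind the error in this issue; the code-prompt heuristic, the error names and both sample pages are assumptions constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"errors"
	"regexp"
	"strings"
)

var (
	// ErrNoAssertion mirrors this issue's error; ErrMFAChallenge is a hypothetical diagnosis.
	ErrNoAssertion  = errors.New("response did not contain a valid SAML assertion")
	ErrMFAChallenge = errors.New("response is an MFA challenge page, not a SAML response")
	// Hypothetical matchers, not saml2aws code: the SAML POST-binding field, and an input
	// whose name suggests a code prompt (an illustrative heuristic only).
	samlFieldRe = regexp.MustCompile(`(?is)<input[^>]*name="SAMLResponse"[^>]*value="([^"]*)"`)
	codeFieldRe = regexp.MustCompile(`(?is)<input[^>]*name="[^"]*(?:code|otp)[^"]*"`)
)

// CountAssertions extracts the SAMLResponse form field, base64-decodes it and counts Assertion
// elements by walking XML tokens, so namespace prefixes do not matter. A 200 OK page without
// that field is what produces the error reported in this thread.
func CountAssertions(body string) (int, error) {
	m := samlFieldRe.FindStringSubmatch(body)
	if m == nil {
		if codeFieldRe.MatchString(body) {
			return 0, ErrMFAChallenge
		}
		return 0, ErrNoAssertion
	}
	// Bad base64 or malformed XML surfaces as a token error and ends the walk with n == 0.
	dec, n := xml.NewDecoder(base64.NewDecoder(base64.StdEncoding, strings.NewReader(m[1]))), 0
	for tok, err := dec.Token(); err == nil; tok, err = dec.Token() {
		if se, ok := tok.(xml.StartElement); ok && se.Name.Local == "Assertion" {
			n++
		}
	}
	if n == 0 {
		return 0, ErrNoAssertion
	}
	return n, nil
}

// SuccessPage and MFAPage are constructed sample bodies, not captured from any real IdP.
func SuccessPage() string {
	xmlDoc := `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion ID="_a1"/></samlp:Response>`
	return `<form method="post"><input type="hidden" name="SAMLResponse" value="` + base64.StdEncoding.EncodeToString([]byte(xmlDoc)) + `"/></form>`
}
func MFAPage() string { return `<form method="post"><input type="text" name="VerificationCode"/></form>` }
```

When debugging a report like this one, dump the body of the last 200 OK response and run a check of this shape over it: the answer is either a real SAMLResponse or a page the client was not written to handle.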

@lconnell
Author

I am using the Google Authenticator

@sagar-srivastava

I am using OKTA with OKTA MFA and I am getting the exact same error after authentication and authorization, while the debug output says status=200 ok.

@live4live4

+1, using OKTA and getting the exact same error.

@micahlmartin
Contributor

Can you share more info about your configuration as well as the debug logging with the --verbose output?

@live4live4

? Please choose a provider: ADFS
? Please choose an MFA Auto
? AWS Profile saml

? URL https://fs.example.com/adfs/ls/idpinitiatedsignon.htm
? Username xxx@example.com

? Password
No password supplied

account {
URL: fs.example.com/adfs/ls/idpinitiatedsignon.htm
Username: xxx@example.com
Provider: ADFS
MFA: Auto
SkipVerify: false
AmazonWebservicesURN: urn:amazon:webservices
SessionDuration: 3600
Profile: saml
RoleARN:
}

Configuration saved for IDP account: default
saml2aws login
Using IDP Account default to access ADFS https://fs.example.com/adfs/ls/idpinitiatedsignon.htm
To use saved password just hit enter.
? Username xxx@example.com
? Password

Authenticating as xxx@example.com ...
Response did not contain a valid SAML assertion
Please check your username and password is correct
We use OKTA MFA for our ADFS service.

@mphoratiu

I had the same issue. Make sure you're not required to be on some company VPN before connecting; that's the way it behaves if a VPN is required.

@live4live4

live4live4 commented Mar 28, 2019

@mphoratiu we don't use a VPN; without MFA, saml2aws worked perfectly. Once MFA was enabled, it stopped working. It didn't even prompt me to enter the passcode, as demonstrated in the official docs:

$ saml2aws login
Using IDP Account default to access Ping https://id.example.com
To use saved password just hit enter.
Username [mark.wolfe@example.com]:
Password: ************

Authenticating as mark.wolfe@example.com ...
Enter passcode: 123456

Selected role: arn:aws:iam::123123123123:role/AWS-Admin-CloudOPSNonProd
Requesting AWS credentials using SAML assertion
Saving credentials
Logged in as: arn:aws:sts::123123123123:assumed-role/AWS-Admin-CloudOPSNonProd/wolfeidau@example.com

Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2016-09-19 15:59:49 +1000 AEST
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile saml ec2 describe-instances --region us-east-1).

@ore0z

ore0z commented Apr 18, 2019

I just thought I'd drop a note in here. I had this error when I was trying to set up my access on a new computer, and it ended up being my Okta account being locked. I normally didn't have to enter a password, but I guess the first time you log in I had to. My account was locked because normally I would enter a blank or bogus password. Also commenting for my future self when I find this again ;)

@neelakansha85

+1, using the Okta provider and Push MFA.
I get a push notification request on my device and, on approving it, it recognizes that the request was approved but then fails with this error. Below is the output with --verbose:

$ saml2aws login --verbose
DEBU[0000] Running                                       command=login
DEBU[0000] check if Creds Exist                          command=login
DEBU[0000] Expand                                        name=/Users/nshah/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/Users/nshah/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/Users/nshah/.aws/credentials pkg=awsconfig
Using IDP Account default to access Okta https://mytest.okta.com/home/amazon_aws/6jzlat0sauzQlP13z569/50
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://mytest.okta.com/home/amazon_aws/6jzlat0sauzQlP13z569/50"
DEBU[0000] Get credentials                               helper=osxkeychain user=nshah
To use saved password just hit enter.
? Username nshah
? Password

DEBU[0002] building provider                             command=login idpAccount="account {\n  URL: https://mytest.okta.com/home/amazon_aws/6jzlat0sauzQlP13z569/50\n  Username: nshah\n  Provider: Okta\n  MFA: PUSH\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 3600\n  Profile: saml\n  RoleARN: \n}"
Authenticating as nshah ...
DEBU[0002] HTTP Req                                      URL="https://mytest.okta.com/api/v1/authn" http=client method=POST
DEBU[0004] HTTP Res                                      Status="200 OK" http=client
DEBU[0004] MFA                                           factorID=opf10spckqPkgbbtJ357 mfaIdentifer="OKTA PUSH" oktaVerify="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" provider=okta
DEBU[0004] HTTP Req                                      URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0004] HTTP Res                                      Status="200 OK" http=client

Waiting for approval, please check your Okta Verify app ...DEBU[0004] HTTP Req                                      URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0005] HTTP Res                                      Status="200 OK" http=client
.DEBU[0005] Waiting for user to authorize login           provider=okta
DEBU[0005] HTTP Req                                      URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0006] HTTP Res                                      Status="200 OK" http=client
.DEBU[0006] Waiting for user to authorize login           provider=okta
DEBU[0006] HTTP Req                                      URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0007] HTTP Res                                      Status="200 OK" http=client
.DEBU[0007] Waiting for user to authorize login           provider=okta
DEBU[0007] HTTP Req                                      URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0007] HTTP Res                                      Status="200 OK" http=client
.DEBU[0007] Waiting for user to authorize login           provider=okta
DEBU[0007] HTTP Req                                      URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0008] HTTP Res                                      Status="200 OK" http=client
.DEBU[0008] Waiting for user to authorize login           provider=okta
DEBU[0008] HTTP Req                                      URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0009] HTTP Res                                      Status="200 OK" http=client
.DEBU[0009] Waiting for user to authorize login           provider=okta
DEBU[0009] HTTP Req                                      URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0009] HTTP Res                                      Status="200 OK" http=client
.DEBU[0009] Waiting for user to authorize login           provider=okta
DEBU[0009] HTTP Req                                      URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0010] HTTP Res                                      Status="200 OK" http=client
.DEBU[0010] Waiting for user to authorize login           provider=okta
DEBU[0010] HTTP Req                                      URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0010] HTTP Res                                      Status="200 OK" http=client
.DEBU[0010] Waiting for user to authorize login           provider=okta
DEBU[0010] HTTP Req                                      URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0011] HTTP Res                                      Status="200 OK" http=client
.DEBU[0011] Waiting for user to authorize login           provider=okta
DEBU[0011] HTTP Req                                      URL="https://mytest.okta.com/api/v1/authn/factors/opf10spckqPkgbbtJ357/verify" http=client method=POST
DEBU[0012] HTTP Res                                      Status="200 OK" http=client
 Approved

DEBU[0012] HTTP Req                                      URL="https://mytest.okta.com/login/sessionCookieRedirect?checkAccountSetupComplete=true&redirectUrl=https%3A%2F%2Fmytest.okta.com%2Fhome%2Famazon_aws%2F6jzlat0sauzQlP13z569%2F50&token=81773zufdrt1nM-C4s2a84_h_WSY3dzOx1vHJ5UU2eqjsL" http=client method=GET
DEBU[0013] HTTP Res                                      Status="200 OK" http=client
Response did not contain a valid SAML assertion
Please check your username and password is correct

The results are the same even if you provide --role=<iam-role-arn>.
