
Respond to ADFS Agent SecurID prompt programmatically

Question asked by Jesse Gardner on Jan 25, 2019
Latest reply on Feb 11, 2019 by Jun Hu

We use ADFS to federate access to the AWS console.  For users that don't require MFA, I'm able to use PowerShell to authenticate to ADFS, basically:

POST to https://adfshost/adfs/ls/IdpInitiatedSignon.aspx?LoginToRP=urn:amazon:webservices with a body containing Active Directory credentials, and the response contains a SAMLResponse field that I can pass on to AWS and get temporary API credentials that I can use in PowerShell to interact with AWS.

With MFA enabled, I can log in through ADFS with a browser just fine.  Enter credentials, get prompted for SecurID passcode, enter successfully and get to the AWS console.

From PowerShell, the result of the first POST as described above is another page with a form for MFA passcode, as expected.  Through extensive analysis of browser behavior and SSL-decrypted Wireshark, I really think I'm replicating browser behavior but not getting a SAMLResponse back.  

I'm using a session variable to allow cookies to work, and see MSISAuth and MSISSamlRequest cookies.

The body I'm attempting to POST to the MFA challenge contains:

AuthMethod=SecurIDv2Authentication&Context=$Context&Passcode=$passcode

In the RSA AD FS MFA Adapter log, a browser-based successful authentication looks like:

2019-01-25 09:51:08,245 [41] INFO AuthnAdapter - Claim Type = http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
2019-01-25 09:51:08,245 [41] INFO AuthnAdapter - Username obtained from AD FS: [DOMAIN\Username]
2019-01-25 09:51:08,245 [41] INFO AuthnAdapter - Initial state: ActivityId = [obfuscated], ContextID = [obfuscated], User = [Username], lcid = 1033
2019-01-25 09:51:08,245 [41] INFO AuthSessionAdapter - Initial state: ActivityId = [obfuscated], ContextId = [obfuscated], authState = NotAuthenticated
2019-01-25 09:51:08,245 [41] INFO AuthSessionAdapter - BeginAuthentication() called for User: Username
2019-01-25 09:51:08,537 [41] INFO AuthnAdapter - Initial state: ActivityId = [obfuscated], ContextID = [obfuscated]
2019-01-25 09:51:08,537 [41] INFO AuthSessionAdapter - Initial state: ActivityId = [obfuscated], ContextID = [obfuscated], AuthState = CALL_INITIALIZE
2019-01-25 09:51:08,537 [41] INFO AuthSessionAdapter - TryEndAuthentication() called for User: [Username]
2019-01-25 09:51:08,537 [41] INFO AuthnRequestService - Creating AuthN sessionData from Initialize response.
2019-01-25 09:51:08,537 [41] INFO AuthnRequestService - Facts are not available
2019-01-25 09:51:08,537 [41] INFO ServerManager - getServerUrl(): returning server: https://[RSA servername]:5555/mfa/v1_1/
2019-01-25 09:51:08,621 [41] INFO AuthnAdapter - Authentication step completed.
2019-01-25 09:51:21,114 [41] INFO AuthnAdapter - Initial state: ActivityId = [obfuscated], ContextID = [obfuscated]
2019-01-25 09:51:21,114 [41] INFO AuthSessionAdapter - Initial state: ActivityId = [obfuscated], ContextID = [obfuscated], AuthState = NotAuthenticated
2019-01-25 09:51:21,114 [41] INFO AuthSessionAdapter - TryEndAuthentication() called for User: [Username]
2019-01-25 09:51:21,225 [41] INFO AuthnAdapter - Authentication succeeded.

For my attempts at authentication through PowerShell, the blue section never happens; it just ends at "Authentication step completed".

Has anyone done anything like this, be it PowerShell, curl, or something else?  Is there another method I should be pursuing to fulfill the MFA challenge via ADFS?
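As an added example that is not part of the original post or of RSA's adapter: a small Python script that groups RSA AD FS MFA Adapter log lines (in the format quoted above, with constructed sample lines and made-up ContextID/ActivityId values) by ContextID and reports attempts that reached "Authentication step completed." without a later "Authentication succeeded.", which is exactly the gap the question describes. It assumes that messages carrying no ContextID belong to the context last logged on the same [thread] number.

```python
import re

# Constructed sample in the adapter's log format. ctx-A is a browser login that reaches
# "Authentication succeeded."; ctx-B is an attempt that stops after "Authentication step completed.".
SAMPLE_LOG = """\
2019-01-25 09:51:08,245 [41] INFO AuthSessionAdapter - Initial state: ActivityId = act-1, ContextId = ctx-A, authState = NotAuthenticated
2019-01-25 09:51:08,245 [41] INFO AuthSessionAdapter - BeginAuthentication() called for User: alice
2019-01-25 09:51:08,621 [41] INFO AuthnAdapter - Authentication step completed.
2019-01-25 09:51:21,114 [41] INFO AuthSessionAdapter - Initial state: ActivityId = act-1, ContextID = ctx-A, AuthState = NotAuthenticated
2019-01-25 09:51:21,225 [41] INFO AuthnAdapter - Authentication succeeded.
2019-01-25 09:53:02,001 [17] INFO AuthSessionAdapter - Initial state: ActivityId = act-2, ContextId = ctx-B, authState = NotAuthenticated
2019-01-25 09:53:02,001 [17] INFO AuthSessionAdapter - BeginAuthentication() called for User: bob
2019-01-25 09:53:02,390 [17] INFO AuthnAdapter - Authentication step completed.
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[(\d+)\] (\w+) (\S+) - (.*)$")  # timestamp, thread, level, logger, message
CTX_RE = re.compile(r"Context[Ii][Dd] = ([^,\s]+)")                # the log spells it both ContextId and ContextID
USER_RE = re.compile(r"BeginAuthentication\(\) called for User: (\S+)")

def parse_adapter_log(text):
    """Group adapter events by ContextID.  Messages without a ContextID (the
    "Authentication step completed." / "Authentication succeeded." lines) are
    attributed to the context last seen on the same thread number (assumption)."""
    sessions = {}
    current_ctx = {}  # thread id -> ContextID most recently logged on that thread
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, thread, _level, _logger, msg = m.groups()
        ctx_match = CTX_RE.search(msg)
        if ctx_match:
            current_ctx[thread] = ctx_match.group(1)
        ctx = current_ctx.get(thread)
        if ctx is None:
            continue  # lines logged before the thread's first "Initial state" entry
        s = sessions.setdefault(ctx, {"user": None, "step_completed": False, "succeeded": False})
        user_match = USER_RE.search(msg)
        if user_match:
            s["user"] = user_match.group(1)
        if msg == "Authentication step completed.":
            s["step_completed"] = True
        elif msg == "Authentication succeeded.":
            s["succeeded"] = True
    return sessions

def incomplete_attempts(text):
    """ContextIDs where the SecurID step was issued but never answered successfully."""
    return [ctx for ctx, s in parse_adapter_log(text).items()
            if s["step_completed"] and not s["succeeded"]]
```

Running `incomplete_attempts(SAMPLE_LOG)` on the sample returns `["ctx-B"]`, the attempt that never reached the second TryEndAuthentication round.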
