Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added flag for disabling Kerberos SSO authentication via SSPI #97

Merged
merged 1 commit into from
Jul 5, 2018
Merged

Added flag for disabling Kerberos SSO authentication via SSPI #97

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 4 additions & 3 deletions aws_adfs/authenticator.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
from . import roles_assertion_extractor


def authenticate(config, username=None, password=None, assertfile=None):
def authenticate(config, username=None, password=None, assertfile=None, sspi=True):

response, session = html_roles_fetcher.fetch_html_encoded_roles(
adfs_host=config.adfs_host,
Expand All @@ -17,6 +17,7 @@ def authenticate(config, username=None, password=None, assertfile=None):
provider_id=config.provider_id,
username=username,
password=password,
sspi=sspi
)

assertion = None
Expand Down Expand Up @@ -88,7 +89,7 @@ def _aggregate_roles_by_account_alias(session,

if account_no not in account_aliases:
account_aliases[account_no] = account_no

if account_aliases[account_no] not in aggregated_accounts:
aggregated_accounts[account_aliases[account_no]] = {}
aggregated_accounts[account_aliases[account_no]][role_arn] = {'name': role_name, 'principal_arn': principal_arn}
Expand All @@ -113,7 +114,7 @@ def _symantec_vip_extractor():
def extract():
return symantec_vip_access.extract(html_response, config.ssl_verification, session)
return extract

def _file_extractor():
def extract():
return roles_assertion_extractor.extract_file(assertfile)
Expand Down
5 changes: 3 additions & 2 deletions aws_adfs/html_roles_fetcher.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,8 @@ def fetch_html_encoded_roles(
ssl_verification_enabled,
provider_id,
username=None,
password=None
password=None,
sspi=True
):
# Initiate session handler
session = requests.Session()
Expand All @@ -48,7 +49,7 @@ def fetch_html_encoded_roles(
u'The error: {}'.format(error_message)
)

if _auth_provider:
if _auth_provider and sspi:
domain = None
if username:
if '@' in username: # User principal name (UPN) format
Expand Down
10 changes: 8 additions & 2 deletions aws_adfs/login.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,11 @@
'--assertfile',
help='Use SAML assertion response from a local file'
)
@click.option(
'--sspi/--no-sspi',
default=True,
help='Whether or not to use Kerberos SSO authentication via SSPI, which may not work in some environments.',
)
def login(
profile,
region,
Expand All @@ -103,7 +108,8 @@ def login(
printenv,
role_arn,
session_duration,
assertfile
assertfile,
sspi
):
"""
Authenticates an user with active directory credentials
Expand Down Expand Up @@ -135,7 +141,7 @@ def login(
else:
username, password = _get_user_credentials(config)

principal_roles, assertion, aws_session_duration = authenticator.authenticate(config, username, password)
principal_roles, assertion, aws_session_duration = authenticator.authenticate(config, username, password, sspi=sspi)

username = '########################################'
del username
Expand Down