
error authenticating to IdP: error verifying MFA: The provided key handle is not present on the device, or was created with a different application parameter. #622

Open
carloshmiranda opened this issue Feb 22, 2021 · 8 comments

Comments

@carloshmiranda

Started to get this error after changing to a new laptop; has this happened to someone else?

We use Okta as an IdP and YubiKeys for FIDO.

@cdchris12

This is happening to a few different folks in our company; anyone else seeing this?

@sriram-clever
Contributor

sriram-clever commented Apr 7, 2021

Ran into this issue in my org when we have users with multiple FIDO keys configured.

If anyone wants to test this https://github.com/Versent/saml2aws/pull/649/files

@cdchris12

We tested this in our organization, and it appeared to be fixed with #630. We've not had any further issues since the release of v2.28.4.

@sriram-clever
Contributor

Interesting; for us, v2.28.4 ended up introducing this issue for users, especially if the first FIDO key registered happened to be the one they normally use. The pull request addresses what looks like a bug in the new code.

@ocraviotto

@sriram-clever Yes, #630 introduced it for me as well (Linux client). I realized it precisely when I was updating an older PR of mine that fixes U2F USB detection on Linux to include that change: testing it, I hit the same issue, given that I use multiple keys and the first one (and the only one connected) was being escaped.
I had not seen your PR until just now, but I followed the issue and found that the same change (only reversed for clarity) fixed it, so I added it along with multiple other changes I made to update my USB detection fix and make it acceptable.
The line with my version of the change is this one.

@jseiser

jseiser commented Dec 14, 2021

We just set up saml2aws and our entire team is getting this issue. We all have n+1 YubiKeys configured to access Okta. I set up a temporary MFA factor with Google Authenticator and it worked, so the problem is down to just the YubiKeys.

The YubiKeys work when we access Okta in the web browser; it pops up asking you to tap the key. Not sure if there is some other configuration required.

❯ saml2aws --version
2.33.0
❯ saml2aws --verbose -a redacted login --force
DEBU[0000] Running                                       command=login
DEBU[0000] Check if creds exist.                         command=login
DEBU[0000] Expand                                        name=/Users/justin/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/Users/justin/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/Users/justin/.aws/credentials pkg=awsconfig
Using IdP Account redacted to access Okta https://auth.redacted.network/home/amazon_aws/dfgdfgdfbdfbbfgnfgbfgb/272
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://auth.redacted.network/home/amazon_aws/dfgdfgdfbdfbbfgnfgbfgb/272"
DEBU[0000] Get credentials                               helper=osxkeychain user=justin
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://auth.redacted.network/home/amazon_aws/dfgdfgdfbdfbbfgnfgbfgb/272/sessionCookie"
DEBU[0000] Get credentials                               helper=osxkeychain user=justin
To use saved password just hit enter.
? Username
? Password

DEBU[0004] building provider                             command=login idpAccount="account {\n  DisableSessions: true\n  DisableRememberDevice: true\n  URL: https://auth.redacted.network/home/amazon_aws/dfgdfgdfbdfbbfgnfgbfgb/272\n  Username: justin\n  Provider: Okta\n  MFA: Auto\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 3600\n  Profile: redacted\n  RoleARN: \n  Region: us-gov-west-1\n}"
DEBU[0004] okta | disableSessions: true                  provider=okta
DEBU[0004] okta | rememberDevice: false                  provider=okta
Authenticating as justin ...
DEBU[0004] HTTP Req                                      URL="https://auth.redacted.network/api/v1/authn" http=client method=POST
DEBU[0004] HTTP Res                                      Status="200 OK" http=client
? Select which MFA option to use FIDO WebAuthn MFA authentication
DEBU[0006] MFA                                           factorID=fdff4fdfdffdfdfdf mfaIdentifer="FIDO WEBAUTHN" oktaVerify="https://auth.redacted.network/api/v1/authn/factors/fdff4fdfdffdfdfdf/verify" provider=okta
DEBU[0006] HTTP Req                                      URL="https://auth.redacted.network/api/v1/authn/factors/fdff4fdfdffdfdfdf/verify" http=client method=POST
DEBU[0006] HTTP Res                                      Status="200 OK" http=client
The provided key handle is not present on the device, or was created with a different application parameter.
tried all MFA options
github.com/versent/saml2aws/v2/pkg/provider/okta.fidoWebAuthn
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:1136
github.com/versent/saml2aws/v2/pkg/provider/okta.verifyMfa
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:1096
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:479
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:187
runtime.main
	runtime/proc.go:255
runtime.goexit
	runtime/asm_amd64.s:1581
error verifying MFA
github.com/versent/saml2aws/v2/pkg/provider/okta.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/okta/okta.go:481
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:105
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:187
runtime.main
	runtime/proc.go:255
runtime.goexit
	runtime/asm_amd64.s:1581
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:187
runtime.main
	runtime/proc.go:255
runtime.goexit
	runtime/asm_amd64.s:1581

I confirmed this works if I remove the other YubiKey from the account.

@alsmola
Contributor

alsmola commented Dec 30, 2021

I think this PR should also fix the "multiple Yubikey" error: https://github.com/Versent/saml2aws/pull/745/files

@rkialashaki

I currently use saml2aws with Okta and have 4 YubiKeys configured with my account. I've run into this issue in the current saml2aws version, 2.34.0, where it seems like it pinned the MFA factorID regardless of which YubiKey I had inserted into my device.

A workaround that seemed to work for me was to:

  1. remove the last-added YubiKey from my Okta account
  2. then re-authenticate with saml2aws using the YubiKey I first registered with Okta
  3. then re-add my last-added YubiKey to Okta

Once completed, I could use any of my YubiKey devices again.
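The failure described in this thread (jseiser's log shows a single factor verify call followed by "The provided key handle is not present on the device", and rkialashaki sees the factor pinned regardless of which key is inserted) is what happens when a client hands the connected security key only one of the user's registered key handles. A U2F/CTAP1 key will only sign with a handle it issued itself, for the same application parameter; every other handle yields exactly that error, and the client has to move on to the next registered credential rather than give up. The Go below is an added illustration written for this page, not saml2aws code and not a fix from any of the linked PRs. The Authenticator type is a constructed toy (key handle = nonce || HMAC(device secret, appParam || nonce)) standing in for real hardware, the RP ID and challenge are made up, and VerifyFirstOnly / VerifyAny are hypothetical names for the pinned and the iterating client behaviour.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrWrongKeyHandle stands in for the U2F condition reported in this thread.
var ErrWrongKeyHandle = errors.New("key handle not present on the device, or created with a different application parameter")

// Authenticator is a constructed stand-in for a security key, not real hardware.
// A real key wraps the credential with a device-specific secret; here the handle is
// nonce || HMAC(secret, appParam || nonce), enough to show why a handle from another
// key, or for another RP ID, is rejected.
type Authenticator struct{ secret []byte }

func NewAuthenticator() *Authenticator {
	s := make([]byte, 32)
	if _, err := rand.Read(s); err != nil {
		panic(err)
	}
	return &Authenticator{secret: s}
}

func (a *Authenticator) tag(appParam, nonce []byte) []byte {
	m := hmac.New(sha256.New, a.secret)
	m.Write(appParam)
	m.Write(nonce)
	return m.Sum(nil)
}

// Register returns a key handle bound to appParam (SHA-256 of the RP / app ID).
func (a *Authenticator) Register(appParam []byte) []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, a.tag(appParam, nonce)...)
}

// Sign rejects handles this device did not issue for this appParam; otherwise it
// returns a toy signature over appParam || challenge.
func (a *Authenticator) Sign(appParam, challenge, keyHandle []byte) ([]byte, error) {
	if len(keyHandle) != 16+sha256.Size {
		return nil, ErrWrongKeyHandle
	}
	nonce, tag := keyHandle[:16], keyHandle[16:]
	if !hmac.Equal(tag, a.tag(appParam, nonce)) {
		return nil, ErrWrongKeyHandle
	}
	m := hmac.New(sha256.New, a.secret)
	m.Write(appParam)
	m.Write(challenge)
	return m.Sum(nil), nil
}

// VerifyFirstOnly models the failing client: it pins the first registered credential
// and never consults the rest, so with any other key plugged in the factor fails.
func VerifyFirstOnly(dev *Authenticator, appParam, challenge []byte, handles [][]byte) ([]byte, error) {
	if len(handles) == 0 {
		return nil, errors.New("no credentials registered")
	}
	return dev.Sign(appParam, challenge, handles[0])
}

// VerifyAny is the corrected client: try every credential the IdP lists (WebAuthn
// allowCredentials) and stop at the first one the connected device accepts. Only
// ErrWrongKeyHandle means "try the next"; any other error is surfaced immediately.
// The index of the matching credential is returned so the caller can log it.
func VerifyAny(dev *Authenticator, appParam, challenge []byte, handles [][]byte) ([]byte, int, error) {
	for i, h := range handles {
		sig, err := dev.Sign(appParam, challenge, h)
		if err == nil {
			return sig, i, nil
		}
		if !errors.Is(err, ErrWrongKeyHandle) {
			return nil, -1, err
		}
	}
	return nil, -1, fmt.Errorf("tried %d registered credentials: %w", len(handles), ErrWrongKeyHandle)
}

// AppParam derives the U2F application parameter from an RP ID.
func AppParam(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID))
	return h[:]
}

func main() {
	appParam := AppParam("auth.example.okta.com") // constructed RP ID, not the poster's tenant
	keyA, keyB := NewAuthenticator(), NewAuthenticator()
	handles := [][]byte{keyA.Register(appParam), keyB.Register(appParam)} // A was registered first
	challenge := []byte("constructed-challenge")
	// Only key B is plugged in: the pinned client fails, the iterating client succeeds.
	if _, err := VerifyFirstOnly(keyB, appParam, challenge, handles); err != nil {
		fmt.Println("first-only:", err)
	}
	if _, idx, err := VerifyAny(keyB, appParam, challenge, handles); err == nil {
		fmt.Printf("iterate-all: signed with registered credential #%d\n", idx)
	}
}
```

Two details worth keeping when porting this pattern to a real client: only the "wrong key handle" condition should advance the loop (a user-presence timeout or a transport error should not silently be retried against the next credential), and the final error should say how many credentials were tried, so a log like the one above distinguishes "no registered key is connected" from "the client never got past the first handle".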
