Versent · Hobbit44 · Dec 11, 2024
diff --git a/cmd/saml2aws/main.go b/cmd/saml2aws/main.go
@@ -81,7 +81,7 @@ func main() {
 	app.Flag("url", "The URL of the SAML IDP server used to login. (env: SAML2AWS_URL)").Envar("SAML2AWS_URL").StringVar(&commonFlags.URL)
 	app.Flag("username", "The username used to login. (env: SAML2AWS_USERNAME)").Envar("SAML2AWS_USERNAME").StringVar(&commonFlags.Username)
 	app.Flag("password", "The password used to login. (env: SAML2AWS_PASSWORD)").Envar("SAML2AWS_PASSWORD").StringVar(&commonFlags.Password)
-	app.Flag("mfa-token", "The current MFA token (supported in Keycloak, ADFS, GoogleApps). (env: SAML2AWS_MFA_TOKEN)").Envar("SAML2AWS_MFA_TOKEN").StringVar(&commonFlags.MFAToken)
+	app.Flag("mfa-token", "The current MFA token (supported in Keycloak, ADFS, GoogleApps, Onelogin TOTP). (env: SAML2AWS_MFA_TOKEN)").Envar("SAML2AWS_MFA_TOKEN").StringVar(&commonFlags.MFAToken)
 	app.Flag("role", "The ARN of the role to assume. (env: SAML2AWS_ROLE)").Envar("SAML2AWS_ROLE").StringVar(&commonFlags.RoleArn)
 	app.Flag("policyfile", "The file containing the supplemental AssumeRole policy. (env: SAML2AWS_POLICY_FILE)").Envar("SAML2AWS_POLICY_FILE").StringVar(&commonFlags.PolicyFile)
 	app.Flag("policyarns", "The ARN of supplemental policies to restrict the token. (env: SAML2AWS_POLICY_ARNS)").Envar("SAML2AWS_POLICY_ARNS").StringVar(&commonFlags.PolicyARNs)

diff --git a/pkg/provider/onelogin/onelogin.go b/pkg/provider/onelogin/onelogin.go
@@ -159,7 +159,7 @@ func (c *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error)
 		samlAssertion = authData.String()
 	case MessageMFARequired:
 		logger.Debug("Verifying MFA")
-		samlAssertion, err = verifyMFA(c, oauthToken, c.AppID, host, resp)
+		samlAssertion, err = verifyMFA(c, loginDetails.MFAToken, oauthToken, c.AppID, host, resp)
 		if err != nil {
 			return "", errors.Wrap(err, "error verifying MFA")
 		}
@@ -206,7 +206,7 @@ func addContentHeaders(r *http.Request) {
 
 // verifyMFA is used to either prompt to user for one time password or request approval using push notification.
 // For more details check https://developers.onelogin.com/api-docs/2/saml-assertions/verify-factor
-func verifyMFA(oc *Client, oauthToken, appID, host, resp string) (string, error) {
+func verifyMFA(oc *Client, mfaToken, oauthToken, appID, host, resp string) (string, error) {
 	stateToken := gjson.Get(resp, "state_token").String()
 	// choose an mfa option if there are multiple enabled
 	var option int
@@ -287,7 +287,12 @@ func verifyMFA(oc *Client, oauthToken, appID, host, resp string) (string, error)
 
 	switch mfaIdentifer {
 	case IdentifierSmsMfa, IdentifierTotpMfa, IdentifierYubiKey, IdentifierDuoSecurity:
-		verifyCode := prompter.StringRequired("Enter verification code")
+		var verifyCode string
+		if mfaIdentifer == IdentifierTotpMfa && mfaToken != "" {
+			verifyCode = mfaToken
+		} else {
+			verifyCode = prompter.StringRequired("Enter verification code")
+		}
 		var verifyBody bytes.Buffer
 		err := json.NewEncoder(&verifyBody).Encode(VerifyRequest{AppID: appID, DeviceID: mfaDeviceID, StateToken: stateToken, OTPToken: verifyCode})
 		if err != nil {