OpenStack CLI Not Working With Okta MFA

Problem

The OpenStack CLI tends not to work with Okta Multi-Factor Authentication (MFA). The following error message is observed when running any OpenStack command with the **--debug** option.

```
starting new HTTPS connection (1): *******.okta.com
https://*******.okta.com:443 "POST /api/v1/authn HTTP/1.1" 200 None
User "username" password validates, checking second factor
Starting new HTTPS connection (1): *******.okta.com
https://*******.okta.com:443 "POST /api/v1/authn/factors/ost1hlvxdmcNbMSaD0h8/verify HTTP/1.1" 200 None
Unable to obtain SAML assertion. Authentication failed or server error.
```

Environment

  • Platform9 Managed OpenStack - All Versions

  • Okta, Google G Suite, OneLogin, Microsoft ADFS

Cause

Identity provider plugins do not support Multi-Factor Authentication for the command-line interface.

Resolution

We have two workarounds for this issue.

  • Disable MFA for the user in Okta, or in whichever of the identity providers mentioned above is in use.

  • Instead of using an SSO user ID, create a local user ID that can be used to access OpenStack through the CLI.
