Replies: 3 comments
-
CC: @wolfeidau @gliptak
-
Any updates or any thoughts about recent Duo updates, folks?
-
I was not aware, but I imagine that we would have to retrofit our code to use the new approach based on the new SDK? @zemliany is this something you can work on?
-
Hey, folks! Recently DUO announced a security protection enhancement update to protect their AWS CLI login customers by using non-recommended third-party tools, like saml2aws, aws-adfs, awslogin, etc. https://help.duo.com/s/article/6441?language=en_US
Based on that info, it seems DUO released a new version of the SDK (Duo Web SDK v4) which gets rid of the iframe approach that was implemented in DUO Web SDK v2 and instead uses a new approach that redirects to a temporarily generated page hosted on duosecurity.com, like api-xxxxxxxx.duosecurity.com.
They named this method of prompting while retrieving temp credentials Duo Universal Prompt. It seems Duo is enforcing this new thing across all the partners https://help.duo.com/s/article/7098?language=en_US so quite surely soon we can see full deprecation/EOL of support for Duo Classic (Traditional Duo Prompt) https://help.duo.com/s/article/8694?language=en_US
I'm just wondering if saml2aws maintainers are aware of such activities from Duo's side in the scope of security enhancements that imply a fight against third-party tools, which is essentially what saml2aws is in their eyes and which could be used with Duo along with different providers like Okta, Shibboleth, OneLogin, and if the maintainers are going to do something about that?
I've registered an issue related to that, #1212, which relates to Duo + Okta as IdP, but who knows, perhaps in the long term such issues could snowball and the problems will begin to arise more and more often with different IdPs that use Okta.