🎨 Clearer app sign on rule failure messages

- Differentiate sign-on failure due to app-level MFA - Differentiate sign-on failure due to app-level re-auth challenge - Use failure message from Okta when available otherwise
tdupreeibp · Aug 18, 2018 · 4f6f597 · 4f6f597
1 parent 12c8e2d
commit 4f6f597
Showing 1 changed file with 26 additions and 6 deletions.
diff --git a/src/main/java/com/okta/tools/saml/OktaSaml.java b/src/main/java/com/okta/tools/saml/OktaSaml.java
@@ -50,22 +50,42 @@ public String getSamlResponse() throws IOException {
 
  private String getSamlResponseForAws(String oktaSessionToken) throws IOException {
  Document document = launchOktaAwsAppWithSessionToken(environment.oktaAwsAppUrl, oktaSessionToken);
- Elements samlResponseInputElement = document.select("form input[name=SAMLResponse]");
- if (samlResponseInputElement.isEmpty()) {
- throw new RuntimeException("You do not have access to AWS through Okta. \nPlease contact your administrator.");
- }
- return samlResponseInputElement.attr("value");
+ return getSamlResponseForAwsFromDocument(document);
  }
 
  private String getSamlResponseForAwsRefresh() throws IOException {
  Document document = launchOktaAwsApp(environment.oktaAwsAppUrl);
+ return getSamlResponseForAwsFromDocument(document);
+ }
+
+ private String getSamlResponseForAwsFromDocument(Document document) {
  Elements samlResponseInputElement = document.select("form input[name=SAMLResponse]");
  if (samlResponseInputElement.isEmpty()) {
- throw new RuntimeException("You do not have access to AWS through Okta. \nPlease contact your administrator.");
+ if (isPasswordAuthenticationChallenge(document)) {
+ throw new IllegalStateException("Unsupported App sign on rule: 'Prompt for re-authentication'. \nPlease contact your administrator.");
+ } else if (isPromptForFactorChallenge(document)) {
+ throw new IllegalStateException("Unsupported App sign on rule: 'Prompt for factor'. \nPlease contact your administrator.");
+ } else {
+ Elements errorContent = document.getElementsByClass("error-content");
+ Elements errorHeadline = errorContent.select("h1");
+ if (errorHeadline.isEmpty()) {
+ throw new RuntimeException("You do not have access to AWS through Okta. \nPlease contact your administrator.");
+ } else {
+ throw new RuntimeException(errorHeadline.text());
+ }
+ }
  }
  return samlResponseInputElement.attr("value");
  }
 
+ private boolean isPasswordAuthenticationChallenge(Document document) {
+ return document.getElementById("password-verification-challenge") != null;
+ }
+
+ private boolean isPromptForFactorChallenge(Document document) {
+ return document.getElementById("okta-sign-in") != null;
+ }
+
  private Document launchOktaAwsAppWithSessionToken(String appUrl, String oktaSessionToken) throws IOException {
  return launchOktaAwsApp(appUrl + "?onetimetoken=" + oktaSessionToken);
  }