In OneLogin, it is possible to set up multiple MFA TOTP devices, and to designate one as the primary. However, when I did this, there was no way to make saml2aws use the new MFA device:
- If multiple TOTP devices are available, the CLI does not prompt for which one to use
- There are no CLI flags for specifying which TOTP device to use for OneLogin
  - `--mfa` can be set to `"TOTP"`. All my attempts to set a specific TOTP device resulted in the error "Invalid MFA type"
  - `--disable-remember-device` is only for Okta, not for OneLogin
- Setting a specific MFA device in OneLogin as "primary" has no effect on saml2aws: all attempts to log in were using the same (oldest, non-primary) device and gave the error "Error authenticating to IdP.: error verifying MFA: HTTP 401: Failed authentication with this factor"
The only solution to me was deleting my old MFA TOTP device in OneLogin, so that there was only one MFA device there. After doing that, I could log in without issue.
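The failure mode described in this report is a device-selection problem: when the IdP lists several devices of the requested factor type, the client silently takes the first one instead of honouring the primary flag or letting the user choose. The following Go example, added here and not code from saml2aws or OneLogin, contrasts that behaviour with a selection routine that prefers an explicitly requested device id, then the single device marked primary, then the only candidate, and otherwise refuses to guess. The `MFADevice` struct, its field names and the sample device list are constructed for the example and do not reflect OneLogin's real API schema.

```go
package main

import (
	"errors"
	"fmt"
)

// MFADevice is a hypothetical, simplified view of an MFA device as an IdP
// might return it during login. Constructed for this example; it is not the
// OneLogin API's or saml2aws's actual type.
type MFADevice struct {
	ID      string
	Type    string // factor type, e.g. "TOTP" or "SMS" (constructed values)
	Primary bool   // whether the user marked this device as primary/default
}

var (
	ErrNoDevice        = errors.New("no MFA device of the requested type")
	ErrDeviceNotFound  = errors.New("requested MFA device id not found")
	ErrAmbiguousDevice = errors.New("several MFA devices of the requested type and none is primary; specify one explicitly")
)

// FirstOfType mirrors the behaviour the report describes: it silently takes
// the first device of the requested type, regardless of which one is primary.
func FirstOfType(devices []MFADevice, mfaType string) (MFADevice, bool) {
	for _, d := range devices {
		if d.Type == mfaType {
			return d, true
		}
	}
	return MFADevice{}, false
}

// SelectMFADevice picks the device to verify against.
// wantID is an optional explicit device id (as a CLI flag might supply);
// "" means none was given. Precedence: explicit id, then the single device
// marked primary, then the only candidate. With several candidates and no
// primary it returns ErrAmbiguousDevice rather than guessing, which turns the
// "HTTP 401 with the wrong device" symptom into an actionable error.
func SelectMFADevice(devices []MFADevice, mfaType, wantID string) (MFADevice, error) {
	var candidates []MFADevice
	for _, d := range devices {
		if d.Type == mfaType {
			candidates = append(candidates, d)
		}
	}
	if len(candidates) == 0 {
		return MFADevice{}, ErrNoDevice
	}
	if wantID != "" {
		for _, d := range candidates {
			if d.ID == wantID {
				return d, nil
			}
		}
		return MFADevice{}, ErrDeviceNotFound
	}
	var primary []MFADevice
	for _, d := range candidates {
		if d.Primary {
			primary = append(primary, d)
		}
	}
	switch {
	case len(primary) == 1:
		return primary[0], nil
	case len(candidates) == 1:
		return candidates[0], nil
	default:
		return MFADevice{}, ErrAmbiguousDevice
	}
}

func main() {
	// Constructed sample: an old non-primary TOTP device, a new primary one,
	// and an unrelated SMS factor.
	devices := []MFADevice{
		{ID: "old-totp", Type: "TOTP", Primary: false},
		{ID: "new-totp", Type: "TOTP", Primary: true},
		{ID: "phone", Type: "SMS", Primary: false},
	}
	first, _ := FirstOfType(devices, "TOTP")
	fmt.Println("first-of-type picks:", first.ID) // old-totp: the reported bug
	chosen, err := SelectMFADevice(devices, "TOTP", "")
	fmt.Println("primary-aware picks:", chosen.ID, err) // new-totp <nil>
	_, err = SelectMFADevice(devices, "TOTP", "does-not-exist")
	fmt.Println("explicit unknown id:", err)
}
```

The point of the precedence order is that the client never silently verifies against a device the user did not intend; an unresolvable choice surfaces as a clear error before any factor verification call is made.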