I need to disable the MFA of this Cognito user pool. However, I cannot, when clicking OFF, nothing happens.
You can try to disable MFA using AWS CLI like this:
aws cognito-idp set-user-pool-mfa-config --mfa-configuration OFF --user-pool-id <your_user_pool_id>
Related
I'm using the AWS CLI to enable a MFA user pool with only TOTP MFA (no SMS).
aws cognito-idp set-user-pool-mfa-config --user-pool-id xxxx_xxxx --mfa-configuration OPTIONAL --software-token-mfa-configuration Enabled=true
{
"SoftwareTokenMfaConfiguration": {
"Enabled": true
},
"MfaConfiguration": "OPTIONAL"
}
Seems okay, right?
But when I try to set up an user preference I keep getting this error:
An error occurred (InvalidParameterException) when calling the AdminSetUserMFAPreference operation: User has not set up software token mfa
Command:
aws cognito-idp admin-set-user-mfa-preference --user-pool-id xxxx_xxxx --username username#email.com --software-token-mfa-settings Enabled=true
Tryin to use admin-set-user-preference also doesn't work:
aws cognito-idp admin-set-user-settings --user-pool-id us-xxxx-xxxx--username username#email.com --mfa-option DeliveryMedium=EMAIL
An error occurred (InvalidParameterException) when calling the AdminSetUserSettings operation: Only phone_number attribute is currently supported as a MFA option.
What am I missing? Does it need an extra configuration not mentioned anywhere in documentation?
Solution:
First you need to get the ACCESS_TOKEN for the user and proceed to start the TOTP process:
aws cognito-idp associate-software-token --access-token ACCESS_TOKEN
(this will generate a unique code that you could use in Google Authenticator)
With the TOTP code retrieved from the Authenticator app run:
aws cognito-idp verify-software-token --access-token ACCESS_TOKEN --user-code USER_CODE
With the successfull message from the previous command you can change the user preference:
aws cognito-idp admin-set-user-mfa-preference --user-pool-id xxxxx --username xxxxxxx --software-token-mfa-settings Enabled=True,PreferredMfa=True
Solution:
First you need to get the ACCESS_TOKEN for the user and proceed to start the TOTP process:
aws cognito-idp associate-software-token --access-token ACCESS_TOKEN
(this will generate a unique code that you could use in Google Authenticator)
With the TOTP code retrieved from the Authenticator app run:
aws cognito-idp verify-software-token --access-token ACCESS_TOKEN --user-code USER_CODE
With the successfull message from the previous command you can change the user preference:
aws cognito-idp admin-set-user-mfa-preference --user-pool-id xxxxx --username xxxxxxx --software-token-mfa-settings Enabled=True,PreferredMfa=True
To setup the TOTP for user you have to call the AWS Cognito APIs in the following order
Associate Software Token
Verify Software Token
Set User MFA Preference
The associate software token will give you an SecretCode which you will convert to a QR either so that user can scan it with an authenticator app. Then you will call the verify software token and pass it the code generated by the authenticator app. And finally you will enable the MFA by calling the set user preference API. And voila.
How can I disable the User from Amazon Cognito User Pool using API ?
I tried to check the API from Amazon and couldn't find one.
Thanks.
There is a specific command for disabling user, please see API reference - API_AdminDisableUser
It looks like it is supported here, https://docs.amplify.aws/cli/auth/admin#admin-queries-api
So far I have always been able to log in successfully via sso.
cf login -a url --sso
I need another way to log in for my pipeline script and tried the following command.
cf login [-a API_URL] [-u USERNAME] [-p PASSWORD] [-o ORG] [-s SPACE]
This command does not work with my user, nor with a technical user to whom all necessary roles have been assigned (M D A). I get the following message.
API endpoint: url
Password>
Authenticating...
Credentials were rejected, please try again.
Does anyone know how to solve this problem?
Or maybe an alternative to create a gradle task, for example, that can be executed in a jenkins pipeline.
At the end, I want to automate a deploy (to cloud) of an artifact with my Jenkins pipeline.
You provided —sso flag, so you shouldn’t see a password prompt. Instead you should be given the url to get a token.
Maybe your CF has been misconfigured and does not support SSO yet. I tried to fix the CF CLI to avoid this but it was oddly rejected https://github.com/cloudfoundry/cli/pull/1624
Try fixing your CF installation (it needs to provide some prompts), or skip the —sso flag usage.
Using --sso and -u/-p are not doing the same thing on the backend, and there's no guarantee that a user which can login through SSO is also set up to login as a user stored directly in UAA. UAA has multiple origin's from which users can be loaded, like SAML, LDAP and internal to UAA. When you use the --sso flag, you are typically logging in via a user from your company's SAML provider. When you use the -u/-p flags, it's typically LDAP or UAA, something UAA validates directly.
In order for what you are trying to do to work, you would need to have a user available with an origin in SAML (for --sso) and a user in origin LDAP or UAA (internal), and technically those would be two separate users (despite the fact that they may have the same credentials).
At any rate, if you normally login with the --sso flag and you want to automate work, what you really want is to get a UAA client that is set with the grant type of client credentials. You can then use cf auth CLIENT_ID CLIENT_SECRET --client-credentials to automate logging in.
Typically you don't want your user account to be tied to pipelines and automated scripts anyway. If you leave the company and your user get deactivated then everything breaks :) You want a service account, and that is basically a client enabled with the client credentials grant type in UAA.
I'm using AWS amplify on my vuejs app, but I don't need the MFA authentication.
I'm trying to disable it with import { Auth } from 'aws-amplify';
Auth.setPreferredMFA(user, 'NOMFA'); but it doesn't work.
someone know how to disable it?
You can try with the Amplify CLI. It should propose you the following option:
Multifactor authentication (MFA) user login options: (Use arrow keys)
❯ OFF
- ON (Required for all logins, can not be enabled later) (Disabled)
OPTIONAL (Individual users can use MFA)
I want to learn more.
If you already enable Auth configuration, you have to update it with the following command: amplify auth update
We're using Cognito. All is well. I added a user using the AdminCreateUser API, and they received their temporary password. Unfortunately they waited over a month to login, and now when they try to login with their temporary password, Cognito returns this error:
User account has expired, it must be reset by an administrator.
How do I do that? I don't see any reset button in the Cognito UI. Is there a CLI or API that I can call?
The commands admin-reset-user-password and admin-enable-user do not work for an expired user.
The way you reset an expired user is to call admin-create-user again with the parameter MessageAction value = 'RESEND'
For example via CLI command:
aws cognito-idp admin-create-user --region us-east-1 --user-pool-id us-east-1_youruserpoolid --username theusername --message-action RESEND
From the documentation:
"Set to 'RESEND' to resend the invitation message to a user that
already exists and reset the expiration limit on the user's account."
Once you have reset the user, the user will need to change the temporary password otherwise they will be put back into this state again once they have exceeded the expiration time period (by default 7 days according to AWS documentation).