From 95b9234e716548a01b00822bdedd71ab5b08ce42 Mon Sep 17 00:00:00 2001
From: Joe-Zer0 <jmeagle3@gmail.com>
Date: Tue, 20 Oct 2020 11:15:55 -0500
Subject: [PATCH 1/5] update aad to account for mfa being skipped

---
 pkg/provider/aad/aad.go | 368 ++++++++++++++++++++--------------------
 1 file changed, 187 insertions(+), 181 deletions(-)

diff --git a/pkg/provider/aad/aad.go b/pkg/provider/aad/aad.go
index 796400e8f..01073a366 100644
--- a/pkg/provider/aad/aad.go
+++ b/pkg/provider/aad/aad.go
@@ -19,6 +19,7 @@ import (
 	"github.com/versent/saml2aws/v2/pkg/creds"
 	"github.com/versent/saml2aws/v2/pkg/prompter"
 	"github.com/versent/saml2aws/v2/pkg/provider"
+	"golang.org/x/net/html"
 )
 
 // Client wrapper around AzureAD enabling authentication and retrieval of assertions
@@ -682,190 +683,223 @@ func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error)
 	if err != nil {
 		return samlAssertion, errors.Wrap(err, "error retrieving login results")
 	}
+
 	resBody, _ = ioutil.ReadAll(res.Body)
 	resBodyStr = string(resBody)
 
-	// require reprocess
-	if strings.Contains(resBodyStr, "<form") {
-		res, err = ac.reProcess(resBodyStr)
-		if err != nil {
-			return samlAssertion, errors.Wrap(err, "error retrieving login reprocess results")
+	// MFA has been skipped
+	if !strings.HasPrefix(resBodyStr, "<html><head><title>Working...</title>") {
+		// require reprocess
+		if strings.Contains(resBodyStr, "<form") {
+			res, err = ac.reProcess(resBodyStr)
+			if err != nil {
+				return samlAssertion, errors.Wrap(err, "error retrieving login reprocess results")
+			}
+			resBody, _ = ioutil.ReadAll(res.Body)
+			resBodyStr = string(resBody)
 		}
-		resBody, _ = ioutil.ReadAll(res.Body)
-		resBodyStr = string(resBody)
-	}
-
-	// data is embedded javascript object
-	// <script><![CDATA[  $Config=......; ]]>
-	var loginPasswordJson string
-	if strings.Contains(resBodyStr, "$Config") {
-		startIndex := strings.Index(resBodyStr, "$Config=") + 8
-		endIndex := startIndex + strings.Index(resBodyStr[startIndex:], ";")
-		loginPasswordJson = resBodyStr[startIndex:endIndex]
-	}
-	var loginPasswordResp passwordLoginResponse
-	var loginPasswordSkipMfaResp SkipMfaResponse
-
-	if err := json.Unmarshal([]byte(loginPasswordJson), &loginPasswordResp); err != nil {
-		return samlAssertion, errors.Wrap(err, "loginPassword response unmarshal error")
-	}
-	if err := json.Unmarshal([]byte(loginPasswordJson), &loginPasswordSkipMfaResp); err != nil {
-		return samlAssertion, errors.Wrap(err, "loginPassword response unmarshal error")
-	}
-	var restartSAMLResp startSAMLResponse
-	if err := json.Unmarshal([]byte(loginPasswordJson), &restartSAMLResp); err != nil {
-		return samlAssertion, errors.Wrap(err, "startSAML response unmarshal error")
-	}
-
-	mfas := loginPasswordResp.ArrUserProofs
 
-	// If there's an explicit option to skip MFA, do so
-	if loginPasswordSkipMfaResp.URLSkipMfaRegistration != "" {
-		res, err = ac.client.Get(loginPasswordSkipMfaResp.URLSkipMfaRegistration)
-		if err != nil {
-			return samlAssertion, errors.Wrap(err, "error retrieving skip mfa results")
-		}
-	} else if len(mfas) != 0 {
-		// There's no explicit option to skip MFA, and MFA options are available
-		// Start MFA
-		if len(mfas) == 0 {
-			return samlAssertion, errors.Wrap(err, "mfa not found")
+		// data is embedded javascript object
+		// <script><![CDATA[  $Config=......; ]]>
+		var loginPasswordJson string
+		if strings.Contains(resBodyStr, "$Config") {
+			startIndex := strings.Index(resBodyStr, "$Config=") + 8
+			endIndex := startIndex + strings.Index(resBodyStr[startIndex:], ";")
+			loginPasswordJson = resBodyStr[startIndex:endIndex]
 		}
-		mfa := mfas[0]
-		switch ac.idpAccount.MFA {
+		var loginPasswordResp passwordLoginResponse
+		var loginPasswordSkipMfaResp SkipMfaResponse
 
-		case "Auto":
-			for _, v := range mfas {
-				if v.IsDefault {
-					mfa = v
-					break
-				}
-			}
-		default:
-			for _, v := range mfas {
-				if v.AuthMethodID == ac.idpAccount.MFA {
-					mfa = v
-					break
-				}
-			}
-		}
-		mfaReq := mfaRequest{AuthMethodID: mfa.AuthMethodID, Method: "BeginAuth", Ctx: loginPasswordResp.SCtx, FlowToken: loginPasswordResp.SFT}
-		mfaReqJson, err := json.Marshal(mfaReq)
-		if err != nil {
-			return samlAssertion, err
+		if err := json.Unmarshal([]byte(loginPasswordJson), &loginPasswordResp); err != nil {
+			return samlAssertion, errors.Wrap(err, "loginPassword response unmarshal error")
 		}
-		mfaBeginRequest, err := http.NewRequest("POST", loginPasswordResp.URLBeginAuth, strings.NewReader(string(mfaReqJson)))
-		if err != nil {
-			return samlAssertion, errors.Wrap(err, "error retrieving begin mfa")
+		if err := json.Unmarshal([]byte(loginPasswordJson), &loginPasswordSkipMfaResp); err != nil {
+			return samlAssertion, errors.Wrap(err, "loginPassword response unmarshal error")
 		}
-		mfaBeginRequest.Header.Add("Content-Type", "application/json")
-		res, err = ac.client.Do(mfaBeginRequest)
-		if err != nil {
-			return samlAssertion, errors.Wrap(err, "error retrieving begin mfa")
-		}
-		mfaBeginJson := make([]byte, res.ContentLength)
-		if n, err := res.Body.Read(mfaBeginJson); err != nil && err != io.EOF || n != int(res.ContentLength) {
-			return samlAssertion, errors.Wrap(err, "mfa BeginAuth response error")
-		}
-		var mfaResp mfaResponse
-		if err := json.Unmarshal(mfaBeginJson, &mfaResp); err != nil {
-			return samlAssertion, errors.Wrap(err, "mfa BeginAuth  response unmarshal error")
-		}
-		if !mfaResp.Success {
-			return samlAssertion, fmt.Errorf("mfa BeginAuth is not success %v", mfaResp.Message)
+		var restartSAMLResp startSAMLResponse
+		if err := json.Unmarshal([]byte(loginPasswordJson), &restartSAMLResp); err != nil {
+			return samlAssertion, errors.Wrap(err, "startSAML response unmarshal error")
 		}
 
-		//  mfa end
-		for i := 0; ; i++ {
-			mfaReq = mfaRequest{
-				AuthMethodID: mfaResp.AuthMethodID,
-				Method:       "EndAuth",
-				Ctx:          mfaResp.Ctx,
-				FlowToken:    mfaResp.FlowToken,
-				SessionID:    mfaResp.SessionID,
+		mfas := loginPasswordResp.ArrUserProofs
+
+		// If there's an explicit option to skip MFA, do so
+		if loginPasswordSkipMfaResp.URLSkipMfaRegistration != "" {
+			res, err = ac.client.Get(loginPasswordSkipMfaResp.URLSkipMfaRegistration)
+			if err != nil {
+				return samlAssertion, errors.Wrap(err, "error retrieving skip mfa results")
 			}
-			if mfaReq.AuthMethodID == "PhoneAppOTP" || mfaReq.AuthMethodID == "OneWaySMS" {
-				verifyCode := prompter.StringRequired("Enter verification code")
-				mfaReq.AdditionalAuthData = verifyCode
+		} else if len(mfas) != 0 {
+			// There's no explicit option to skip MFA, and MFA options are available
+			// Start MFA
+			if len(mfas) == 0 {
+				return samlAssertion, errors.Wrap(err, "mfa not found")
 			}
-			if mfaReq.AuthMethodID == "PhoneAppNotification" && i == 0 {
-				log.Println("Phone approval required.")
+			mfa := mfas[0]
+			switch ac.idpAccount.MFA {
+
+			case "Auto":
+				for _, v := range mfas {
+					if v.IsDefault {
+						mfa = v
+						break
+					}
+				}
+			default:
+				for _, v := range mfas {
+					if v.AuthMethodID == ac.idpAccount.MFA {
+						mfa = v
+						break
+					}
+				}
 			}
+			mfaReq := mfaRequest{AuthMethodID: mfa.AuthMethodID, Method: "BeginAuth", Ctx: loginPasswordResp.SCtx, FlowToken: loginPasswordResp.SFT}
 			mfaReqJson, err := json.Marshal(mfaReq)
 			if err != nil {
 				return samlAssertion, err
 			}
-			mfaEndRequest, err := http.NewRequest("POST", loginPasswordResp.URLEndAuth, strings.NewReader(string(mfaReqJson)))
+			mfaBeginRequest, err := http.NewRequest("POST", loginPasswordResp.URLBeginAuth, strings.NewReader(string(mfaReqJson)))
 			if err != nil {
 				return samlAssertion, errors.Wrap(err, "error retrieving begin mfa")
 			}
-			mfaEndRequest.Header.Add("Content-Type", "application/json")
-			res, err = ac.client.Do(mfaEndRequest)
+			mfaBeginRequest.Header.Add("Content-Type", "application/json")
+			res, err = ac.client.Do(mfaBeginRequest)
 			if err != nil {
 				return samlAssertion, errors.Wrap(err, "error retrieving begin mfa")
 			}
-			mfaJson := make([]byte, res.ContentLength)
-			if n, err := res.Body.Read(mfaJson); err != nil && err != io.EOF || n != int(res.ContentLength) {
-				return samlAssertion, errors.Wrap(err, "mfa EndAuth response error")
+			mfaBeginJson := make([]byte, res.ContentLength)
+			if n, err := res.Body.Read(mfaBeginJson); err != nil && err != io.EOF || n != int(res.ContentLength) {
+				return samlAssertion, errors.Wrap(err, "mfa BeginAuth response error")
 			}
-			if err := json.Unmarshal(mfaJson, &mfaResp); err != nil {
-				return samlAssertion, errors.Wrap(err, "mfa EndAuth  response unmarshal error")
+			var mfaResp mfaResponse
+			if err := json.Unmarshal(mfaBeginJson, &mfaResp); err != nil {
+				return samlAssertion, errors.Wrap(err, "mfa BeginAuth  response unmarshal error")
 			}
-			if mfaResp.ErrCode != 0 {
-				return samlAssertion, fmt.Errorf("error mfa fail errcode: %d, message: %v", mfaResp.ErrCode, mfaResp.Message)
+			if !mfaResp.Success {
+				return samlAssertion, fmt.Errorf("mfa BeginAuth is not success %v", mfaResp.Message)
 			}
-			if mfaResp.Success {
-				break
+
+			//  mfa end
+			for i := 0; ; i++ {
+				mfaReq = mfaRequest{
+					AuthMethodID: mfaResp.AuthMethodID,
+					Method:       "EndAuth",
+					Ctx:          mfaResp.Ctx,
+					FlowToken:    mfaResp.FlowToken,
+					SessionID:    mfaResp.SessionID,
+				}
+				if mfaReq.AuthMethodID == "PhoneAppOTP" || mfaReq.AuthMethodID == "OneWaySMS" {
+					verifyCode := prompter.StringRequired("Enter verification code")
+					mfaReq.AdditionalAuthData = verifyCode
+				}
+				if mfaReq.AuthMethodID == "PhoneAppNotification" && i == 0 {
+					log.Println("Phone approval required.")
+				}
+				mfaReqJson, err := json.Marshal(mfaReq)
+				if err != nil {
+					return samlAssertion, err
+				}
+				mfaEndRequest, err := http.NewRequest("POST", loginPasswordResp.URLEndAuth, strings.NewReader(string(mfaReqJson)))
+				if err != nil {
+					return samlAssertion, errors.Wrap(err, "error retrieving begin mfa")
+				}
+				mfaEndRequest.Header.Add("Content-Type", "application/json")
+				res, err = ac.client.Do(mfaEndRequest)
+				if err != nil {
+					return samlAssertion, errors.Wrap(err, "error retrieving begin mfa")
+				}
+				mfaJson := make([]byte, res.ContentLength)
+				if n, err := res.Body.Read(mfaJson); err != nil && err != io.EOF || n != int(res.ContentLength) {
+					return samlAssertion, errors.Wrap(err, "mfa EndAuth response error")
+				}
+				if err := json.Unmarshal(mfaJson, &mfaResp); err != nil {
+					return samlAssertion, errors.Wrap(err, "mfa EndAuth  response unmarshal error")
+				}
+				if mfaResp.ErrCode != 0 {
+					return samlAssertion, fmt.Errorf("error mfa fail errcode: %d, message: %v", mfaResp.ErrCode, mfaResp.Message)
+				}
+				if mfaResp.Success {
+					break
+				}
+				if !mfaResp.Retry {
+					break
+				}
+				// if mfaResp.Retry == true then
+				// must exist loginPasswordResp.OPerAuthPollingInterval[mfaResp.AuthMethodID]
+				time.Sleep(time.Duration(loginPasswordResp.OPerAuthPollingInterval[mfaResp.AuthMethodID]) * time.Second)
 			}
-			if !mfaResp.Retry {
-				break
+			if !mfaResp.Success {
+				return samlAssertion, fmt.Errorf("error mfa fail")
 			}
-			// if mfaResp.Retry == true then
-			// must exist loginPasswordResp.OPerAuthPollingInterval[mfaResp.AuthMethodID]
-			time.Sleep(time.Duration(loginPasswordResp.OPerAuthPollingInterval[mfaResp.AuthMethodID]) * time.Second)
-		}
-		if !mfaResp.Success {
-			return samlAssertion, fmt.Errorf("error mfa fail")
-		}
 
-		// ProcessAuth
-		ProcessAuthValues := url.Values{}
-		ProcessAuthValues.Set(startSAMLResp.SFTName, mfaResp.FlowToken)
-		ProcessAuthValues.Set("request", mfaResp.Ctx)
-		ProcessAuthValues.Set("login", loginDetails.Username)
+			// ProcessAuth
+			ProcessAuthValues := url.Values{}
+			ProcessAuthValues.Set(startSAMLResp.SFTName, mfaResp.FlowToken)
+			ProcessAuthValues.Set("request", mfaResp.Ctx)
+			ProcessAuthValues.Set("login", loginDetails.Username)
 
-		ProcessAuthRequest, err := http.NewRequest("POST", loginPasswordResp.URLPost, strings.NewReader(ProcessAuthValues.Encode()))
-		if err != nil {
-			return samlAssertion, errors.Wrap(err, "error retrieving process auth results")
-		}
-		ProcessAuthRequest.Header.Add("Content-Type", "application/x-www-form-urlencoded")
-		res, err = ac.client.Do(ProcessAuthRequest)
-		if err != nil {
-			return samlAssertion, errors.Wrap(err, "error retrieving process auth results")
-		}
-		// data is embeded javascript object
-		// <script><![CDATA[  $Config=......; ]]>
-		resBody, _ = ioutil.ReadAll(res.Body)
-		resBodyStr = string(resBody)
-		// reset res.Body so it can be read again later if required
-		res.Body = ioutil.NopCloser(bytes.NewBuffer(resBody))
+			ProcessAuthRequest, err := http.NewRequest("POST", loginPasswordResp.URLPost, strings.NewReader(ProcessAuthValues.Encode()))
+			if err != nil {
+				return samlAssertion, errors.Wrap(err, "error retrieving process auth results")
+			}
+			ProcessAuthRequest.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+			res, err = ac.client.Do(ProcessAuthRequest)
+			if err != nil {
+				return samlAssertion, errors.Wrap(err, "error retrieving process auth results")
+			}
+			// data is embeded javascript object
+			// <script><![CDATA[  $Config=......; ]]>
+			resBody, _ = ioutil.ReadAll(res.Body)
+			resBodyStr = string(resBody)
+			// reset res.Body so it can be read again later if required
+			res.Body = ioutil.NopCloser(bytes.NewBuffer(resBody))
 
-		// After performing MFA we may be prompted with KMSI (Keep Me Signed In) page
-		// Ref: https://docs.microsoft.com/ja-jp/azure/active-directory/fundamentals/keep-me-signed-in
-		if strings.Contains(resBodyStr, "$Config") {
-			startIndex := strings.Index(resBodyStr, "$Config=") + 8
-			endIndex := startIndex + strings.Index(resBodyStr[startIndex:], ";")
-			ProcessAuthJson := resBodyStr[startIndex:endIndex]
+			// After performing MFA we may be prompted with KMSI (Keep Me Signed In) page
+			// Ref: https://docs.microsoft.com/ja-jp/azure/active-directory/fundamentals/keep-me-signed-in
+			if strings.Contains(resBodyStr, "$Config") {
+				startIndex := strings.Index(resBodyStr, "$Config=") + 8
+				endIndex := startIndex + strings.Index(resBodyStr[startIndex:], ";")
+				ProcessAuthJson := resBodyStr[startIndex:endIndex]
 
-			var processAuthResp processAuthResponse
-			if err := json.Unmarshal([]byte(ProcessAuthJson), &processAuthResp); err != nil {
-				return samlAssertion, errors.Wrap(err, "ProcessAuth response unmarshal error")
+				var processAuthResp processAuthResponse
+				if err := json.Unmarshal([]byte(ProcessAuthJson), &processAuthResp); err != nil {
+					return samlAssertion, errors.Wrap(err, "ProcessAuth response unmarshal error")
+				}
+
+				KmsiURL := res.Request.URL.Scheme + "://" + res.Request.URL.Host + processAuthResp.URLPost
+				KmsiValues := url.Values{}
+				KmsiValues.Set("flowToken", processAuthResp.SFT)
+				KmsiValues.Set("ctx", processAuthResp.SCtx)
+				KmsiValues.Set("LoginOptions", "1")
+				KmsiRequest, err := http.NewRequest("POST", KmsiURL, strings.NewReader(KmsiValues.Encode()))
+				if err != nil {
+					return samlAssertion, errors.Wrap(err, "error retrieving kmsi results")
+				}
+				KmsiRequest.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+				ac.client.DisableFollowRedirect()
+				res, err = ac.client.Do(KmsiRequest)
+				if err != nil {
+					return samlAssertion, errors.Wrap(err, "error retrieving kmsi results")
+				}
+				ac.client.EnableFollowRedirect()
 			}
+		} else {
+			// There was no explicit link to skip MFA
+			// and there were no MFA options available for us to process
+			// This can happen if MFA is enabled, but we're accessing from a MFA trusted IP
+			// See https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#targetText=MFA%20service%20settings,-Settings%20for%20app&targetText=Service%20settings%20can%20be%20accessed,Additional%20cloud-based%20MFA%20settings.
+			// Proceed with login as normal
+		}
 
-			KmsiURL := res.Request.URL.Scheme + "://" + res.Request.URL.Host + processAuthResp.URLPost
+		// If we've been prompted with KMSI despite not going via MFA flow
+		// Azure can do this if MFA is enabled but
+		//  - we're accessing from an MFA whitelisted / trusted IP
+		//  - we've been exempted from a Conditional Access Policy
+		if loginPasswordResp.URLPost == "/kmsi" {
+			KmsiURL := res.Request.URL.Scheme + "://" + res.Request.URL.Host + loginPasswordResp.URLPost
 			KmsiValues := url.Values{}
-			KmsiValues.Set("flowToken", processAuthResp.SFT)
-			KmsiValues.Set("ctx", processAuthResp.SCtx)
+			KmsiValues.Set("flowToken", loginPasswordResp.SFT)
+			KmsiValues.Set("ctx", loginPasswordResp.SCtx)
 			KmsiValues.Set("LoginOptions", "1")
 			KmsiRequest, err := http.NewRequest("POST", KmsiURL, strings.NewReader(KmsiValues.Encode()))
 			if err != nil {
@@ -879,42 +913,14 @@ func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error)
 			}
 			ac.client.EnableFollowRedirect()
 		}
-	} else {
-		// There was no explicit link to skip MFA
-		// and there were no MFA options available for us to process
-		// This can happen if MFA is enabled, but we're accessing from a MFA trusted IP
-		// See https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#targetText=MFA%20service%20settings,-Settings%20for%20app&targetText=Service%20settings%20can%20be%20accessed,Additional%20cloud-based%20MFA%20settings.
-		// Proceed with login as normal
-	}
 
-	// If we've been prompted with KMSI despite not going via MFA flow
-	// Azure can do this if MFA is enabled but
-	//  - we're accessing from an MFA whitelisted / trusted IP
-	//  - we've been exempted from a Conditional Access Policy
-	if loginPasswordResp.URLPost == "/kmsi" {
-		KmsiURL := res.Request.URL.Scheme + "://" + res.Request.URL.Host + loginPasswordResp.URLPost
-		KmsiValues := url.Values{}
-		KmsiValues.Set("flowToken", loginPasswordResp.SFT)
-		KmsiValues.Set("ctx", loginPasswordResp.SCtx)
-		KmsiValues.Set("LoginOptions", "1")
-		KmsiRequest, err := http.NewRequest("POST", KmsiURL, strings.NewReader(KmsiValues.Encode()))
-		if err != nil {
-			return samlAssertion, errors.Wrap(err, "error retrieving kmsi results")
-		}
-		KmsiRequest.Header.Add("Content-Type", "application/x-www-form-urlencoded")
-		ac.client.DisableFollowRedirect()
-		res, err = ac.client.Do(KmsiRequest)
-		if err != nil {
-			return samlAssertion, errors.Wrap(err, "error retrieving kmsi results")
-		}
-		ac.client.EnableFollowRedirect()
+		resBody, _ = ioutil.ReadAll(res.Body)
+		resBodyStr = string(resBody)
 	}
 
-	//  oidc
-	doc, err := goquery.NewDocumentFromResponse(res)
-	if err != nil {
-		return samlAssertion, errors.Wrap(err, "failed to build document from response")
-	}
+	node, _ := html.Parse(strings.NewReader(resBodyStr))
+	doc := goquery.NewDocumentFromNode(node)
+
 	// data in input tag
 	authForm := url.Values{}
 	var authSubmitURL string

From d664c4079482af213f46066d1f74a6e4869d5dc1 Mon Sep 17 00:00:00 2001
From: ismferd <fernandez.molina.ismael@gmail.com>
Date: Mon, 14 Dec 2020 08:46:11 +0100
Subject: [PATCH 2/5] adding ChallengeQuestionAnswer input name

---
 pkg/provider/adfs2/rsa.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/provider/adfs2/rsa.go b/pkg/provider/adfs2/rsa.go
index 436a59e72..5d7f5b0ae 100644
--- a/pkg/provider/adfs2/rsa.go
+++ b/pkg/provider/adfs2/rsa.go
@@ -49,6 +49,7 @@ func (ac *Client) authenticateRsa(loginDetails *creds.LoginDetails) (string, err
 
 	token := prompter.Password("Enter passcode")
 
+	passcodeForm.Set("ChallengeQuestionAnswer", token)
 	passcodeForm.Set("Passcode", token)
 	passcodeForm.Del("submit")
 

From 67c1f754a42e82d8af8514a6b33c9814659a110a Mon Sep 17 00:00:00 2001
From: ismferd <fernandez.molina.ismael@gmail.com>
Date: Mon, 14 Dec 2020 08:59:33 +0100
Subject: [PATCH 3/5] adding ChallengeQuestionAnswer to second the question

---
 pkg/provider/adfs2/rsa.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/provider/adfs2/rsa.go b/pkg/provider/adfs2/rsa.go
index 5d7f5b0ae..4b4acc4c2 100644
--- a/pkg/provider/adfs2/rsa.go
+++ b/pkg/provider/adfs2/rsa.go
@@ -66,6 +66,7 @@ func (ac *Client) authenticateRsa(loginDetails *creds.LoginDetails) (string, err
 	if rsaForm.Get("SAMLResponse") == "" {
 		nextCode := prompter.Password("Enter nextCode")
 
+        rsaForm.Set("ChallengeQuestionAnswer", token)
 		rsaForm.Set("NextCode", nextCode)
 		rsaForm.Del("submit")
 

From f7e90008f483e767cb6b4ee2d721bb7d856706ba Mon Sep 17 00:00:00 2001
From: ismferd <fernandez.molina.ismael@gmail.com>
Date: Mon, 14 Dec 2020 09:38:23 +0100
Subject: [PATCH 4/5] gofmt

---
 pkg/provider/adfs2/rsa.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/provider/adfs2/rsa.go b/pkg/provider/adfs2/rsa.go
index 4b4acc4c2..f5bbdd44e 100644
--- a/pkg/provider/adfs2/rsa.go
+++ b/pkg/provider/adfs2/rsa.go
@@ -66,7 +66,7 @@ func (ac *Client) authenticateRsa(loginDetails *creds.LoginDetails) (string, err
 	if rsaForm.Get("SAMLResponse") == "" {
 		nextCode := prompter.Password("Enter nextCode")
 
-        rsaForm.Set("ChallengeQuestionAnswer", token)
+		rsaForm.Set("ChallengeQuestionAnswer", token)
 		rsaForm.Set("NextCode", nextCode)
 		rsaForm.Del("submit")
 

From 3ad53e410fa9118622f74ebedcf2085245744652 Mon Sep 17 00:00:00 2001
From: John Jones <Jones2026@gmail.com>
Date: Tue, 12 Jan 2021 17:35:18 -0600
Subject: [PATCH 5/5] exclude default profile prompt

---
 cmd/saml2aws/commands/login.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cmd/saml2aws/commands/login.go b/cmd/saml2aws/commands/login.go
index f937dc506..23c3597ad 100644
--- a/cmd/saml2aws/commands/login.go
+++ b/cmd/saml2aws/commands/login.go
@@ -297,7 +297,9 @@ func saveCredentials(awsCreds *awsconfig.AWSCredentials, sharedCreds *awsconfig.
 	log.Println("")
 	log.Println("Your new access key pair has been stored in the AWS configuration")
 	log.Printf("Note that it will expire at %v", awsCreds.Expires)
-	log.Println("To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile", sharedCreds.Profile, "ec2 describe-instances).")
+	if sharedCreds.Profile != "default" {
+		log.Println("To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile", sharedCreds.Profile, "ec2 describe-instances).")
+	}
 
 	return nil
 }