Netflix / consoleme

A Central Control Plane for AWS Permissions and Access
Apache License 2.0

Consoleme and aws sso integration bug #9334

Open changhyuni opened 2 years ago

changhyuni commented 2 years ago

The following error occurs while linking with AWS SSO locally:

2022-08-05 15:37:23,402 - WARNING - tornado.access - [web.py:2271 - log_request() ] - 403 GET /api/v2/user_profile (::1) 377.89ms
{"asctime": "2022-08-05T15:37:23Z+0900", "name": "consoleme", "processName": "MainProcess", "filename": "exceptions.py", "funcName": "__init__", "levelname": "ERROR", "lineno": 14, "module": "exceptions", "threadName": "MainThread", "message": "Unable to authenticate the user by SAML. Redirecting to authentication endpoint", "eventTime": "2022-08-04T23:36:13.551503-07:00", "hostname": "", "timestamp": "2022-08-05T15:37:23Z+0900"}

{"asctime": "2022-08-05T15:37:23Z+0900", "name": "consoleme", "processName": "MainProcess", "filename": "saml.py", "funcName": "authenticate_user_by_saml", "levelname": "ERROR", "lineno": 70, "module": "saml", "threadName": "MainThread", "message": null, "function": "consoleme.lib.saml.authenticate_user_by_saml", "error": "SAML Response not found, Only supported HTTP_POST Binding", "eventTime": "2022-08-04T23:36:13.551503-07:00", "hostname": "", "timestamp": "2022-08-05T15:37:23Z+0900"}

My SAML config:

# Warning: The following configuration file is an example, and it is insecure by default. Please carefully
# review and change values accordingly before deploying to a production environment. You are responsible
# for your deployment.

extends:
  - example_config_base.yaml
  - example_secrets.yaml

auth:
  get_user_by_saml: true
  set_auth_cookie: true
  force_redirect_to_identity_provider: false

get_user_by_saml_settings:
  idp_metadata_url: https://portal.sso.ap-northeast-2.amazonaws.com/saml/metadata/************
  saml_path: example_config/saml_examples
  jwt:
    expiration_hours: 1
    email_key: email
    groups_key: groups
  attributes:
    user: user
    groups: groups
    email: email
  saml_settings:
    debug: true
    # idp:
    #   entityId: https://portal.sso.ap-northeast-2.amazonaws.com/saml/assertion/*********
    #   singleLogoutService:
    #     binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    #     url: https://portal.sso.ap-northeast-2.amazonaws.com/saml/logout/************
    #   singleSignOnService:
    #     binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    #     url: https://portal.sso.ap-northeast-2.amazonaws.com/saml/assertion/**********
    #   x509cert: ********************

    sp:
      NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      assertionConsumerService:
        binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
        url: http://127.0.0.1:8081/saml/acs
      entityId: http://127.0.0.1:8081
      singleLogoutService:
        binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
        url: http://127.0.0.1:8081/saml/sls
    strict: false
    support:
      emailAddress: support@example.com
      givenName: support_name
      technical:
        emailAddress: technical@example.com
        givenName: technical_name
    # security:
    #   authnRequestsSigned: true
    #   digestAlgorithm: http://www.w3.org/2000/09/xmldsig#sha1
    #   logoutRequestSigned: true
    #   logoutResponseSigned: true
    #   nameIdEncrypted: true
    #   signMetadata: true
    #   signatureAlgorithm: http://www.w3.org/2000/09/xmldsig#rsa-sha1
    #   wantAssertionsEncrypted: true
    #   wantAssertionsSigned: true
    #   wantMessagesSigned: true
    #   wantNameId: true
    #   wantNameIdEncrypted: false

url: http://127.0.0.1:8081

http://127.0.0.1:3000/auth?redirect_url=http://127.0.0.1:3000  403 Forbidden
http://127.0.0.1:3000/api/v2/user_profile  403 Forbidden

If you remove the start URL in AWS SSO, it works temporarily, but then you get the above error again.

consoleme <-> aws sso <-> ldp

changhyuni commented 2 years ago

When analyzed with SAML-tracer, ConsoleMe requests data with GET instead of POST:

GET https://portal.sso.ap-northeast-2.amazonaws.com/saml/assertion/MzU3ODM2OTI0MzAzX2lucy0yOTgzNzE0YmE4YTE5YjVi?SAMLRequest=fVNdb9owFH3vr4jynsT5GB8WIGXANqRCIkirsZfJdS4lU2JntlMgv352oC2VOvJi%2Bfqec%2B8592YkSVXWO** HTTP/1.1
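The two SAML bindings that show up in this thread, as an added example (this is not ConsoleMe's, python3-saml's or the reporter's code). The posted config declares `singleSignOnService` with the HTTP-Redirect binding, so the AuthnRequest leaving the SP is a GET whose `SAMLRequest=` parameter is the deflated, base64-encoded, URL-encoded XML, which is the shape of the request in the SAML-tracer capture above. The SAMLResponse coming back is a different message and, per the `saml.py` log line, the ACS accepts it only on the HTTP-POST binding. The block encodes and decodes a constructed AuthnRequest the way the Redirect binding does, checks its ACS URL, binding and Issuer against the `sp:` block from the posted config, and applies the ACS acceptance rule to a POST and to a GET. The IdP URL `https://idp.example.com/...`, the request ID, timestamp and the sample `SAMLResponse` values are placeholders constructed for the example; the `sp:` values are the reporter's local ones.

```python
"""Added example: SAML HTTP-Redirect vs HTTP-POST bindings in an SP-initiated login.

Not ConsoleMe or python3-saml code. URLs other than the reporter's 127.0.0.1:8081
SP values, the request ID and the timestamp are constructed for the example.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Mirrors the `sp:` block of the posted config (local development URLs).
SP_SETTINGS = {
    "entityId": "http://127.0.0.1:8081",
    "assertionConsumerService": {"binding": BINDING_POST, "url": "http://127.0.0.1:8081/saml/acs"},
}

# Constructed AuthnRequest. A real one is produced by the SP library, and is signed
# when security.authnRequestsSigned is enabled. The IdP Destination is a placeholder.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_example0001" Version="2.0" IssueInstant="2022-08-05T06:37:23Z" '
    'Destination="https://idp.example.com/saml/assertion/EXAMPLE" '
    f'ProtocolBinding="{BINDING_POST}" '
    'AssertionConsumerServiceURL="http://127.0.0.1:8081/saml/acs">'
    '<saml:Issuer>http://127.0.0.1:8081</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml_message: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE -> base64 -> URL-encode (SAML Bindings 3.4.4.1).

    This is why the captured GET carries one long opaque SAMLRequest= value.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(xml_message.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_binding(param_value: str) -> str:
    """Inverse of encode_redirect_binding; run it on a SAMLRequest= value from a trace."""
    raw = base64.b64decode(urllib.parse.unquote(param_value))
    return zlib.decompress(raw, -15).decode("utf-8")


def summarize_authn_request(xml_message: str) -> dict:
    """Extract the fields that decide where and how the IdP will deliver the Response."""
    root = ET.fromstring(xml_message)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "protocol_binding": root.get("ProtocolBinding"),
    }


def check_request_against_sp(summary: dict, sp_settings: dict) -> list:
    """List mismatches that would send the Response to the wrong URL or on the wrong binding."""
    acs = sp_settings["assertionConsumerService"]
    problems = []
    if summary["issuer"] != sp_settings["entityId"]:
        problems.append("Issuer does not match sp.entityId")
    if summary["acs_url"] != acs["url"]:
        problems.append("AssertionConsumerServiceURL does not match sp.assertionConsumerService.url")
    if summary["protocol_binding"] != BINDING_POST:
        problems.append("ProtocolBinding must be HTTP-POST; the ACS accepts nothing else")
    return problems


def classify_acs_request(method: str, query: dict, form: dict) -> str:
    """The ACS rule behind the logged error: SAMLResponse is taken from POST form data only."""
    if method.upper() == "POST" and "SAMLResponse" in form:
        return "accepted: HTTP-POST binding"
    if "SAMLResponse" in query:
        return "rejected: SAMLResponse on HTTP-Redirect binding, only HTTP-POST is supported"
    return "rejected: SAML Response not found"


if __name__ == "__main__":
    param = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    print("GET https://idp.example.com/saml/assertion/EXAMPLE?SAMLRequest=" + param[:40] + "...")
    summary = summarize_authn_request(decode_redirect_binding(param))
    print(summary, check_request_against_sp(summary, SP_SETTINGS))
    # Constructed SAMLResponse values; a real one is base64 XML and is validated by the SP library.
    print(classify_acs_request("POST", {}, {"SAMLResponse": "PHNhbWxwOlJlc3BvbnNlLi4u", "RelayState": "/"}))
    print(classify_acs_request("GET", {"SAMLResponse": "PHNhbWxwOlJlc3BvbnNlLi4u"}, {}))
```

Decoding the real `SAMLRequest=` value from the SAML-tracer capture with `decode_redirect_binding` shows what the SP actually told the IdP: if `AssertionConsumerServiceURL` or `ProtocolBinding` there disagrees with the `sp:` block, or with what is registered on the AWS SSO side, the Response will not arrive as a POST to `/saml/acs` and the ACS raises exactly the error in the log. Separately, the posted config keeps `strict: false` and the whole `security:` block commented out; the file's own header says that state is for examples only, and in python3-saml `strict: true` is the switch that makes the toolkit reject unsigned or unencrypted messages it expects signed or encrypted and validate fields such as Destination, so it should be on before this setup leaves localhost.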