Open aturbenson opened 2 months ago
Looks like aws-google-auth is having issues as well due to Google's redesigned login UI. There's a proposed fix that we can use as a reference.
We're experiencing the same issue, impacting quite a lot of users, would be good to see if there are any plans to resolve this in the very near future.
Same issue. For now, I'm grabbing the SAML assertion in my browser's web inspector (look for the saml resource) and using this shell script: https://gist.github.com/lionello/9b77df5cd7eded3cdaca3ad644d0dd35
The workaround right now is to log in via the browser method until someone patches it:
SAML2AWS_IDP_PROVIDER=Browser saml2aws login --download-browser-driver
Any update on this issue?
The workaround right now is to log in via the browser method until someone patches it:
SAML2AWS_IDP_PROVIDER=Browser saml2aws login --download-browser-driver
The ^ command didn't work for me. In case anyone else has a similar issue, you can try appending the account name to the command. The full command that worked for me ended up being SAML2AWS_IDP_PROVIDER=Browser saml2aws login --download-browser-driver -a uat. You will find your account name in the .samlaws file.
I have a pull request open to fix this issue as it's impacting most of the users in my org. I have been able to test for myself the new login flow with a 2FA phone app.
If any of you have a different 2FA you want to test this code against, it would be appreciated.
You can build my branch and test with the local copy: https://github.com/aaronthebaron/saml2aws/tree/master?tab=readme-ov-file#building
@aaronthebaron I'm in the same boat. I will give a shot to your branch.
Same here.. Thanks for sharing! Will give it a try as well.
If you find it's not working, run the command with DUMP_CONTENT=true and --verbose flag. You can give me that output in the PR and I'll see if I can fix. Thanks!
I suppose this can be closed with the merging of https://github.com/Versent/saml2aws/pull/1285. Is there an ETA for a new release to include the fix?
@mapkon Could a release be cut for this? Eager to stop logging in via my browser every time :-)
Got this error when I tried to login this morning,
I tried to login on both @aaronthebaron's branch and on this repo's master branch
Using IdP Account default to access GoogleApps https://accounts.google.com/o/saml2/initsso?xxxxxxxxxxx
Authenticating as xxxxxxxxx...
Error authenticating to IdP.: error loading challenge page: unable to extract skip form: could not find form with query "form[action$=\"skip\"]"
Can't dump the output of saml2aws with DUMP_CONTENT=true because it has sensitive information (I can see my creds in clear text in the output)
EDIT That might be an edge case that doesn't deserve to be fixed... This is the output when I tried to login with
SAML2AWS_BROWSER_TYPE=chrome SAML2AWS_IDP_PROVIDER=Browser
@codingtony-candid This is the one case found so far I haven't been able to test locally, making it a bit difficult to pin down.
I started to work a bit on it here, see that conversation to understand where that's at. https://github.com/Versent/saml2aws/pull/1286
@edwardrf had some initial changes to test that I believe are closer to the mark than where I was going. I haven't had time to look further this week.
For posterity, I rebooted my phone and I was able to use the "Tap Yes" method.
@aaronthebaron I have the html dumped locally. If it can help for debugging lmk. Perhaps if you shut down your phone, you may end up in the same situation and will be easier to reproduce the issue?
I encountered the same issue two days ago on both @aaronthebaron’s branch and the master branch of this repo. After reverting to using the Browser for authentication and then switching back to GoogleApps, the issue was resolved. Interestingly, this problem occurred consistently on my Mac and when working with the laptop's screen but not when connected to an external screen, though this might just be a coincidence, as I haven’t extensively tested it in different environments. Additionally, I did not observe this issue in the Linux distribution I built for other employees at my company. I hope some of this information is helpful.
What is the way forward here? Should we revert the changes that were pushed to trunk?
I don't think it should be reverted from trunk. The code that was merged is very useful for the users of saml2aws with Google IdP.
The issue that was later mentioned in the thread is less of a problem and it's tracked as a separate issue (#1286).
When using the GoogleApps provider with saml2aws, I'm getting an error:
Looking at the code I see that saml2aws is looking for a form with id=gaia_loginform, but the HTML I get when running saml2aws login doesn't have that element. It looks like Google might have made an update to their login form so the form can no longer be accessed with that id. Is there a workaround so saml2aws login can work with the updated Google form?