mjhoffman65
commented
2 months ago Looks like aws-google-auth is having issues as well due to Google's redesigned login UI. There's a proposed fix that we can use as a reference.
Open aturbenson opened 2 months ago
mjhoffman65
commented
2 months ago Looks like aws-google-auth is having issues as well due to Google's redesigned login UI. There's a proposed fix that we can use as a reference.
ykag
commented
2 months ago We're experiencing the same issue, impacting quite a lot of users, would be good to see if there is any plans to resolve this in the very near future.
lionello
commented
2 months ago Same issue. For now, I'm grabbing the SAML assertion in my browser's web inspector (look for the saml resource) and using this shell script: https://gist.github.com/lionello/9b77df5cd7eded3cdaca3ad644d0dd35
jmctune
commented
1 month ago The workaround right now is to log in via the browser method until someone patches it:
SAML2AWS_IDP_PROVIDER=Browser saml2aws login --download-browser-driver
codingtony-candid
commented
1 month ago Any update on this issue?
austinfinnql
commented
1 month ago The workaround right now is to log in via the browser method until someone patches it:
SAML2AWS_IDP_PROVIDER=Browser saml2aws login --download-browser-driver
The ^ command didn't work for me. In case anyone else has a similar issue, you can try appending the account name to command . The full command that worked for me ended up being SAML2AWS_IDP_PROVIDER=Browser saml2aws login --download-browser-driver -a uat. You will find your account name in the .samlaws file
aaronthebaron
commented
3 weeks ago I have a pull request open to fix this issue as it's impacting most of the users in my org. I have been able to test for myself the new login flow with a 2FA phone app.
If any of you have a different 2FA you want to test this code against, it would be appreciated.
You can build my branch and test with the local copy: https://github.com/aaronthebaron/saml2aws/tree/master?tab=readme-ov-file#building
codingtony-candid
commented
3 weeks ago @aaronthebaron I'm in the same boat. I will give a shot to your branch.
edan-shalom
commented
3 weeks ago Same here.. Thanks for sharing! Will give it a try as well.
aaronthebaron
commented
3 weeks ago If you find it's not working, run the command with DUMP_CONTENT=true and --verbose flag. You can give me that output in the PR and I'll see if I can fix. Thanks!
vtstanescu
commented
2 weeks ago I suppose this can be closed with the merging of https://github.com/Versent/saml2aws/pull/1285 Is there an ETA for a new release to include the fix?
mjhoffman65
commented
2 weeks ago @mapkon Could a release be cut for this? Eager to stop logging in via my browser everytime :-)
codingtony-candid
commented
2 weeks ago Got this error when I tried to login this morning,
I tried to login on both @aaronthebaron's branch and on this repo's master branch
Using IdP Account default to access GoogleApps https://accounts.google.com/o/saml2/initsso?xxxxxxxxxxx
Authenticating as xxxxxxxxx...
Error authenticating to IdP.: error loading challenge page: unable to extract skip form: could not find form with query "form[action$=\"skip\"]"Can't dump the output of saml2aws with DUMP_CONTENT=true because it has sensitive information (I can see my creds in clear text in the output)
EDIT That might be an edge case that doesn't deserve to be fixed... This is the output when I tried to login with
SAML2AWS_BROWSER_TYPE=chrome SAML2AWS_IDP_PROVIDER=Browser@codingtony-candid This is the one case found so far I haven't been able to test locally, making it a bit difficult to pin down.
I started to work a bit on it here, see that conversation to understand where that's at. https://github.com/Versent/saml2aws/pull/1286
@edwardrf had some initial changes to test that I believe are closer to the mark than where I was going. I haven't had time to look further this week.
codingtony-candid
commented
2 weeks ago For prosperity, I rebooted my phone and I was able to use the "Tap Yes" method.
@aaronthebaron I have the html dumped locally. If it can help for debugging lmk. Perhaps if you shutdown your phone, you may end up in the same situation and will be easier to reproduce the issue?
edan-shalom
commented
2 weeks ago I encountered the same issue two days ago on both @aaronthebaron’s branch and the master branch of this repo. After reverting to using the Browser for authentication and then switching back to GoogleApps, the issue was resolved. Interestingly, this problem occurred consistently on my Mac and when working with the laptop's screen but not when connected to an external screen, though this might just be a coincidence, as I haven’t extensively tested it in different environments. Additionally, I did not observe this issue in the Linux distribution I built for other employees at my company. I hope some of this information is helpful.
mapkon
commented
2 weeks ago What is the way forward here? Should we revert the changes that were pushed to trunk?
codingtony-candid
commented
2 weeks ago I don't think it should be reverted from trunk. The code that was merged is very useful for the users of saml2aws with Google IdP.
The issue that was later mentioned in the thread is less of a problem and it's tracked as a separate issue (#1286).
When using the GoogleApps provider with saml2aws, I'm getting a error:
Looking at the code I see that saml2aws is looking for a form with
id=gaia_loginform, but the html I get when running saml2aws login doesn't have that element. It looks like google might have made an update to their login form so the form can no longer be accessed with that id.Is there a workaround so saml2aws login can work with the updated Google form?