Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP
https://github.com/Versent/saml2aws
MIT License
2.07k stars 562 forks

saml2aws login suddenly stopped working #224

Closed srflaxu40 closed 6 years ago

srflaxu40 commented 6 years ago
~/kops-drivers/bin$ saml2aws login
Using IDP Account default to access JumpCloud https://sso.jumpcloud.com/saml2/redacted
To use saved password just hit enter.
Username [johnson.redacted@redacted.com]: 
Password: *************

Authenticating as johnson.redacted@redacted.com ...
unable to locate IDP authentication form submit URL
error authenticating to IdP
github.com/versent/saml2aws/cmd/saml2aws/commands.Login
    /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/commands/login.go:56
main.main
    /Users/markw/go/src/github.com/versent/saml2aws/cmd/saml2aws/main.go:106
runtime.main
    /usr/local/Cellar/go/1.9.2/libexec/src/runtime/proc.go:195
runtime.goexit
    /usr/local/Cellar/go/1.9.2/libexec/src/runtime/asm_amd64.s:2337

Can no longer use saml2aws login on SSO endpoints. It seems that maybe something changed between it and the IdP (JumpCloud)?

Trying with verbose flag gives same error.

vr00n commented 6 years ago

Same here

btsteve commented 6 years ago

Same Here

fogfish commented 6 years ago

JumpCloud has changed the layout of their login screen. I hope you guys know how to fix it. I am also escalating this issue to the JumpCloud support team.

fogfish commented 6 years ago

What I can say here is that they replaced the traditional web form with a scripted version. Therefore the code at https://github.com/Versent/saml2aws/blob/master/pkg/provider/jumpcloud/jumpcloud.go#L66 is not able to detect an action to post the data to.

I really do not understand why these guys do not think about compatibility.

If you are interested, the new form sends a request to

POST https://console.jumpcloud.com/userconsole/auth
Content-Type: application/json; charset=utf-8

{"email": "a@b.com", "password": "qqqq", "context": "sso", "redirectTo": "saml2/aws"}

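
The failure described above is a scraper assumption: the JumpCloud provider looks for a `<form>` with an `action` attribute and gives up when there is none, which is exactly what a login page rendered by JavaScript looks like. The following Go snippet is an added illustration, not saml2aws's own code: it shows a minimal form-action extractor of that kind, resolves the action against the page URL, and returns the same error text the thread shows when no usable form exists. The function name `FindFormSubmitURL` and both HTML samples are constructed for this example; the samples are not captures of real JumpCloud pages.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// ErrNoSubmitURL reuses the message saml2aws printed in this thread, so the
// scripted-page case below fails the same way the reporter saw.
var ErrNoSubmitURL = errors.New("unable to locate IDP authentication form submit URL")

var (
	// formTagRe matches an opening <form ...> tag (case-insensitive, may span lines).
	formTagRe = regexp.MustCompile(`(?is)<form\b[^>]*>`)
	// actionRe pulls the action attribute out of that tag: double-quoted,
	// single-quoted, or bare value. Exactly one capture group is non-empty.
	actionRe = regexp.MustCompile(`(?is)\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)
)

// FindFormSubmitURL scans an IdP login page for a <form> carrying an action
// attribute and resolves that action against the page URL the form came from.
// It returns ErrNoSubmitURL when the markup has no such form, which is what a
// login page built entirely by client-side JavaScript looks like to a scraper.
// (Hypothetical helper written for this example, not the saml2aws API.)
func FindFormSubmitURL(pageHTML string, pageURL string) (string, error) {
	base, err := url.Parse(pageURL)
	if err != nil {
		return "", err
	}
	for _, tag := range formTagRe.FindAllString(pageHTML, -1) {
		m := actionRe.FindStringSubmatch(tag)
		if m == nil {
			continue // a <form> without an action attribute is not a submit target
		}
		// Only one of the three alternatives captured anything; join them.
		action := strings.TrimSpace(m[1] + m[2] + m[3])
		if action == "" {
			continue
		}
		ref, err := url.Parse(action)
		if err != nil {
			continue
		}
		return base.ResolveReference(ref).String(), nil
	}
	return "", ErrNoSubmitURL
}

// Constructed sample of an old-style, scrapable login page (not a real capture):
// the form element itself names where the credentials get posted.
const legacyLoginPage = `<html><body>
<form id="login" method="post" action="/saml2/redacted">
  <input name="email"><input name="password" type="password">
</form></body></html>`

// Constructed sample of a scripted login page (not a real capture): the markup
// carries no <form>; a JavaScript bundle builds the form and POSTs JSON itself,
// so a form-action scraper has nothing to find.
const scriptedLoginPage = `<html><body>
<div id="root"></div>
<script src="/static/login.bundle.js"></script>
</body></html>`

func main() {
	const ssoURL = "https://sso.jumpcloud.com/saml2/redacted"
	for name, page := range map[string]string{"legacy": legacyLoginPage, "scripted": scriptedLoginPage} {
		submit, err := FindFormSubmitURL(page, ssoURL)
		if err != nil {
			fmt.Printf("%s page: %v\n", name, err)
			continue
		}
		fmt.Printf("%s page: submit URL %s\n", name, submit)
	}
}
```

The point of the contrast is that the scraper is not wrong about the legacy page and not buggy on the scripted one: there is simply no server-rendered form to read, so any fix has to either parse the bundle's JSON endpoint (as fogfish reverse-engineered above) or depend on the IdP keeping a stable, documented login form.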
jefmsmit commented 6 years ago

Hi everyone. I'm Jeff from JumpCloud. We did change our login page today in order to make the experience the same for authentication for SAML as well as other uses. We did not realize that this library was scraping our old form.

btsteve commented 6 years ago

Can you guys help fix this?

fogfish commented 6 years ago

Thank you for reaching us! Do you have any suggestions how to fix an issue?

jefmsmit commented 6 years ago

We have reverted the changes for now and everything should be working again. We will figure out how to work with y'all prior to releasing it again. Thanks for understanding.

fogfish commented 6 years ago

@jefmsmit Thanks a lot for the support! I can confirm that it works.

srflaxu40 commented 6 years ago

Does anyone here know of an alternative for this?

https://github.com/Versent/saml2aws/issues/230

It appears that AWS STS endpoints only work with a registered MFA device's ARN, which I don't believe JC supports.