WTFender / aws-sso-extender

Browser Extension for AWS SSO / Identity Center
https://wtfender.com/posts/aws-sso-extender
MIT License

Error with Federated Account #58

Open ncs-alexhoward opened 11 months ago

ncs-alexhoward commented 11 months ago

Extension Version

1.5.1

Description

All accounts published through AWS SSO by my organization work great; however, one account is actually accessed via Federation as it is not our account, but one we manage. Doing this through the plugin doesn't seem to log in the same way as when accessed via the AWS SSO directory page provided by my organization. I get a "HTTP 429 Unknown Code" error. When I successfully log in via the SSO directory, I notice that the role does not match the role that is listed in the menu bar dropdown.

Browsers

Firefox

OS

Mac

WTFender commented 11 months ago

@ncs-alexhoward thanks for the report. Just to clarify, when you say "federated", how are you actually getting into that account?

Thanks!

ncs-alexhoward commented 11 months ago

I'm logging into AWS SSO with Okta. I'm told that our AWS account is an IdP on the other account, which is kind of an unusual setup.


> @ncs-alexhoward thanks for the report. Just to clarify, when you say "federated", how are you actually getting into that account?
>
> Are you logging in to an account with SSO and then assuming an IAM role in that account? Or are you logging in directly to an AWS account (with an IAM user) and then assuming an IAM role (in the same or different account)?
>
> Thanks!

WTFender commented 11 months ago

Okay, I think I might have this figured out. Can you confirm a couple things?

Does that one account appear as its own tile on your AWS SSO page? (screenshot)

When you log in to that account (through the SSO page), do you see the word default in the URL bar (for just a second)? (screenshot)

ncs-alexhoward commented 11 months ago

Correct on both counts.


WTFender commented 11 months ago

@ncs-alexhoward The login issue should be fixed in the latest version (1.5.2), but the console label is probably still broken. Can you confirm?

If you're still getting the error, can you copy/paste the URL of the error page?

ncs-alexhoward commented 11 months ago

After a Firefox update/relaunch and resetting my config, the latest update seems to work as expected. Now I just need to figure out why it's not loading in its own container, but that is a question for the AWS SSO Containers project, I guess. Thank you!

WTFender commented 11 months ago

I'll have to fix containers here too, so I'll keep this open. Containers are disabled by default because I anticipate so many folks are already using pyro2927/AWS_SSO_Containers.

The issue is those "external AWS accounts" are a generic SAML app and compared to the AWS accounts assigned to you in Identity Center, the container likely needs to be created in a slightly different way / with a different URL: https://github.com/WTFender/aws-sso-extender/blob/eab2687b3bde7573d29af772ec5667f64a9a79c3/src/utils/container.ts#L122

Elevating7734 commented 9 months ago

I've noticed a similar issue. We use JumpCloud for Authentication and when switching between AWS Orgs profiles, the loading page shows an endless load.

WTFender commented 9 months ago

@Elevating7734 thanks for the info; I'm still getting a handle on the AWS rate limits.

Would you mind sharing approximately how many accounts & profiles you're loading (per org/directory)?

Also, when you say switching between orgs - I'm assuming you have 2 apps in Jumpcloud, 1 linked to each org, right?

Elevating7734 commented 9 months ago

IAM Identity Center instances in two separate AWS Organizations. "Instance 1" has 2 accounts, "Instance 2" has 9 accounts. Each account has between 1 and 5 Permission Sets available.

(screenshot attached)