awslabs / awsprocesscreds

Process credential providers for AWS SDKs and Tools
Apache License 2.0

Cannot parse form field #11

Open usa-usa-usa-usa opened 6 years ago

usa-usa-usa-usa commented 6 years ago

I am attempting to run the following line:

awsprocesscreds-saml --endpoint https://my.company.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices --username 'myAccount@mycorp.net' --provider adfs --role-arn arn:aws:iam::595513102389:role/IaaSOperations --verbose

I am getting the following error:

Traceback (most recent call last):
  File "c:\python27\lib\runpy.py", line 174, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "c:\python27\lib\runpy.py", line 72, in _run_code
    exec code in run_globals
  File "C:\Python27\Scripts\awsprocesscreds-saml.exe\__main__.py", line 9, in <module>
  File "c:\python27\lib\site-packages\awsprocesscreds\cli.py", line 81, in saml
    creds = fetcher.fetch_credentials()
  File "c:\python27\lib\site-packages\awsprocesscreds\saml.py", line 348, in fetch_credentials
    creds = super(SAMLCredentialFetcher, self).fetch_credentials()
  File "C:\Users\me\AppData\Roaming\Python\Python27\site-packages\botocore\credentials.py", line 507, in fetch_credentials
    return self._get_cached_credentials()
  File "C:\Users\me\AppData\Roaming\Python\Python27\site-packages\botocore\credentials.py", line 517, in _get_cached_credentials
    response = self._get_credentials()
  File "c:\python27\lib\site-packages\awsprocesscreds\saml.py", line 357, in _get_credentials
    kwargs = self._get_assume_role_kwargs()
  File "c:\python27\lib\site-packages\awsprocesscreds\saml.py", line 393, in _get_assume_role_kwargs
    assertion = self._authenticator.retrieve_saml_assertion(config)
  File "c:\python27\lib\site-packages\awsprocesscreds\saml.py", line 138, in retrieve_saml_assertion
    self._fill_in_form_values(config, form_data)
  File "c:\python27\lib\site-packages\awsprocesscreds\saml.py", line 178, in _fill_in_form_values
    self._ERROR_MISSING_FORM_FIELD % self.USERNAME_FIELD)
awsprocesscreds.saml.SAMLError: Error parsing HTML form, could not find the form field: "ctl00$ContentPlaceHolder1$UsernameTextBox"

JordonPhillips commented 6 years ago

If you open up https://my.company.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices in a web browser what do you see? You should see a login form, something like this:

[image: example]

Note that you may have to configure adfs to use form-based auth by default.

AMMullan commented 6 years ago

I'm running into the same issue - I wonder if this is because we're using ADFS3? I'm using the same details I use for the (modified) version of https://aws.amazon.com/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/

JordonPhillips commented 6 years ago

@AMMullan could you please answer the question I asked @jcwhisman? If form-based login isn't your default configuration, this will not work as only forms-based login is supported.

AMMullan commented 6 years ago

Hey @JordonPhillips - yeah, we use form-based logins. I'm just working through comparing what awsprocesscreds does to process the form and how it differs to the way I do it, might just be a small difference.

hoegertn commented 6 years ago

I am struggling with ADFS too. Part 1 is working if I use

    USERNAME_FIELD = 'UserName'
    PASSWORD_FIELD = 'Password'

Then I get access keys. For other problems, I will open a different issue.

AMMullan commented 6 years ago

Yep, I replicated the fix @hoegertn proposed and it works.

mbokman commented 6 years ago

I ran into the same issue and the fix by @hoegertn solves at least the part about logging in.

I struggled a bit to figure out where to apply it so I am including a diff:

diff saml.py saml.py.org
256,257c256,257
<     USERNAME_FIELD = 'UserName'
<     PASSWORD_FIELD = 'Password'
---
>     USERNAME_FIELD = 'ctl00$ContentPlaceHolder1$UsernameTextBox'
>     PASSWORD_FIELD = 'ctl00$ContentPlaceHolder1$PasswordTextBox'
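
Review bot: Replacing the two constants at lines 256-257 trades one hard-coded naming convention for another, so logins against any IdP whose form still uses the ctl00$ContentPlaceHolder1$... names will fail with the same "could not find the form field" error; I would match against both pairs, or make the field names configurable, rather than overwrite them. The diff was also taken as "diff saml.py saml.py.org", with the modified file first, so the "<" lines are the new values; regenerating it from saml.py.org to saml.py (ideally as a unified diff) would make it read and apply in the expected direction.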

Perhaps it is an idea if these field names can be passed as arguments to the awsprocesscreds tool?

While I am able to login now, I am running into a problem where I am not able to switch roles but I'll open a separate issue for that.

lingrlongr commented 6 years ago

Same problem here, and changing fields to 'UserName' and 'Password' helps. Would it be silly to support all conventions seen in the codebase and have it choose the appropriate one based on what is found in the form?

username
password

UserName
Password

ctl00$ContentPlaceHolder1$UsernameTextBox
ctl00$ContentPlaceHolder1$PasswordTextBox
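
The selection suggested in the comment above, sketched as an added example (not code from awsprocesscreds or from any commenter): pick the username/password pair according to what the login form actually contains. `select_login_fields`, `KNOWN_FIELD_PAIRS` and the sample form are hypothetical names and constructed data; the field-name pairs are the ones quoted in this thread.

```python
from html.parser import HTMLParser

# (username, password) field-name pairs quoted in this thread.
KNOWN_FIELD_PAIRS = [
    ("username", "password"),
    ("UserName", "Password"),
    ("ctl00$ContentPlaceHolder1$UsernameTextBox",
     "ctl00$ContentPlaceHolder1$PasswordTextBox"),
]


class _InputCollector(HTMLParser):
    """Collect name -> (type, value) for every named <input>."""

    def __init__(self):
        super().__init__()
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name"):
            self.inputs[attrs["name"]] = (
                (attrs.get("type") or "text").lower(), attrs.get("value") or "")


def select_login_fields(html):
    """Return (username_field, password_field, hidden_form_data)."""
    collector = _InputCollector()
    collector.feed(html)
    inputs = collector.inputs
    for user_field, pass_field in KNOWN_FIELD_PAIRS:
        if user_field in inputs and pass_field in inputs:
            # Refuse to put a password into a field the page does not mask.
            if inputs[pass_field][0] != "password":
                raise ValueError("%r is not a password input" % pass_field)
            # Hidden fields (view state, auth method) go back unchanged.
            hidden = {n: v for n, (t, v) in inputs.items() if t == "hidden"}
            return user_field, pass_field, hidden
    # Report names only, never values, so nothing sensitive reaches logs.
    raise ValueError("no known username/password fields; inputs seen: %s"
                     % sorted(inputs))


# Constructed sample form, not captured from a real IdP.
ADFS3_FORM = """<form method="post" action="/adfs/ls/">
<input name="UserName" type="email" value="">
<input name="Password" type="password">
<input name="AuthMethod" type="hidden" value="FormsAuthentication">
</form>"""
```

A page with no matching inputs, such as one served when the IdP is not using forms-based login, raises `ValueError` with the list of input names that were present, which is usually enough to see which convention the form uses.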

yiannis-tss commented 5 years ago

Is there an update for that issue? This issue is still present in 2019 if the authentication is done using NTLM instead of username/password.

groboclown commented 4 years ago

I'm still seeing this issue. I pulled from pip, and __init__.py reports version 0.0.2.

When I change the saml.py USERNAME_FIELD and PASSWORD_FIELD to the above listed values, it is able to get me past the login form.

Is there an alternate authentication approach I should be looking at?

aliasgar1 commented 4 years ago

I'm also facing the same issue, but after applying the fix mentioned in the above comments, I am not getting a prompt for the password but am instead getting the error below:

awsprocesscreds.saml.SAMLError: Login failed, could not retrieve SAML assertion. Double check  you have entered your password correctly.