cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License
538 stars 180 forks

Problems with Google Prompts #200

Open bhargavamin opened 3 years ago

bhargavamin commented 3 years ago

A few of the users in my company face a problem where they get a Google Prompt on their phone while attempting to log in, but on the terminal they get the following error:

Error::root: SAML lookup failed, storing failure page to 'saml.html' to assist with debugging.

The failure page aka saml.html says "Confirm if it was you/your device or not." with "Yes" or "No"

Does anyone know why Google behaves like this with a few selected users?

However, I figured out that this issue can be bypassed by removing the Google Account from the phone, which disables Google Prompts, and the tool aws-google-auth falls back to secondary 2FA methods like SMS code or Captcha.

Any help or guidance to fix this on Google or aws-google-auth side is much appreciated.

priyendra commented 3 years ago

I can confirm that we are experiencing the same issue as well.

priyendra commented 3 years ago

Based on some debugging we did, we observed the following:

DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /signin/challenge/az/2?continue=... HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /signin/challenge/dp/5?continue=... HTTP/1.1" 200 None

Note the dp vs az. Also, the failure debug html contains a prompt which is supposed to be clicked after the prompt is tapped on the phone.
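To make the dp-vs-az distinction above easy to spot without reading the whole debug log, here is a small added diagnostic script (written for this thread, not part of aws-google-auth) that extracts the challenge path segment from urllib3 debug lines and classifies a saved saml.html as either a real SAML response (it carries the standard `SAMLResponse` form field) or the "confirm if it was you" page. The log lines and HTML fragments are constructed samples modelled on what is quoted in this thread; the mapping of "az" and "totp" to challenge names is an assumption, only "dp" (dual prompt) is named in the thread.

```python
import re
from html.parser import HTMLParser

# Constructed sample log lines, modelled on the urllib3 DEBUG output quoted in this issue.
SAMPLE_LOG = """\
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /signin/challenge/az/2?continue=https://example.invalid HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "GET /signin/challenge/dp/5?continue=https://example.invalid HTTP/1.1" 200 None
DEBUG:urllib3.connectionpool:https://accounts.google.com:443 "POST /signin/challenge/totp/2 HTTP/1.1" 200 None
"""

# Constructed failure page, modelled on the saml.html described in this issue.
SAMPLE_FAILURE_HTML = """<html><body>
<h1>2-Step Verification</h1>
<p>Confirm if it was you/your device or not.</p>
<button>Yes</button><button>No</button>
</body></html>"""

# Constructed page a successful login would produce: an auto-posting form
# carrying the standard SAMLResponse field (value is a placeholder, not a real assertion).
SAMPLE_SUCCESS_HTML = """<html><body>
<form method="post" action="https://signin.aws.amazon.com/saml">
<input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlPg==">
</form></body></html>"""

# Human-readable names for the challenge path segment. Only "dp" is named in the
# thread ("Dual Prompt"); the other entries are assumptions for illustration.
CHALLENGE_NAMES = {
    "az": "Google Prompt pushed to a signed-in phone (assumed)",
    "dp": "Dual prompt: phone prompt plus a confirmation click in the browser",
    "totp": "Authenticator app code (assumed)",
}

# Matches the request line inside a urllib3 debug message, e.g.
#   "GET /signin/challenge/dp/5?continue=... HTTP/1.1"
CHALLENGE_RE = re.compile(
    r'"(?P<method>GET|POST) /signin/challenge/(?P<kind>[a-z]+)/(?P<step>\d+)'
)


def extract_challenges(log_text):
    """Return (method, kind, step) for every challenge request found in urllib3 debug output."""
    found = []
    for line in log_text.splitlines():
        m = CHALLENGE_RE.search(line)
        if m:
            found.append((m.group("method"), m.group("kind"), int(m.group("step"))))
    return found


def describe_challenges(log_text):
    """Pair each challenge kind with its (partly assumed) human-readable name."""
    return [
        (kind, CHALLENGE_NAMES.get(kind, "unknown challenge type"))
        for _, kind, _ in extract_challenges(log_text)
    ]


class _PageScanner(HTMLParser):
    """Collects visible text and notes whether a SAMLResponse form field is present."""

    def __init__(self):
        super().__init__()
        self.has_saml_response = False
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "input" and dict(attrs).get("name") == "SAMLResponse":
            self.has_saml_response = True

    def handle_data(self, data):
        self.text.append(data)


def diagnose_failure_page(html):
    """Classify a saved saml.html.

    'saml_response'            - the page carries the SAMLResponse field, i.e. login succeeded
    'dual_prompt_confirmation' - the "confirm if it was you" Yes/No page described in this issue
    'unknown'                  - anything else (wrong password, captcha, unexpected layout)
    """
    scanner = _PageScanner()
    scanner.feed(html)
    if scanner.has_saml_response:
        return "saml_response"
    body = " ".join(scanner.text).lower()
    if "confirm" in body and re.search(r"\byes\b", body) and re.search(r"\bno\b", body):
        return "dual_prompt_confirmation"
    return "unknown"


if __name__ == "__main__":
    for kind, name in describe_challenges(SAMPLE_LOG):
        print(f"challenge {kind}: {name}")
    print("failure page:", diagnose_failure_page(SAMPLE_FAILURE_HTML))
    print("success page:", diagnose_failure_page(SAMPLE_SUCCESS_HTML))
```

Run it against a real debug log by replacing `SAMPLE_LOG` with the captured output and `SAMPLE_FAILURE_HTML` with the contents of saml.html; a "dp" challenge followed by a "dual_prompt_confirmation" page is the signature of the problem reported in this thread.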

priyendra commented 3 years ago

Here's the failure debug html screenshot.

[Screenshot: Screen Shot 2020-10-08 at 3 22 58 PM]

tomcolaa commented 3 years ago

Also facing the same issue since last week and also getting the same debug html screenshot. Already tried to reset my password and change the 2FA method but Google doesn't allow it.

TEMPORARY SOLUTION EDIT (13.10.2020): I found a solution that worked for me.

  1. Go to your Google Account > Security > Devices
  2. Log out from your phone (Remove Phone)
  3. Go to Security > 2FA and set up 2FA with the Authenticator App
  4. Open a Chrome Incognito Window -> Sign In with your Google Account using the 2FA Authenticator App and check the box remember this PC
  5. Go back to VSCode and run your aws-google-auth command as usual. It should now ask you for an MFA token from your Authenticator App. Make sure you have enough time left until the code gets invalidated and enter the code.

The problem is that as soon as you log in on your phone again, 2FA will jump back to phone prompts. Therefore you can't log back into your Google account on your phone.

Cheers!

bhargavamin commented 3 years ago

Seems a lot of us are having the same issue.

Some of the other troubleshooting steps I did to bypass this:

  1. Remove device/phone from Google Account (thanks @tomcolaa) or Remove Google Account from Device
  2. It helped to clean up saml_cache files from ~/.aws directory and start fresh.
  3. It also helped to get a different login option when I changed my Network/IP. I did this because Google sometimes blocks traffic initiated from a particular IP as bot/malicious. (I derived this step while going through the comments in google.py.)

mikehodgk commented 3 years ago

Might be worth pointing out that this issue started for me when I updated my Samsung Note 9 (SM-N960F) to Android 10. Could be a coincidence though.

mursilsayed commented 3 years ago

I am using ver 0.0.36 and facing a similar problem with Google prompts. In my case I am getting the 2FA Google prompt on my mobile device, but aws-google-auth throws an error without waiting for the response.

Google Password: 
ERROR:root:SAML lookup failed, storing failure page to 'saml.html' to assist with debugging.
Something went wrong - Could not find SAML response, check your credentials or use --save-failure-html to debug.

Removing Google account from mobile device helped. aws-google-auth is now prompting for the fallback 2FA authentication application.

aukris commented 3 years ago

Resetting my google password did the trick for me. It still makes me solve a captcha though 😞

stevemac007 commented 3 years ago

Support for the Dual Prompt dp path has been merged now.

The issues here should be resolved with the release of 0.0.37

unstoppablecarl commented 3 years ago

I just set this up for the first time with version aws-google-auth 0.0.37 and am having the same problems described above.

aviv-barel-pp commented 3 years ago

I recently encountered the same error, using aws-google-auth 0.0.36

dtmpower commented 3 years ago

I'm having to remove the Google account from my phone each time before I login with aws-google-auth

unstoppablecarl commented 3 years ago

Do I need to do something special on my end to get this to work other than removing the google account from my phone every time?

Parent5446 commented 3 years ago

I ran into this same issue, and I think it's just a minor fix. Submitted a PR in #227.

filoxo commented 3 years ago

I'm still encountering this issue while onboarding at a new company.

eechau commented 3 years ago

Facing the same issue from time to time.

Parent5446 commented 3 years ago

@eechau @filoxo I recommend patching in my pull request above (or just checking out my fork), since it fixed the issue for me. I'm not sure if the author still monitors this repository.

yuanweid1g1t commented 3 years ago

I'm getting this issue now, even with @Parent5446's patch. Wasn't getting this issue before, then had to change my password, and now I'm getting this issue. Nothing I've tried works :/

Edit: I figured out the issue: after changing my password, I had to manually update my password in the Credential Manager.