dnitsch / aws-cli-auth

AWS Developer Authentication using SAML provider linked to AWS account or SSO login without storing refresh tokens locally. Enables linked roles with multiple methods.
MIT License

Additional split on SAMLResponse split #6

Closed stephanpieterse closed 1 year ago

stephanpieterse commented 1 year ago

name: Extra split to remove additional SAML Response Data
about: PR to address special case for some providers


Describe the bug Some providers add additional information in the SAML Response and this appears to be randomly ordered, causing intermittent issues with validation. Example:

SAMLResponse=dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6.........UmVzcG9uc2U+&RelayState=https://console.aws.amazon.com

In this case RelayState is being included and AWS tries to base64-decode it, which is not successful, and causes InvalidIdentityToken: Invalid base64 SAMLResponse (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException;

To Reproduce Steps to reproduce the behavior:

  1. Use the tool such as aws-cli-auth saml -v -d 3600 -p https://foo.example.com --role arn:aws:iam::xxx:role/xxx --principal arn:aws:iam::xxx:saml-provider/xxx -s --cfg-section nonprod
  2. Log in using the correct credentials
  3. Authentication completes successfully
  4. See error

Expected behavior User able to login with correct credentials.

Screenshots n/a


Additional context n/a
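The failure described in the report, as an added example that is not part of this PR or of the aws-cli-auth code base: a Go function that selects the SAMLResponse field from the intercepted form body by name rather than by position, so RelayState or any other field can appear in any order without ending up inside the token handed to AWS. The assertion text, RelayState value and form bodies are constructed for illustration; `naiveExtract` reproduces the failing behaviour for comparison and is not the project's own code.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample values; a real assertion is the XML document issued by the IdP.
const sampleAssertion = "<samlp:Response>constructed sample, not a real assertion</samlp:Response>"

var sampleToken = base64.StdEncoding.EncodeToString([]byte(sampleAssertion))

const sampleRelayState = "https://console.aws.amazon.com"

// sampleBody mirrors the shape shown in the issue: SAMLResponse first, RelayState appended.
func sampleBody() string {
	return "SAMLResponse=" + sampleToken + "&RelayState=" + sampleRelayState
}

// encodedSampleBody is a proper application/x-www-form-urlencoded body with the
// fields in the opposite order and the token percent-encoded ('+' as %2B, '=' as %3D).
func encodedSampleBody() string {
	return "RelayState=" + url.QueryEscape(sampleRelayState) + "&SAMLResponse=" + url.QueryEscape(sampleToken)
}

// isValidBase64 reports whether s would pass the base64 check AWS applies to SAMLResponse.
func isValidBase64(s string) bool {
	_, err := base64.StdEncoding.DecodeString(s)
	return err == nil
}

// naiveExtract reproduces the failing behaviour: everything after "SAMLResponse="
// is treated as the token, so a trailing "&RelayState=..." ends up inside it.
func naiveExtract(body string) string {
	_, after, _ := strings.Cut(body, "SAMLResponse=")
	return after
}

// extractSAMLResponse splits the body into fields and picks SAMLResponse by name,
// so other fields are ignored whatever order the provider emits them in. The value
// may be percent-encoded (a real form POST) or already decoded (as in the issue's
// example, which contains a raw '+'); the raw value is tried first because
// QueryUnescape would turn a raw '+' into a space and corrupt the base64.
func extractSAMLResponse(body string) (string, error) {
	for _, field := range strings.Split(body, "&") {
		key, value, found := strings.Cut(field, "=")
		if !found || key != "SAMLResponse" {
			continue
		}
		candidates := []string{value}
		if unescaped, err := url.QueryUnescape(value); err == nil && unescaped != value {
			candidates = append(candidates, unescaped)
		}
		for _, c := range candidates {
			if isValidBase64(c) {
				return c, nil
			}
		}
		return "", fmt.Errorf("SAMLResponse field present but not valid base64 (%d bytes)", len(value))
	}
	return "", errors.New("form body contains no SAMLResponse field")
}

func main() {
	for _, body := range []string{sampleBody(), encodedSampleBody()} {
		fmt.Printf("naive token valid base64: %v\n", isValidBase64(naiveExtract(body)))
		token, err := extractSAMLResponse(body)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("extracted token valid base64: %v (%d chars)\n", isValidBase64(token), len(token))
	}
}
```

Checking the token locally before sending it to AWS turns the intermittent `Invalid base64 SAMLResponse` rejection into an immediate, descriptive error on the client side, which is easier to diagnose than a 400 from the STS endpoint.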

dnitsch commented 1 year ago

ah sorry @stephanpieterse - totally missed this

dnitsch commented 1 year ago

I can merge this in now - though will need to bypass the require signed commits policy, since I have not come back to this in a while I realise it's probably not on your active watchlist.