prolane / samltoawsstskeys

Google Chrome Extension which converts a SAML 2.0 assertion to AWS STS Keys.
MIT License

Doesn't work for me #33

Closed AstroTom closed 4 years ago

AstroTom commented 5 years ago

Hi, Not sure what the problem is. I installed the plugin and logged in to the AWS console with my Google G-suite SAML, but nothing happens. Is something supposed to pop up?

I also tried this in Incognito mode, but that also does not work.

I also installed it in Firefox, but with the same negative results.

Any suggestions?

ChristophShyper commented 4 years ago

Doesn't work on MacOS with Chrome.

prolane commented 4 years ago

Hi guys

@AstroTom You are supposed to see Chrome downloading a file, which will be saved to the location specified in the options panel.

Both of you could try checking the logs:

Go to Extensions

Also, I've seen other users reporting the extension wasn't working because they had other extensions enabled which were interfering. So you could try disabling your other extensions to see if that makes any difference. If it does, enable the other extensions one by one to find the malicious one.

ChristophShyper commented 4 years ago

Hello, I've tried a couple of different combinations without any effect. Console is empty.

prolane commented 4 years ago

Do you have debug enabled in the options panel @ChristophShyper ?

I'm on MacOS with Chrome as well btw. So I'm expecting there is something odd with your setup perhaps?

ChristophShyper commented 4 years ago

OK, after some more digging console logs are showing up:

```
ValidationError: The requested DurationSeconds exceeds the MaxSessionDuration set for this role.
    at constructor.s (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk-2.7.5.min.js:35:9093)
    at constructor.callListeners (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk-2.7.5.min.js:36:2887)
    at constructor.emit (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk-2.7.5.min.js:36:2596)
    at constructor.emitEvent (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk-2.7.5.min.js:35:22039)
    at constructor.e (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk-2.7.5.min.js:35:17889)
    at a.runTo (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk-2.7.5.min.js:37:8555)
    at chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk-2.7.5.min.js:37:8762
    at constructor.<anonymous> (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk-2.7.5.min.js:35:18099)
    at constructor.<anonymous> (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk-2.7.5.min.js:35:22094)
    at constructor.callListeners (chrome-extension://ekniobabpcnfjgfbphhcolcinmnbehde/lib/aws-sdk-2.7.5.min.js:36:2993)
```

And:

```
aws-sdk-2.7.5.min.js:34 POST https://sts.amazonaws.com/ 400 (Bad Request)
```

Session duration in Okta is set to 14400, if it helps.

prolane commented 4 years ago

There you go.

The error already says it all. You have a configuration mismatch between Okta and the AWS Role: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml.html#troubleshoot_saml_duration-exceeds

ChristophShyper commented 4 years ago

Thank you for pointing to IAM setup. It's one of those options that I forgot even exists :) Now extension works perfectly and switching between the accounts is super easy.

prolane commented 4 years ago

Great @ChristophShyper, glad it works now! 👍

prolane commented 4 years ago

@AstroTom Please re-open the issue in case the above suggestions did not help you.
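The `ValidationError` diagnosed above can be caught before the STS call by comparing the duration carried in the SAML assertion with each role's `MaxSessionDuration`. The following is an added example, not part of the thread or the extension's code: it assumes the requested duration comes from the assertion's `SessionDuration` attribute, and `checkSessionDuration`, the `roleMaxSeconds` map and the sample assertion (account ID, role and provider names) are constructed for illustration.

```javascript
// Added example, not the extension's code: pre-flight check for the
// "DurationSeconds exceeds the MaxSessionDuration" ValidationError.
const SESSION_ATTR = 'https://aws.amazon.com/SAML/Attributes/SessionDuration';
const ROLE_ATTR = 'https://aws.amazon.com/SAML/Attributes/Role';
const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Text of every AttributeValue under the named Attribute. Regex parsing is a
// simplification that tolerates any namespace prefix; it does not validate the
// XML or its signature, so use it for diagnostics only.
function attributeValues(xml, name) {
  const attr = new RegExp(`<(?:\\w+:)?Attribute\\b[^>]*Name="${esc(name)}"[^>]*>` +
    `([\\s\\S]*?)</(?:\\w+:)?Attribute>`).exec(xml);
  if (!attr) return [];
  const value = /<(?:\w+:)?AttributeValue\b[^>]*>([\s\S]*?)<\/(?:\w+:)?AttributeValue>/g;
  return [...attr[1].matchAll(value)].map((m) => m[1].trim());
}

// samlResponseB64: the base64 SAMLResponse form field posted to AWS.
// roleMaxSeconds: role ARN -> MaxSessionDuration (assumption: the caller has
// looked these up in IAM beforehand). Unknown roles fall back to 3600 s,
// the IAM default for MaxSessionDuration.
function checkSessionDuration(samlResponseB64, roleMaxSeconds) {
  const xml = Buffer.from(samlResponseB64, 'base64').toString('utf8');
  const raw = attributeValues(xml, SESSION_ATTR)[0];
  const requested = raw === undefined ? null : Number.parseInt(raw, 10);
  return attributeValues(xml, ROLE_ATTR).map((pair) => {
    // Each value holds a role ARN and a provider ARN, in either order.
    const roleArn = pair.split(',').map((s) => s.trim()).find((a) => a.includes(':role/'));
    const max = roleMaxSeconds[roleArn] ?? 3600;
    // No SessionDuration attribute means there is nothing to compare here.
    return { roleArn, requested, max, ok: requested === null || requested <= max };
  });
}

// Constructed sample assertion: 14400 s requested, as in the Okta setup above.
const SAMPLE_XML = `<saml2p:Response><saml2:Assertion><saml2:AttributeStatement>
<saml2:Attribute Name="${ROLE_ATTR}">
<saml2:AttributeValue>arn:aws:iam::111122223333:role/ExampleAdmin,arn:aws:iam::111122223333:saml-provider/ExampleIdP</saml2:AttributeValue>
<saml2:AttributeValue>arn:aws:iam::111122223333:saml-provider/ExampleIdP,arn:aws:iam::111122223333:role/ExampleReadOnly</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="${SESSION_ATTR}"><saml2:AttributeValue>14400</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement></saml2:Assertion></saml2p:Response>`;
const SAMPLE_B64 = Buffer.from(SAMPLE_XML).toString('base64');

const report = checkSessionDuration(SAMPLE_B64, {
  'arn:aws:iam::111122223333:role/ExampleAdmin': 3600,
  'arn:aws:iam::111122223333:role/ExampleReadOnly': 43200,
});
for (const r of report) console.log(r.ok ? 'OK  ' : 'FAIL', r.roleArn, r.requested, 'vs max', r.max);
```

A `FAIL` row means either the role's `MaxSessionDuration` has to be raised in IAM or the session duration configured at the identity provider has to be lowered.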