Versent / saml2aws

CLI tool which enables you to login and retrieve AWS temporary credentials using a SAML IDP

Home Page:https://github.com/Versent/saml2aws


Unable to login using SAML 2.0 federated users to access the AWS Management Console due to recent change.

eliat123 opened this issue · comments

A new code change that was introduced 5 days ago in #1157 is causing the following bug to occur:

Background
We are using "SAML 2.0 federated users to access the AWS Management Console" as described in: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html

Symptom
After the identity verification, the browser gets redirected to "https://signin.aws.amazon.com/saml", which immediately gets redirected to "about:blank"; the user should have been prompted for role selection. However, the login process does not complete because the user is not able to select a role in the UI.

For your reference, here is step 7 from the AWS docs:

7. The client browser is redirected to the AWS Management Console. 
If the SAML authentication response includes attributes that map to multiple IAM roles, 
the user is first prompted to select the role for accessing the console.

The expected page is described at https://aws.amazon.com/blogs/security/easier-role-selection-for-saml-based-single-sign-on/

The interaction with the browser provider used to work until this commit was merged.

Proposed solution
It can be fixed by changing the following lines in pkg/provider/browser/browser.go:

r, _ := page.ExpectRequest(signin_re, func() error {
	_, err := page.Goto("about:blank")
	return err
}, client.expectRequestTimeout())

To:

r, _ := page.ExpectRequest(signin_re, func() error {
	return nil
}, client.expectRequestTimeout())

Hi @gliptak,
Can you please share the reason for the redirect to "about:blank" in https://github.com/Versent/saml2aws/pull/1157/files#diff-5cd59a5a8d31c61bb9c035ee3524699cd8e97b722683501d805074f7d11b7ee9R102-R103
This is causing a bug where saml2aws does not prompt for the MFA code but is redirected immediately.

Is this mandatory?
Can we not redirect in some cases?

there was a signature change with the new release and this method has an error callback:

https://github.com/playwright-community/playwright-go/blob/main/page.go#L567

the blank page likely indicates that there was a failure

feel free to submit a PR improving this