Unable to login using SAML 2.0 federated users to access the AWS Management Console due to recent change.
eliat123 opened this issue
A new code change that was introduced 5 days ago in #1157 is causing the following bug to occur:
Background
We are using "SAML 2.0 federated users to access the AWS Management Console" as described in: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
Symptom
After the identity verification, the browser gets redirected to "https://signin.aws.amazon.com/saml", which immediately gets redirected to "about:blank"; the user should have been prompted for role selection. However, the login process does not complete because the user is not able to select a role in the UI.
For your reference, here is step 7 from the AWS docs:
7. The client browser is redirected to the AWS Management Console.
If the SAML authentication response includes attributes that map to multiple IAM roles,
the user is first prompted to select the role for accessing the console.
The expected page is described at https://aws.amazon.com/blogs/security/easier-role-selection-for-saml-based-single-sign-on/
The interaction with the browser provider used to work until this commit was merged.
Proposed solution
It can be fixed if you change the following lines in pkg/provider/browser/browser.go:

```go
r, _ := page.ExpectRequest(signin_re, func() error {
	_, err := page.Goto("about:blank")
	return err
}, client.expectRequestTimeout())
```
To:
```go
r, _ := page.ExpectRequest(signin_re, func() error {
	return nil
}, client.expectRequestTimeout())
```
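To make step 7 concrete, here is an added example (not saml2aws's own code, and not taken from the AWS docs) that reads the role list out of the base64 SAMLResponse the browser POSTs to https://signin.aws.amazon.com/saml and decides whether the role prompt applies. The sample assertion, the account ID 123456789012 and the provider name ExampleIdP are constructed placeholders; the attribute name https://aws.amazon.com/SAML/Attributes/Role and the "role-arn,provider-arn" value format (AWS accepts either order) are the documented ones. The example deliberately does not verify the assertion signature: AWS does that when the response is submitted, and the client only needs the list to drive the prompt.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

// AWSRole is one role/provider pair carried by the AWS Role SAML attribute.
type AWSRole struct {
	RoleARN      string
	PrincipalARN string
}

// roleAttributeName is the attribute AWS reads to build the role list.
const roleAttributeName = "https://aws.amazon.com/SAML/Attributes/Role"

// samlResponse maps only the elements this example needs; tags are left
// unqualified so the saml/samlp namespaces do not matter for unmarshalling.
type samlResponse struct {
	XMLName   xml.Name `xml:"Response"`
	Assertion struct {
		AttributeStatement struct {
			Attributes []struct {
				Name   string   `xml:"Name,attr"`
				Values []string `xml:"AttributeValue"`
			} `xml:"Attribute"`
		} `xml:"AttributeStatement"`
	} `xml:"Assertion"`
}

// ParseRoleValue splits one "arn,arn" value into role and SAML-provider ARN.
// The two ARNs may appear in either order, so they are classified by content.
func ParseRoleValue(v string) (AWSRole, error) {
	parts := strings.Split(strings.TrimSpace(v), ",")
	if len(parts) != 2 {
		return AWSRole{}, fmt.Errorf("role value %q: expected two comma-separated ARNs", v)
	}
	var r AWSRole
	for _, p := range parts {
		p = strings.TrimSpace(p)
		switch {
		case strings.Contains(p, ":role/"):
			r.RoleARN = p
		case strings.Contains(p, ":saml-provider/"):
			r.PrincipalARN = p
		}
	}
	if r.RoleARN == "" || r.PrincipalARN == "" {
		return AWSRole{}, fmt.Errorf("role value %q: need one role ARN and one saml-provider ARN", v)
	}
	return r, nil
}

// ExtractRoles decodes a base64 SAMLResponse and returns every role it offers.
// Signature verification is intentionally absent here (AWS performs it).
func ExtractRoles(samlResponseB64 string) ([]AWSRole, error) {
	raw, err := base64.StdEncoding.DecodeString(samlResponseB64)
	if err != nil {
		return nil, fmt.Errorf("decode SAMLResponse: %w", err)
	}
	var resp samlResponse
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("parse SAMLResponse: %w", err)
	}
	var roles []AWSRole
	for _, attr := range resp.Assertion.AttributeStatement.Attributes {
		if attr.Name != roleAttributeName {
			continue
		}
		for _, v := range attr.Values {
			r, err := ParseRoleValue(v)
			if err != nil {
				return nil, err
			}
			roles = append(roles, r)
		}
	}
	if len(roles) == 0 {
		return nil, fmt.Errorf("SAMLResponse carries no %s attribute", roleAttributeName)
	}
	return roles, nil
}

// NeedsRoleSelection mirrors step 7: only a response that maps to more than
// one role requires the user to pick one before the console sign-in.
func NeedsRoleSelection(roles []AWSRole) bool { return len(roles) > 1 }

// SampleSAMLResponse is a constructed, unsigned assertion for this example only;
// the account ID and provider name are placeholders, not real identifiers.
func SampleSAMLResponse() string {
	const doc = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ExampleIdP,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>`
	return base64.StdEncoding.EncodeToString([]byte(doc))
}

func main() {
	roles, err := ExtractRoles(SampleSAMLResponse())
	if err != nil {
		panic(err)
	}
	for i, r := range roles {
		fmt.Printf("[%d] %s via %s\n", i, r.RoleARN, r.PrincipalARN)
	}
	fmt.Println("role selection required:", NeedsRoleSelection(roles))
}
```

Running it lists both roles and reports that selection is required; with a single Role attribute value, NeedsRoleSelection returns false and a client can sign in without showing a prompt. A value with only one ARN, or with no role/saml-provider pair, is rejected rather than silently mapped to an empty principal.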
Hi @gliptak,
Can you please share the reason for the redirect to "about:blank" in https://github.com/Versent/saml2aws/pull/1157/files#diff-5cd59a5a8d31c61bb9c035ee3524699cd8e97b722683501d805074f7d11b7ee9R102-R103?
This is causing a bug where saml2aws does not prompt for the MFA code but is redirected immediately.
Is this mandatory?
Can we not redirect in some cases?
There was a signature change with the new release, and this method has an error callback:
https://github.com/playwright-community/playwright-go/blob/main/page.go#L567
The blank page likely indicates that there was a failure.
Feel free to submit a PR improving it.