aws-google-auth: Problems with Google Prompts

A few of the users in my company face a problem where they get a Google Prompt on their phone while attempting to log in, but on the terminal, they get the following error:

Error::root: SAML lookup failed, storing failure page to 'saml.html' to assist with debugging.

The failure page, aka saml.html, says "Confirm if it was you/your device or not." with "Yes" or "No".

Does anyone know why Google behaves as such with a few selected users?

However, I figured out that this issue can be bypassed by removing the Google Account from the phone, which disabled Google Prompts, and the tool aws-google-auth fell back to secondary 2FA methods like SMS code or Captcha.

Any help or guidance to fix this on the Google or aws-google-auth side is much appreciated.

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 18
  • Comments: 18 (1 by maintainers)

Most upvoted comments

Also facing the same issue since last week and also getting the same debug html screenshot. Already tried to reset my password and change the 2FA method but Google doesn’t allow it.

TEMPORARY SOLUTION, EDIT (13.10.2020): I found a solution that worked for me.

  1. Go to your Google Account > Security > Devices
  2. Log out from your phone (Remove Phone)
  3. Go to Security > 2FA and set up 2FA with the Authenticator App
  4. Open a Chrome Incognito Window -> Sign in with your Google Account using the 2FA Authenticator App and check the box "remember this PC"
  5. Go back to VSCode and run your aws-google-auth command as usual. It should now ask you for an MFA token from your Authenticator App. Make sure you have enough time left until the code gets invalidated and enter the code.

The problem is that as soon as you log in on your phone again, 2FA will jump back to phone prompts. Therefore you can't log back in to your Google account on your phone.

Cheers!

I just set this up for the first time with version aws-google-auth 0.0.37 and am having the same problems described above.

Seems a lot of us are having the same issue.

Some of the other troubleshooting steps I did to bypass this:

  1. Remove device/phone from Google Account (thanks @tomcolaa) or Remove Google Account from Device
  2. It helped to clean up saml_cache files from ~/.aws directory and start fresh.
  3. It also helped to get a different login option when I changed my Network/IP. I did this because Google sometimes blocks traffic initiated from a particular IP as bot/malicious. (I derived this step while going through the comments in google.py)

Here’s the failure debug html screenshot.

[Screenshot: Screen Shot 2020-10-08 at 3 22 58 PM]

@eechau @filoxo I recommend patching in my pull request above (or just checking out my fork), since it fixed the issue for me. I’m not sure if the author still monitors this repository.

I ran into this same issue, and I think it's just a minor fix. Submitted a PR in #227.

I am using ver 0.0.36 and facing a similar problem with Google prompts. In my case I am getting a 2FA Google prompt on my mobile device, but aws-google-auth throws an error without waiting for the response.

Google Password: 
ERROR:root:SAML lookup failed, storing failure page to 'saml.html' to assist with debugging.
Something went wrong - Could not find SAML response, check your credentials or use --save-failure-html to debug.

Removing the Google account from the mobile device helped. aws-google-auth is now prompting for the fallback 2FA authentication application.