saml2aws: Error authenticating using google

After accepting yes on the Google prompt during saml2aws login, I get the exception:

error authenticating to IdP: page is missing saml assertion

I configured:

account {
  URL: https://accounts.google.com/
  Username: rohit.verma@xxx.xx
  Provider: GoogleApps
  MFA: Auto
  SkipVerify: false
  AmazonWebservicesURN: urn:amazon:webservices
  SessionDuration: 3600
  Profile: default
}

with the .aws/config file as:

[default]
region = us-west-2
google_config.ask_role = False
google_config.keyring = False
google_config.duration = 43100
google_config.google_idp_id = C000000
google_config.role_arn = arn:aws:iam::0000000000000:role/root-sysadmin-delegate
google_config.google_sp_id = 0000000000
google_config.u2f_disabled = True
google_config.google_username = rohit.verma@xxx

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 9
  • Comments: 28 (3 by maintainers)

Most upvoted comments

Still facing this issue, especially in the case when some of the attempts for login have failed.

FYI: If you allow here, the error no longer exists. https://accounts.google.com/b/0/DisplayUnlockCaptcha

The newest version for saml2aws should resolve this issue. I believe you can close this @wolfeidau

Hello,

I’m also running into this issue.

Running DUMP_CONTENT=true saml2aws login --verbose looks like it’s getting caught on the sign in page (won’t post the dump since the README says not to).

The URL that I’m using to sign in with is in the format: https://accounts.google.com/o/saml2/initsso?idpid=XXXXXX&spid=YYYYYYY&forceauthn=false

The links that I’m hitting are:

https://accounts.google.com/signin/v1/lookup
https://accounts.google.com/signin/challenge/sl/password

I’ve left it alone over a period of 24 hours and am still running into this issue.

EDIT:

Took a copy of the page’s source. This is the page that it’s getting stuck on:

[screenshot of the page source, taken 2018-10-04]

I just came back from vacations, I tried to login and got this on 2.36.2:

POST /signin/challenge/pwd/2?hl=en&loc=US HTTP/1.1
Host: accounts.google.com
User-Agent: saml2aws/1.0 (darwin arm64) Versent
Content-Length: 606
Accept-Language: en-US
Content-Language: en-US
Content-Type: application/x-www-form-urlencoded
Referer: https://accounts.google.com/signin/challenge/pwd/2
Accept-Encoding: gzip

HTTP/1.1 400 Bad Request
<p>The server cannot process the request because it is malformed. It should not be retried. <ins>That’s all we know.</ins>

I believe it’s a captcha issue:

<label  for="logincaptcha" class="hidden-label">Enter the letters above</label>
<input  type="text"
       id="logincaptcha"
       name="logincaptcha"
       class="captcha "
       placeholder="Enter the letters above"
       title="Type the characters that you see or the numbers that you hear">


@volker48 @wolfeidau I spoke to Google Support and TL;DR is “Not our problem”. I couldn’t get an explanation why you would need a CAPTCHA if 2FA is enabled. Both require an active action from a human, so I don’t see the point.

Hello Enrico,

Thank you for your patience while my colleague transferred your case. I understand that you're using the saml2aws client for CLI access to Amazon Web Services, authenticated via your XXX account.

This is XXX on the Google Cloud API & SSO Team, and I’ll be dealing with your issue. Unfortunately, due to time zone differences, I’m unable to call to discuss your issue further, but I can ask a colleague to call you at a time of your choosing.

Google only supports web-based authentication for SAML apps, so CLI access is outside our scope of support. Having said that, I reviewed the issue you referenced [1], and noticed that one poster [2] referenced another CLI AWS integration, which supports Captcha handling [3]. I’d recommend investigating this option, as Captcha is used for both login risk and abuse verification, so it is relevant even if two-factor is enabled, and it’s not possible to disable it.

If you have any other queries regarding this issue, please reply to this message, and I’d be happy to assist you further.

Sincerely,

XXX Google Cloud Support

[1] https://github.com/Versent/saml2aws/issues/203
[2] https://github.com/Versent/saml2aws/issues/203#issuecomment-428231296
[3] https://github.com/cevoaustralia/aws-google-auth
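As an added example (not saml2aws's own code), a Go helper that inspects a login page captured with DUMP_CONTENT=true and reports whether it is stuck on the captcha field quoted above, on the password challenge, or actually carries a SAMLResponse whose Audience can be checked against urn:amazon:webservices. The captcha and password markers come from the snippet and URLs posted in this thread; the page fragment in main and the XML path used to read the Audience are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

var samlRe = regexp.MustCompile(`name="SAMLResponse"[^>]*value="([^"]+)"`)

// ClassifyPage inspects HTML that saml2aws would reject with "page is missing
// saml assertion" and reports which stage login is stuck on; the second value
// is the raw base64 SAMLResponse when the page does carry one.
func ClassifyPage(page string) (string, string) {
	if m := samlRe.FindStringSubmatch(page); m != nil {
		return "saml-assertion", m[1]
	}
	if strings.Contains(page, `id="logincaptcha"`) {
		return "captcha-challenge", "" // Google inserted the CAPTCHA field
	}
	if strings.Contains(page, "/signin/challenge/pwd") ||
		strings.Contains(page, "/signin/challenge/sl/password") {
		return "password-challenge", ""
	}
	return "unknown", ""
}

// AssertionAudience base64-decodes a SAMLResponse and returns its Audience,
// which must be urn:amazon:webservices for the AWS side to accept it.
func AssertionAudience(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	var resp struct {
		Audience string `xml:"Assertion>Conditions>AudienceRestriction>Audience"`
	}
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return "", err
	}
	return resp.Audience, nil
}

func main() {
	// Constructed fragment modelled on the captcha snippet quoted in the thread.
	state, _ := ClassifyPage(`<input type="text" id="logincaptcha" name="logincaptcha" class="captcha ">`)
	fmt.Println(state) // captcha-challenge
}
```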