saml2aws: "page is missing saml assertion" when logging in with GoogleApps

version

v2.36.2

problem

When logging in with GoogleApps using saml2aws login, receiving the following error after providing username / password (and before receiving an MFA / challenge):

DEBU[0009] loginURL: https://accounts.google.com/signin/challenge/pwd/2  provider=googleapps
DEBU[0009] HTTP Req                                      URL="https://accounts.google.com/signin/challenge/pwd/2?hl=en&loc=US" http=client method=POST
DEBU[0009] HTTP Res                                      Status="400 Bad Request" http=client
page is missing saml assertion
github.com/versent/saml2aws/v2/pkg/provider/googleapps.(*Client).Authenticate
	/Users/user/git/saml2aws/pkg/provider/googleapps/googleapps.go:164
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	/Users/user/git/saml2aws/cmd/saml2aws/commands/login.go:105
main.main
	/Users/user/git/saml2aws/cmd/saml2aws/main.go:188
runtime.main
	/usr/local/Cellar/go/1.18.1/libexec/src/runtime/proc.go:250
runtime.goexit
	/usr/local/Cellar/go/1.18.1/libexec/src/runtime/asm_amd64.s:1571
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	/Users/user/git/saml2aws/cmd/saml2aws/commands/login.go:107
main.main
	/Users/user/git/saml2aws/cmd/saml2aws/main.go:188
runtime.main
	/usr/local/Cellar/go/1.18.1/libexec/src/runtime/proc.go:250
runtime.goexit
	/usr/local/Cellar/go/1.18.1/libexec/src/runtime/asm_amd64.s:1571

All users of our organization are experiencing this error.

This has previously been working fine for months and just started to become a problem in the last day or so. Seems like the data being sent to Google may be invalid.

Dumping the page HTML and looking at the error, I’m seeing:

<p><b>400.</b> <ins>That’s an error.</ins><p>The server cannot process the request because it is malformed. It should not be retried. <ins>That’s all we know.</ins></main>

workaround

Logging in with SAML2AWS_IDP_PROVIDER=Browser saml2aws login works when logging in through the Chromium browser, so Google must have changed something again.

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 26
  • Comments: 17 (4 by maintainers)

Most upvoted comments

@michaeljs1990 @jmctune how do you use browser based auth? I don’t have a --browser option:

Apologies, I’m used to passing that flag with an internal tool I use.

You can log in through the browser method by passing:

SAML2AWS_IDP_PROVIDER=Browser saml2aws login

or updating your ~/.saml2aws config’s provider parameter value to Browser.

i.e.:

[default]
name                    = default
...
provider                = Browser
...