
Errors using GoogleApps - error loading first page #1259

Open
aturbenson opened this issue Apr 30, 2024 · 27 comments

Comments

@aturbenson

When using the GoogleApps provider with saml2aws, I'm getting a error:

Error authenticating to IdP.: error loading first page: failed to build login form data: could not find any forms matching the provided IDs An error occurred

Looking at the code I see that saml2aws is looking for a form with id=gaia_loginform , but the html I get when running saml2aws login doesn't have that element. It looks like google might have made an update to their login form so the form can no longer be accessed with that id.

Is there a workaround so saml2aws login can work with the updated Google form?

@mjhoffman65

Looks like aws-google-auth is having issues as well due to Google's redesigned login UI. There's a proposed fix that we can use as a reference.

@ykag

ykag commented May 2, 2024

We're experiencing the same issue, impacting quite a lot of users; it would be good to see if there are any plans to resolve this in the very near future.

@lionello

lionello commented May 2, 2024

Same issue. For now, I'm grabbing the SAML assertion in my browser's web inspector (look for the saml resource) and using this shell script: https://gist.github.com/lionello/9b77df5cd7eded3cdaca3ad644d0dd35

@jmctune
Contributor

jmctune commented May 3, 2024

The workaround right now is to log in via the browser method until someone patches it:

SAML2AWS_IDP_PROVIDER=Browser saml2aws login --download-browser-driver

@codingtony-candid

Any update on this issue?

@austinfinnql

austinfinnql commented May 27, 2024

The workaround right now is to log in via the browser method until someone patches it:

SAML2AWS_IDP_PROVIDER=Browser saml2aws login --download-browser-driver

The ^ command didn't work for me. In case anyone else has a similar issue, you can try appending the account name to the command. The full command that worked for me ended up being SAML2AWS_IDP_PROVIDER=Browser saml2aws login --download-browser-driver -a uat. You will find your account name in the .saml2aws file.

@aaronthebaron
Contributor

I have a pull request open to fix this issue as it's impacting most of the users in my org. I have been able to test for myself the new login flow with a 2FA phone app.

If any of you have a different 2FA you want to test this code against, it would be appreciated.

You can build my branch and test with the local copy:
https://github.com/aaronthebaron/saml2aws/tree/master?tab=readme-ov-file#building

@codingtony-candid

@aaronthebaron I'm in the same boat. I will give a shot to your branch.

@edan-shalom

Same here.. Thanks for sharing! Will give it a try as well.

@aaronthebaron
Contributor

If you find it's not working, run the command with DUMP_CONTENT=true and the --verbose flag. You can give me that output in the PR and I'll see if I can fix it. Thanks!

@vtstanescu

vtstanescu commented Jun 11, 2024

I suppose this can be closed with the merging of #1285
Is there an ETA for a new release to include the fix?

@mjhoffman65

@mapkon Could a release be cut for this? Eager to stop logging in via my browser every time :-)

@codingtony-candid

codingtony-candid commented Jun 12, 2024

Got this error when I tried to log in this morning.

I tried to log in on both @aaronthebaron's branch and on this repo's master branch:

Using IdP Account default to access GoogleApps https://accounts.google.com/o/saml2/initsso?xxxxxxxxxxx
Authenticating as xxxxxxxxx...
Error authenticating to IdP.: error loading challenge page: unable to extract skip form: could not find form with query "form[action$=\"skip\"]"

Can't dump the output of saml2aws with DUMP_CONTENT=true because it has sensitive information (I can see my creds in clear text in the output)

EDIT
That might be an edge case that doesn't deserve to be fixed... This is the output when I tried to log in with

SAML2AWS_BROWSER_TYPE=chrome SAML2AWS_IDP_PROVIDER=Browser

@aaronthebaron
Contributor

@codingtony-candid This is the one case found so far I haven't been able to test locally, making it a bit difficult to pin down.

I started to work a bit on it here, see that conversation to understand where that's at.
#1286

@edwardrf had some initial changes to test that I believe are closer to the mark than where I was going. I haven't had time to look further this week.

@codingtony-candid

codingtony-candid commented Jun 12, 2024

For prosperity, I rebooted my phone and I was able to use the "Tap Yes" method.

@aaronthebaron I have the html dumped locally. If it can help for debugging, lmk. Perhaps if you shut down your phone, you may end up in the same situation and it will be easier to reproduce the issue?

@edan-shalom

edan-shalom commented Jun 13, 2024

I encountered the same issue two days ago on both @aaronthebaron’s branch and the master branch of this repo. After reverting to using the Browser for authentication and then switching back to GoogleApps, the issue was resolved. Interestingly, this problem occurred consistently on my Mac and when working with the laptop's screen but not when connected to an external screen, though this might just be a coincidence, as I haven’t extensively tested it in different environments. Additionally, I did not observe this issue in the Linux distribution I built for other employees at my company. I hope some of this information is helpful.

@mapkon
Member

mapkon commented Jun 14, 2024

What is the way forward here? Should we revert the changes that were pushed to trunk?

@codingtony-candid

I don't think it should be reverted from trunk. The code that was merged is very useful for the users of saml2aws with Google IdP.

The issue that was later mentioned in the thread is less of a problem and it's tracked as a separate issue (#1286).

@tinaboyce
Contributor

Hi everyone, just letting you know that the changes made to fix this issue have just been released (v2.36.17).

@mjhoffman65

Tested this out and it's failing for me on the 2-step verification selection. I used to be able to use my security key in the past (YubiKey), but that selection is grayed out on the UI.

Is this a known issue? Looks like the PR from an earlier comment might be trying to address this, but it hasn't had any activity recently.


could not find form with query "form[action$=\"skip\"]"
unable to extract skip form
github.com/versent/saml2aws/v2/pkg/provider/googleapps.(*Client).skipChallengePage
	github.com/versent/saml2aws/v2/pkg/provider/googleapps/googleapps.go:468
github.com/versent/saml2aws/v2/pkg/provider/googleapps.(*Client).loadChallengePage
	github.com/versent/saml2aws/v2/pkg/provider/googleapps/googleapps.go:454
github.com/versent/saml2aws/v2/pkg/provider/googleapps.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/googleapps/googleapps.go:83
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:197
runtime.main
	runtime/proc.go:271
runtime.goexit
	runtime/asm_amd64.s:1695
error loading challenge page
github.com/versent/saml2aws/v2/pkg/provider/googleapps.(*Client).Authenticate
	github.com/versent/saml2aws/v2/pkg/provider/googleapps/googleapps.go:85
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:197
runtime.main
	runtime/proc.go:271
runtime.goexit
	runtime/asm_amd64.s:1695
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:109
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:197
runtime.main
	runtime/proc.go:271
runtime.goexit
	runtime/asm_amd64.s:1695
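Both failures quoted in this thread come from the same step: locating a form on Google's page, first by the id gaia_loginform (opening post) and later by the selector form[action$="skip"] (trace above), and then collecting its fields. The Go program below is an added illustration of that step, not saml2aws's own code: it parses a constructed sample page with the standard library only, matches a form by exact id or action suffix, keeps only hidden inputs so a dump shared in a bug report never carries a typed password or one-time code, and on a miss lists the forms that were actually present instead of the bare "could not find" message.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample page (not a real Google response): a form with the old id the thread names, a "skip" form, and a password field.
const samplePage = `<form id="gaia_loginform" action="https://accounts.example/signin" method="post">
<input type="hidden" name="continue" value="https://sp.example/acs"><input type="hidden" name="gxf" value="CONSTRUCTED_TOKEN">
<input type="password" name="Passwd"></form><form action="/challenge/skip" method="post"><input type="hidden" name="TL" value="CONSTRUCTED_TL"></form>`

var formRe = regexp.MustCompile(`(?is)<form\b([^>]*)>(.*?)</form>`)
var inputRe = regexp.MustCompile(`(?is)<input\b([^>]*)>`)
var attrRe = regexp.MustCompile(`(?i)([\w:-]+)\s*=\s*"([^"]*)"`)

// Form keeps a form's tag attributes and only its hidden inputs, so dumping it for a bug report never carries a typed password or one-time code.
type Form struct{ Attrs, Hidden map[string]string }
func attrMap(tag string) map[string]string {
	m := map[string]string{}
	for _, g := range attrRe.FindAllStringSubmatch(tag, -1) {
		m[strings.ToLower(g[1])] = g[2]
	}
	return m
}

func parseForms(page string) (forms []Form) {
	for _, f := range formRe.FindAllStringSubmatch(page, -1) {
		form := Form{Attrs: attrMap(f[1]), Hidden: map[string]string{}}
		for _, in := range inputRe.FindAllStringSubmatch(f[2], -1) {
			if a := attrMap(in[1]); strings.EqualFold(a["type"], "hidden") && a["name"] != "" {
				form.Hidden[a["name"]] = a["value"]
			}
		}
		forms = append(forms, form)
	}
	return forms
}

// findForm matches by exact id or by action suffix (the two selector styles the thread's errors quote) and, on a miss, lists the forms that were present.
func findForm(forms []Form, id, actionSuffix string) (Form, error) {
	var seen []string
	for _, f := range forms {
		if (id != "" && f.Attrs["id"] == id) || (actionSuffix != "" && strings.HasSuffix(f.Attrs["action"], actionSuffix)) {
			return f, nil
		}
		seen = append(seen, fmt.Sprintf("id=%q action=%q", f.Attrs["id"], f.Attrs["action"]))
	}
	return Form{}, fmt.Errorf("no form with id %q or action suffix %q; forms seen: %s", id, actionSuffix, strings.Join(seen, "; "))
}
```

The diagnostic in the error is what makes a page redesign like the one reported here immediately visible without sharing the full DUMP_CONTENT output.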

@nmfon

nmfon commented Jul 22, 2024

@mjhoffman65 ditto

@vtstanescu

tinaboyce commented 2 days ago
Hi everyone, just letting you know that the changes made to fix this issue have just been released (v2.36.17).

I can confirm this is now working when using an OTP as MFA. The OTP is requested in the CLI and the workflow works E2E.

I'm wondering if there's a way to store the session details securely, similar to credentials in the OS credentials manager (eg. Keychain in macOS) so the MFA is not required on every login (similar to what happens in the browser).
Currently, each login via saml2aws with GoogleApps provider is seen by Google as a new device logging in, triggering an e-mail notification.

@phillippark-wb

I used the new version, v2.36.17, and this time I am getting the following error. In fact, 2-step verification is activated and authentication is performed through the browser to connect.

Error authenticating to IdP.: Because of your organization settings, you must set-up 2-Step Verification in your account

@mdouglass

I used the new version, v2.36.17, and this time I am getting the following error. In fact, 2-step verification is activated and authentication is performed through the browser to connect.

Error authenticating to IdP.: Because of your organization settings, you must set-up 2-Step Verification in your account

I got this same error with the new version. Once I removed my passkey from my account, it was able to work.

@phillippark-wb

I used the new version, v2.36.17, and this time I am getting the following error. In fact, 2-step verification is activated and authentication is performed through the browser to connect.

Error authenticating to IdP.: Because of your organization settings, you must set-up 2-Step Verification in your account

I got this same error with the new version. Once I removed my passkey from my account, it was able to work.

Thank you for the answer. However, the situation is the same even after deleting the passkey, in my case.

@Nazar32

Nazar32 commented Aug 7, 2024

I was getting the same error with provider GoogleApps in my ~/.saml2aws config file, but then I've changed that to

provider  = Browser

and it's working fine now

@vanhoale

@Nazar32 How does it work? I can't get it working with browser provider, I opened an issue here: #1338
