SAML authentication with browser provider is failing when the SAML identity provider is AWS itself #103

Closed
NemindaPiyasena opened this issue Apr 10, 2023 · 3 comments

Comments

@NemindaPiyasena
Contributor

NemindaPiyasena commented Apr 10, 2023

I have configured my AWS account and roles for SAML SSO, configuring the identity provider to be another AWS account. For more info on setting this up see here.

When running with saml_provider = browser, aws-runas is failing with the message illegal base64 data at input byte xxxx.

I have tracked down the issue and found that it is in the section where aws-runas is listening to browser events, looking for the return of a SAMLResponse=xxxx.

The case is when the SAML identity provider is AWS itself. The SAML response is a bit different and that's why base64 decoding is failing.

@NemindaPiyasena
Contributor Author

Identified the issue.

The issue is that the POST request that contains the SAMLResponse=xxxx has other attributes such as RelayState=xxxx. All this data is included when trying the base64 decoding.

The decoding then fails due to the presence of the & character.

So far I have #106 as a solution.
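The failure described in this comment, as an added Go example that is not part of the thread and is neither the aws-runas code nor the #106 change: it assumes the captured POST body is `application/x-www-form-urlencoded`, parses it into fields, and base64-decodes only the `SAMLResponse` value. The function names and the sample body are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// extractSAMLResponse parses a form-encoded POST body, selects only the
// SAMLResponse field (percent-decoded by ParseQuery) and base64-decodes it.
func extractSAMLResponse(body string) ([]byte, error) {
	form, err := url.ParseQuery(body)
	if err != nil {
		return nil, fmt.Errorf("parse form body: %w", err)
	}
	v := form.Get("SAMLResponse")
	if v == "" {
		return nil, errors.New("no SAMLResponse field in POST body")
	}
	return base64.StdEncoding.DecodeString(v)
}

// naiveDecode reproduces the failure mode: everything after the
// "SAMLResponse=" prefix, including "&RelayState=...", goes to the decoder.
func naiveDecode(body string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.TrimPrefix(body, "SAMLResponse="))
}

// sampleBody builds a constructed POST body with SAMLResponse first and a
// RelayState field after it, as in the case reported above.
func sampleBody(xml string) string {
	b64 := base64.StdEncoding.EncodeToString([]byte(xml))
	return "SAMLResponse=" + url.QueryEscape(b64) + "&RelayState=constructed-relay-state"
}

func main() {
	body := sampleBody(`<samlp:Response ID="constructed"/>`) // constructed sample
	_, err := naiveDecode(body)
	fmt.Println("whole body:", err)
	doc, err := extractSAMLResponse(body)
	fmt.Println("field only:", string(doc), err)
}
```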

@mmmorris1975
Owner

Fix released in 3.5.2. Let me know if it's working as expected now.

@NemindaPiyasena
Contributor Author

Thank you, it is now working as expected.
