
SSO SAML authentication fails with unexpected response payload content coming from AzureAD #87

Open
bmckinle opened this issue Sep 20, 2022 · 4 comments

@bmckinle

In ~/.aws/config (credentials is empty) and no tainting env variables (reset and clear):

[saml]
output = json
region = us-east-1
jump_role_arn = arn:aws:iam::XXXXX:role/role
saml_auth_url = https://myapps.microsoft.com/signin/766e7e73-4a56-4bfd-b5ca-ac29bf3645b6?tenantId=8cc434d7-97d0-47d3-b5c5-14fe0e33e34b
saml_username = <valid domain email>
saml_provider = azuread
federated_username = <valid federated username>
credentials_duration = 8h

[profile xyz]
role_arn=arn:aws:iam::xxxxx:role/role
source_profile = saml
region=us-east-1

Authentication to AzureAD fails at some point during processing and presents the following error message:

 aws-runas  xyz
Password:  <correct password verified>
2022/09/20 15:07:30 expected response content not found

We get the same response regardless of whether we use v3.1.x, 3.2.0, or 3.4.0. This suggests some SAML assertion or response content has changed in an unexpected way that prevents appropriate login/authentication processing. This problem is widespread; many teams have encountered the same error.

@joshkraemer

joshkraemer commented Sep 20, 2022

Is this an issue with AzureAD? As of today we're getting the same error. Here's the debug output:

DEBUG using configuration source /.aws/config
2022/09/21 09:28:19 DEBUG CLIENT CONFIG: &{CredentialsDuration:0s SessionTokenDuration:0s DurationSeconds:0 ExternalId: MfaSerial: MfaCode: MfaType:auto Region:us-east-1 RoleArn:arn:aws:iam::xxx:role/xxx RoleSessionName: SrcProfile:default JumpRoleArn: SamlUrl:xxx SamlUsername:xxx SamlProvider:azuread WebIdentityUrl: WebIdentityUsername: WebIdentityProvider: WebIdentityTokenFile: WebIdentityClientId: WebIdentityRedirectUri: FederatedUsername:xxx ProfileName:xxx sourceProfile:xxx}
2022/09/21 09:28:19 DEBUG using credentials source /.aws/credentials
2022/09/21 09:28:19 DEBUG configuring SAML client
2022/09/21 09:28:20 DEBUG no jump role found, only configuring SAML client
2022/09/21 09:28:20 DEBUG loaded sts credentials from cache
2022/09/21 09:28:20 DEBUG Detected expired or unset saml role credentials, refreshing
2022/09/21 09:28:22 DEBUG parseResponseNoClose() err: expected response content not found, attempting to directly submit response
2022/09/21 09:28:24 DEBUG parseResponseNoClose() err: expected response content not found, attempting to directly submit response
2022/09/21 09:28:25 DEBUG parseResponseNoClose() err: expected response content not found, attempting to directly submit response

@bmckinle (Author)

bmckinle commented Sep 20, 2022

Yes, AzureAD appears to have changed its request/response content during negotiation. We are looking into it.

@mmmorris1975 (Owner)

There's a couple of things that are going to hinder me from providing any triage for this:

  1. I do not have access to an Azure environment to work the issue with, and even if I did I think my environment may look very different than your environment from an Azure AD perspective.
  2. Azure provides no documented authentication API. The entire process tools like aws-runas use is based on http request/response scraping the same path your browser uses to authenticate to Azure. (It's almost as if Microsoft only wants you to use your browser ... and I think I heard their engineer say as much; even though every one of their competitors (that runas interfaces with) provides a proper, json-based API ... with serviceable docs ... for authentication). Needless to say, this makes the Azure integration extremely fragile and subject to breakage like this.

For the above reasons, I can't be much help here. I need to rely on the people integrating runas with Azure to do some troubleshooting and make PRs to help resolve issues when using Azure AD.

@bmckinle (Author)

bmckinle commented Sep 21, 2022

@mmmorris1975 An AzureAD security policy had changed, which in turn changed the flow interaction with the MS IDP and its authentication process. This is what caused the breakage, in short. We have hacked a temporary fix that is indeed peculiar to our company's AzureAD security policy environment. What is needed is a more design-patterned approach in the AzureAD SAML client area that allows for easy additions and removals of flow element requests, responses, parsing and their associated processing. Patterns of interest likely include encapsulated strategy, chain-of-responsibility, parsers, and factories to decouple flow item state transitions from processing per element, driven by an overall flow, not hard-coded flow and processing as it is now. We realize it was a quick hack to get saml/sso working initially, but maintenance effort needs to be reduced over the long haul.
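One shape the chain-of-responsibility approach proposed above could take, as an added example written for this page rather than code from aws-runas: each scraped page is a data-driven Step, and when an IdP policy change inserts a page nobody recognises, the error reports which steps were tried instead of retrying blindly. The markers, field names, sample pages and the field=value body format are all made up for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrUnexpectedResponse = errors.New("expected response content not found")

// Step is one flow element: Marker identifies a page, Field is the field=value to extract.
type Step struct{ Name, Marker, Field string }

// Extract pulls Field out of a page this step has recognised.
func (s Step) Extract(body string) (map[string]string, error) {
	i := strings.Index(body, s.Field+"=")
	if i < 0 {
		return nil, fmt.Errorf("%s: page recognised but %q missing", s.Name, s.Field)
	}
	v := body[i+len(s.Field)+1:]
	if j := strings.IndexAny(v, "&\"<"); j >= 0 {
		v = v[:j]
	}
	return map[string]string{s.Field: v}, nil
}

// Dispatch: the first step whose marker is present handles the page; otherwise the error names the steps tried.
func Dispatch(chain []Step, body string) (string, map[string]string, error) {
	var tried []string
	for _, s := range chain {
		if strings.Contains(body, s.Marker) {
			vals, err := s.Extract(body)
			return s.Name, vals, err
		}
		tried = append(tried, s.Name)
	}
	return "", nil, fmt.Errorf("%w (steps tried: %s)", ErrUnexpectedResponse, strings.Join(tried, ", "))
}

// DefaultChain uses made-up markers; a new interstitial page is one more Step here.
func DefaultChain() []Step {
	return []Step{
		{"username-page", `<form id="login"`, "flowToken"},
		{"password-page", `<input name="passwd"`, "sFT"},
		{"saml-response", `name="SAMLResponse"`, "SAMLResponse"},
	}
}

// Samples are constructed pages, not real Azure AD output.
var Samples = map[string]string{"username": `<form id="login">flowToken=abc123&ctx=x`, "interstitial": `<html>policy page</html>`}
```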
