Cannot parse form field

[usa-usa-usa-usa]

I am attempting to run the following line:

awsprocesscreds-saml --endpoint https://my.company.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices --username '[email protected] --provider adfs --role-arn arn:aws:iam::595513102389:role/IaaSOperations --verbose

I am getting the following error:

Traceback (most recent call last):
  File "c:\python27\lib\runpy.py", line 174, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "c:\python27\lib\runpy.py", line 72, in _run_code
    exec code in run_globals
  File "C:\Python27\Scripts\awsprocesscreds-saml.exe\__main__.py", line 9, in <module>
  File "c:\python27\lib\site-packages\awsprocesscreds\cli.py", line 81, in saml
    creds = fetcher.fetch_credentials()
  File "c:\python27\lib\site-packages\awsprocesscreds\saml.py", line 348, in fetch_credentials
    creds = super(SAMLCredentialFetcher, self).fetch_credentials()
  File "C:\Users\me\AppData\Roaming\Python\Python27\site-packages\botocore\credentials.py", line 507, in fetch_credentials
    return self._get_cached_credentials()
  File "C:\Users\me\AppData\Roaming\Python\Python27\site-packages\botocore\credentials.py", line 517, in _get_cached_credentials
    response = self._get_credentials()
  File "c:\python27\lib\site-packages\awsprocesscreds\saml.py", line 357, in _get_credentials
    kwargs = self._get_assume_role_kwargs()
  File "c:\python27\lib\site-packages\awsprocesscreds\saml.py", line 393, in _get_assume_role_kwargs
    assertion = self._authenticator.retrieve_saml_assertion(config)
  File "c:\python27\lib\site-packages\awsprocesscreds\saml.py", line 138, in retrieve_saml_assertion
    self._fill_in_form_values(config, form_data)
  File "c:\python27\lib\site-packages\awsprocesscreds\saml.py", line 178, in _fill_in_form_values
    self._ERROR_MISSING_FORM_FIELD % self.USERNAME_FIELD)
awsprocesscreds.saml.SAMLError: Error parsing HTML form, could not find the form field: "ctl00$ContentPlaceHolder1$UsernameTextBox"

[JordonPhillips]

If you open up https://my.company.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices in a web browser what do you see? You should see a login form, something like this:

Note that you may have to configure adfs to use form-based auth by default.

[AMMullan]

I'm running into the same issue - I wonder if this is because we're using ADFS3? I'm using the same details I use for the (modified) version of https://aws.amazon.com/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/

[JordonPhillips]

@AMMullan could you please answer the question I asked @jcwhisman ? If form-based login isn't your default configuration, this will not work as only forms-based login is supported.

[AMMullan]

Hey @JordonPhillips - yeah, we use form-based logins. I'm just working through comparing what awsprocesscreds does to process the form and how it differs to the way I do it, might just be a small difference.

[hoegertn]

I am struggeling with ADFS too. Part 1 is working if I use

    USERNAME_FIELD = 'UserName'
    PASSWORD_FIELD = 'Password'

Then I get access keys. For other problems, I will open a different issue.

[AMMullan]

Yep, I replicated the fix @hoegertn proposed and it works.

[mbokman]

I ran into the same issue and the fix by @hoegertn solves at least the part about logging in.

I struggled a bit to figure out where to apply it so I am including a diff:

diff saml.py saml.py.org
256,257c256,257
<     USERNAME_FIELD = 'UserName'
<     PASSWORD_FIELD = 'Password'
---
>     USERNAME_FIELD = 'ctl00$ContentPlaceHolder1$UsernameTextBox'
>     PASSWORD_FIELD = 'ctl00$ContentPlaceHolder1$PasswordTextBox'

Perhaps it is an idea if these field names can be passed as arguments to the awsprocesscreds tool?

While I am able to login now, I am running into a problem where I am not able to switch roles but I'll open a separate issue for that.

[lingrlongr]

Same problem here, and changing fields to 'UserName' and 'Password' helps. Would it be silly to support all conventions seen in the codebase and have it choose the appropriate one based on what is found in the form?

username
password

UserName
Password

ctl00$ContentPlaceHolder1$UsernameTextBox
ctl00$ContentPlaceHolder1$PasswordTextBox

[yiannis-tss]

is there an update for that issue? this issue is still present in 2019 if the authentication is done using NTLM instead of username/password.

[groboclown]

I'm still seeing this issue. I pulled from pip, and __init__.py reports version 0.0.2.

When I change the saml.py USERNAME_FIELD and PASSWORD_FIELD to the above listed values, it is able to get me past the login form.

Is there an alternate authentication approach I should be looking at?

[aliasgar1]

I'm also facing the same issue, but after doing the fix as mentioned in the above comments, I am not getting prompt for password but instead getting below error:

awsprocesscreds.saml.SAMLError: Login failed, could not retrieve SAML assertion. Double check  you have entered your password correctly.