Unable to login (AWS SSO) #152

Closed
mrchops1024 opened this issue Jul 24, 2021 · 7 comments
Labels
bug Something isn't working


@mrchops1024

Describe the bug
I am unable to login via AWS SSO. There are no visible errors and no log files being generated.

Leapp Version
macOS 0.6.1

To Reproduce

  1. Open app for the first time
  2. Click 'Start'
  3. Click 'AWS Single Sign-On'
  4. Paste in my SSO url
  5. Specify my region (us-west-2)
  6. Click 'Login'
  7. Enter my SSO username
  8. Enter my SSO password
  9. The login window closes and returns me to the Identity Providers screen (with my SSO url and region still there)
  10. Any further attempts to login are just repeating steps 6-9

Expected behavior
I would assume after entering credentials I'd receive my IDP MFA prompt.

Screenshots
I never get past this screen (although in the app the button says 'Login' instead of 'AWS SSO'):

https://docs.leapp.cloud/images/tutorials/aws/aws_sso/SETUP_IN_LEAPP_2.png

Desktop (please complete the following information):

  • OS: macOS
  • OS Version: 11.0.1
  • Leapp Version: 0.6.1
@mrchops1024 mrchops1024 added the bug Something isn't working label Jul 24, 2021
@pethron
Contributor

pethron commented Jul 26, 2021

I can't reproduce the issue. Can you please describe your AWS SSO setup?
You're mentioning an IdP, are you using the AWS SSO IdP or is it linked with another IdP?

@mrchops1024
Author

I have my organization linked to AzureAD. So the normal flow is:

  1. Navigate to AWS SSO Url
  2. Automatically redirected to AzureAD for authentication
  3. Enter credentials
  4. Automatically redirected to DUO for MFA
  5. Confirm MFA and automatically redirected back to AWS

@pethron
Contributor

pethron commented Jul 26, 2021

Are you able to complete the flow from the AWS CLI v2?

@mrchops1024
Author

Yes, that's typically how I login.

@pethron
Contributor

pethron commented Jul 26, 2021

Without logs I think the best way to tackle this is to run the development version, open the developer webtools, and check the URL flow of the authentication process. I think it might have to do with this method

private async openVerificationBrowserWindow(registerClientResponse: RegisterClientResponse, startDeviceAuthorizationResponse: StartDeviceAuthorizationResponse): Promise<VerificationResponse> {

But without further info it might be difficult to debug without your setup. You can join our Slack and we can schedule a call where we try to debug together.

@pethron
Contributor

pethron commented Aug 2, 2021

The problem is due to error management in this method

this.ssoWindow.webContents.session.webRequest.onErrorOccurred((details) => {

During the normal flow of authentication it is normal to encounter Chromium errors such as ERROR_FAILED, ERROR_ABORTED, and ERROR_CACHE_MISS. During authentication, Duo calls a local endpoint on a service named "device-health", which is basically a firewall for controlling the device and detecting whether it needs to fail the authentication process; this action produces a CONNECTION_REFUSED error (because I think the agent is not enabled but Duo still makes the requests). The onErrorOccurred filter triggers, but since this error is not taken into account, it automatically closes the window.

Short term fix is to add this to the list of whitelisted errors.

@ericvilla
Contributor

We added net::CONNECTION_REFUSED filter in AWS SSO confirmation browser window. I'll close this issue as fixed by e281746
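
The failure mode diagnosed in this thread, as an added example that is not part of the discussion and not Leapp's code: an error allowlist for the login window, replayed with and without the connection-refused entry, and emitting a log line for every decision so a closed window is never silent. All names, the sample events, and the use of Chromium's `net::ERR_` spellings are assumptions of this example.

```typescript
// Added example, not Leapp's code; all names here are hypothetical.
// The three fields used from Electron's onErrorOccurred `details` object.
interface RequestError { url: string; resourceType: string; error: string; }

// Chromium spells the errors named in the thread with a net::ERR_ prefix.
const BEFORE_FIX: ReadonlyArray<string> = [
  "net::ERR_FAILED", "net::ERR_ABORTED", "net::ERR_CACHE_MISS",
];
// Short-term fix from the thread: also tolerate a refused connection.
const AFTER_FIX: ReadonlyArray<string> = BEFORE_FIX.concat("net::ERR_CONNECTION_REFUSED");

// Drop query string and fragment so codes in redirect URLs never reach a log.
function stripQuery(url: string): string {
  const i = url.search(/[?#]/);
  return i === -1 ? url : url.slice(0, i);
}

// Decide what to do with one error and always produce a log line, so a
// closed login window leaves a trace of the error that closed it.
function classify(e: RequestError, tolerated: ReadonlyArray<string>) {
  const fatal = tolerated.indexOf(e.error) === -1;
  const line = `${fatal ? "fatal" : "ignored"} ${e.error} ${e.resourceType} ${stripQuery(e.url)}`;
  return { fatal, line };
}

// Replay error events in order and stop at the first fatal one,
// which is where the login window would be closed.
function replay(events: RequestError[], tolerated: ReadonlyArray<string>) {
  const log: string[] = [];
  for (const e of events) {
    const d = classify(e, tolerated);
    log.push(d.line);
    if (d.fatal) return { closed: true, log };
  }
  return { closed: false, log };
}

// Constructed events: hosts, port and parameters are placeholders.
const DUO_FLOW: RequestError[] = [
  { url: "https://idp.example.test/login?state=abc", resourceType: "mainFrame", error: "net::ERR_ABORTED" },
  { url: "https://127.0.0.1:50000/health?check=1", resourceType: "xhr", error: "net::ERR_CONNECTION_REFUSED" },
];
// An error outside the allowlist still closes the window after the fix.
const BAD_CERT: RequestError[] = [
  { url: "https://idp.example.test/login", resourceType: "mainFrame", error: "net::ERR_CERT_AUTHORITY_INVALID" },
];
```

Replaying `DUO_FLOW` against `BEFORE_FIX` reproduces the silent close on the loopback probe, while `AFTER_FIX` lets the flow continue and `BAD_CERT` is still treated as fatal.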
