The browser provider needs to be prevented from entering the username during auto-fill for authentication.

[cvirtucio]

Some identity providers do not allow you to enter your username on the login page. Okta is one example (it only allows you to enter your password):

We would like to have a means of preventing the browser provider from trying to enter the username on the login page when browser_autofill is set to true on "${HOME}/.saml2aws". We're open to ideas, but have created a PR that hopefully gives a rough idea of what we need.

[cvirtucio]

Hmm.. on a related note, we notice a problem with browser_autofill = true. If the user is already authenticated, the <input/> for the password doesn't appear, and the app gets stuck because it waits for the node.

Perhaps instead of disabling the username lookup, the provider can make a best effort attempt to enter each required field. Something like this.