Issue: AWS SSO login always fails once before success, at least in Firefox

1

I'm here because apparently, reporting issues, with details, to AWS, via the AWS support mechanism, isn't the right thing to do... despite this not being a question, I was told I needed to post here because AWS engineers monitor it... we'll see. If the issue is my end, I'm intrigued as to what would cause AWS to return me an error?


I have been using AWS SSO for several years but have recently been seeing a strange login behaviour. I am a Firefox browser user, and I remain current. This issue affects me in my personal org and also at one of my work orgs. A quick test from Safari doesn't show the issue, at least the couple of times I tried.

I have hardware MFA, navigate to my login page and enter my username, password and then respond to the MFA challenge. Every time, the login process appears to work, but then fails and I am re-presented with the login process, which always works second time around.

I have created an HAR file of the entire session. I can clearly see my valid password in the first request (there is a JSON field in "inputs[]" called passwordString), which returns a 200; however, after a few more requests, I see a failure (401) to a POST into https://portal.sso.eu-west-2.amazonaws.com/token/whoAmI with the JSON response:

{
  "message": "Session token not found or invalid",
  "__type": "com.amazonaws.switchboard.portal#UnauthorizedException"
}

I notice the second time around, there is also a POST into https://eu-west-2.signin.aws/metrics/fingerprint but other than that, both flows appear to be the same? Same HTTP response codes, same null in errorMessage response fields etc.

CloudTrail does not show any errors, all (repeated) calls to CredentialVerification, Authenticate & UserAuthentication show successful outcomes.

It is very frustrating, and a poor user experience.

Robert
asked 5 months ago, 123 views
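An added example, not part of the original thread and not AWS tooling: the question notes that the captured HAR contains the plaintext password in a passwordString field, so this Python sketch redacts credentials from a HAR before it is attached to a support case and lists the failing requests for triage. The sample HAR is constructed; the first URL and the exact body layout around passwordString are assumptions.

```python
import copy
import json
import re

SENSITIVE_KEY = re.compile(r"password|passwd|secret|token", re.I)
SENSITIVE_HEADER = {"authorization", "cookie", "set-cookie"}

def redact(value):
    """Recursively replace values stored under sensitive-looking JSON keys."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if SENSITIVE_KEY.search(k) else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value

def sanitize_har(har):
    """Return a copy of the HAR with credentials removed; input is untouched."""
    clean = copy.deepcopy(har)
    for entry in clean["log"]["entries"]:
        for msg in (entry["request"], entry["response"]):
            for h in msg.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADER:
                    h["value"] = "[REDACTED]"
            msg["cookies"] = []  # parsed cookie copies carry session values too
        for body in (entry["request"].get("postData"), entry["response"].get("content")):
            if body and body.get("text"):
                try:
                    body["text"] = json.dumps(redact(json.loads(body["text"])))
                except ValueError:  # not JSON: drop it rather than guess
                    body["text"] = "[REDACTED non-JSON body]"
    return clean

def failed_requests(har):
    """List (method, url, status) for every 4xx/5xx response, in capture order."""
    return [(e["request"]["method"], e["request"]["url"], e["response"]["status"])
            for e in har["log"]["entries"] if e["response"]["status"] >= 400]

# Constructed sample shaped like the flow in the post (values are made up).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://signin.example/authenticate",
                 "headers": [{"name": "Cookie", "value": "session=abc123"}],
                 "postData": {"text": json.dumps({"inputs": [{"passwordString": "hunter2"}]})}},
     "response": {"status": 200, "headers": []}},
    {"request": {"method": "POST", "headers": [],
                 "url": "https://portal.sso.eu-west-2.amazonaws.com/token/whoAmI"},
     "response": {"status": 401, "headers": [], "content": {
         "text": json.dumps({"message": "Session token not found or invalid"})}}},
]}}
```

Query strings and URL fragments are not rewritten here, so review the URLs by hand before sharing the sanitized file.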
2 Answers
0

Hi, based on your report that SSO login functions correctly in Safari but encounters issues in Firefox, the problem likely stems from a Firefox configuration or an extension. Please follow these steps:

  • Disable each Firefox extension individually to identify the problematic one.
  • If the issue persists with all extensions disabled, proceed with the following additional steps:
    • Clear Cache and Cookies in Firefox: Sometimes corrupted cache or cookies can cause login issues. Go to Firefox settings, clear your recent history, and remove cookies.
    • Disable ALL Firefox Add-ons: Some browser add-ons can interfere with web applications. Try disabling add-ons, especially those related to security or privacy, and attempt to log in again.
    • Update Firefox: Ensure you are using the latest version of Firefox. Updates often include fixes for compatibility and security issues.
    • Check Security Settings: Review your Firefox security settings. High security or privacy settings might block certain web functionalities needed for AWS SSO.
    • Try Private Browsing: Use Firefox’s private browsing mode to see if the issue persists. This mode uses default settings and disables most add-ons, which can help identify if the problem is related to browser configuration.

Hope this addresses your issue, best regards. Lechu.

Lechu (AWS)
answered 5 months ago
-1

I'm on the latest version of Firefox. With or without extensions the issue happened. The problem did (see below) occur when using Private Browsing. The problem was occurring on multiple machines, always from Firefox. Different organisations too - meaning the AWS web application, and browser was the common factor.

Having made no changes, no browser updates, no extension changes - something has changed as I am no longer able to re-create the issue. I notice there is no longer a POST into the whoAmI endpoint. That's not a change from my browser, so presumably AWS have made some changes?

Obviously it is good that this issue has (at least for now?) been resolved Lechu. I cannot accept your answer though, I do not believe anything on my side has made this problem go away, and your answer puts all the onus on my client browser.

Robert
answered 5 months ago
  • Thanks for sharing it with us.
