venth/aws-adfs

Adfs cookie reusage issue during username change

Opened this issue · 4 comments

If login is done via environment variables and I try to change the username, the adfs_cookies of the old account are used.

export username=test
export password=test
aws-adfs login --adfs-host=your-adfs-hostname --role-arn=my-role-arn --env

With this command, the old adfs_cookie is reused and authentication fails.

export username=test1
export password=test1
aws-adfs login --adfs-host=your-adfs-hostname --role-arn=my-role-arn --env

The only way to resolve this issue is to remove the adfs_cookies file inside the .aws directory.

I had the same problem and what @emanuelr93 is suggesting fixed it.
In my case it was even harder to identify the issue because when the account has only one arn-role associated you don't get any error, you just receive the key for the wrong account.

Appending the ADFS hostname and the username to the adfs_cookies filename may help prevent this issue.

Yes, but please take care about special characters. For example the username can contain / for the domain or something similar. Another issue is related to the account that has only one arn-role association (as @adrianolettieri reports). In this case, if you have only one arn-role, aws-adfs completely ignores the one passed by the user even if it is wrong. A strict check should be included in order not to mislead.

Yes, but please take care about special characters. For example the username can contain / for the domain or something similar.

Indeed. Using a hash of those is probably better.
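The two suggestions made in this thread, a cookie jar keyed by a hash of the ADFS hostname and username rather than their raw values, and a strict check that the role ARN passed by the user is actually among the roles ADFS returned, can be sketched as follows. This is an added illustration, not code from aws-adfs; the function names, the cookie file location and the sample host, usernames and role ARNs are all assumptions or constructed values.

```python
import hashlib
from pathlib import Path

# Constructed sample inputs for the example (not real hosts or accounts).
SAMPLE_HOST = "adfs.example.com"
SAMPLE_USER_BACKSLASH = "CORP\\test"   # domain-qualified form with a backslash
SAMPLE_USER_SLASH = "CORP/test1"       # slash form mentioned in the thread
SAMPLE_ROLES = ["arn:aws:iam::123456789012:role/Dev"]  # placeholder account id


def cookie_jar_path(adfs_host: str, username: str, aws_dir: str = "~/.aws") -> Path:
    """Return a per-host, per-user cookie jar path (hypothetical helper).

    Host and username are hashed with SHA-256 so that characters such as
    '/' or '\\' in domain-qualified usernames never reach the filesystem,
    and so that two users (or two ADFS hosts) never share a cookie jar.
    Each part is length-prefixed before hashing so that ("ab", "c") and
    ("a", "bc") cannot collide. The host is lower-cased because DNS names
    are case-insensitive; the username is used as given.
    """
    digest = hashlib.sha256()
    for part in (adfs_host.lower(), username):
        data = part.encode("utf-8")
        digest.update(len(data).to_bytes(4, "big"))
        digest.update(data)
    return Path(aws_dir).expanduser() / f"adfs_cookies_{digest.hexdigest()[:32]}"


def select_role(available_roles: list[str], requested_role: str) -> str:
    """Return the role to assume, refusing to substitute a different one.

    The thread reports that with a single role association the requested
    ARN was ignored and credentials for the wrong account were returned.
    Here the requested ARN must match one of the granted roles exactly;
    otherwise the caller gets an error instead of unexpected credentials.
    """
    if requested_role not in available_roles:
        raise ValueError(
            f"requested role {requested_role!r} is not among the roles "
            f"granted by ADFS: {available_roles}"
        )
    return requested_role


if __name__ == "__main__":
    # Different users on the same host get different jars, with no raw
    # username characters in the file name.
    for user in (SAMPLE_USER_BACKSLASH, SAMPLE_USER_SLASH):
        print(user, "->", cookie_jar_path(SAMPLE_HOST, user))
    print(select_role(SAMPLE_ROLES, SAMPLE_ROLES[0]))
```

Because the hash changes whenever either the host or the username changes, switching the exported username in the reproduction above would select a fresh cookie jar instead of reusing the previous account's session, and a mistyped role ARN would fail loudly rather than silently returning keys for whatever single role the account happens to have.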