aws-adfs
Adfs cookie reusage issue during username change
If login via environment variables is used and I try to change the username, the adfs_cookies of the old account is used.
export username=test
export password=test
aws-adfs login --adfs-host=your-adfs-hostname --role-arn=my-role-arn --env
With this command, the old adfs_cookie is reused and authentication fails.
export username=test1
export password=test1
aws-adfs login --adfs-host=your-adfs-hostname --role-arn=my-role-arn --env
The only way to resolve this issue is to remove the adfs_cookies file inside the .aws directory.
I had the same problem and what @emanuelr93 is suggesting fixed it. In my case it was even harder to identify the issue because when the account has only one arn-role associated you don't get any error, you just receive the key for the wrong account.
Appending the ADFS hostname and the username to the adfs_cookies filename may help prevent this issue.
Yes, but please take care about special characters. For example, the username can contain / for the domain or something similar. Another issue is related to the account that has only one arn-role association (as @adrianolettieri reported). In this case, if you have only one arn-role, aws-adfs completely ignores the one passed by the user even if it is wrong. A strict check should be included in order not to mislead.
Yes, but please take care about special characters. For example, the username can contain / for the domain or something similar.
Indeed. Using a hash of those is probably better.
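A sketch of the hashed cookie file name suggested above, as an added example that is not aws-adfs code. The helper name `cookie_jar_path`, the `adfs_cookies_` prefix and the sample host and user names are assumptions made for illustration.

```python
import hashlib
import os


def cookie_jar_path(adfs_host, username, aws_dir="~/.aws"):
    """Return a cookie file path unique to one (ADFS host, username) pair.

    Hypothetical helper, not an aws-adfs function.
    """
    # Host names are case-insensitive, so normalise them. The username is
    # kept byte-for-byte because this sketch does not assume how ADFS
    # canonicalises it.
    host = adfs_host.strip().lower().encode("utf-8")
    user = username.encode("utf-8")

    digest = hashlib.sha256()
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    for field in (host, user):
        digest.update(len(field).to_bytes(4, "big"))
        digest.update(field)

    # A hex digest contains only [0-9a-f], so "/" or "\" in a DOMAIN\user
    # style name never reaches the file name and cannot leave aws_dir.
    name = "adfs_cookies_" + digest.hexdigest()[:32]
    return os.path.join(os.path.expanduser(aws_dir), name)


if __name__ == "__main__":
    # Constructed sample values, mirroring the two logins in the report.
    for user in ("test", "test1", "CORP\\test", "corp/test"):
        print(user, "->", cookie_jar_path("your-adfs-hostname", user))
```

With a per-identity file, switching the `username` environment variable selects a different cookie file instead of replaying the previous account's session.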