
Load saml from responses #52

Merged (6 commits), Sep 10, 2018

Conversation

@jspc (Contributor) commented Aug 7, 2018

As per #49, SAML responses from AWS return a list of 1+ role/principal ARNs that can be assumed.

This PR will:

  1. Load saml responses from onelogin, okta and parse them
  2. Return an ARN immediately should the response contain just one
  3. Ask the user to choose an ARN should many be contained within a saml response
  4. Return an error should there be none

This looks like:

```
# Many ARNs
$(aws-creds-from-saml) ./clisso get
OneLogin password:
1. 123456 - Google Authenticator
2. 234567 - Google Authenticator
Please choose an MFA device to authenticate with (1-2): 2
Please enter the OTP from your MFA device: 098765
0. arn:aws:iam::nnnnn:role/development
1. arn:aws:iam::nnnnn:role/qa
2. arn:aws:iam::nnnnn:role/production
3. arn:aws:iam::nnnnn:role/audit
Please select an ARN to assume: 2
Credentials written successfully to '/tmp/.aws/credentials'

# Single ARN
$ (aws-creds-from-saml) ./clisso get rd
OneLogin password:
1. 123456 - Google Authenticator
2. 234567 - Google Authenticator
Please choose an MFA device to authenticate with (1-2): 2
Please enter the OTP from your MFA device: 654654
Credentials written successfully to '/tmp/.aws/credentials'
```

@jspc (Contributor, Author) commented Aug 8, 2018

@johananl and any chance of a review in this, also?

@johananl (Collaborator) commented Sep 6, 2018

I have to rebase because of 8f13fe8 (breaking change by OneLogin).

@johananl (Collaborator) commented Sep 6, 2018

@jspc - could you maybe share how you've configured OneLogin to return multiple IAM roles in the SAML assertion? I've been struggling with this for a while now.

@ghost commented Sep 6, 2018

@johananl you need a different version of OneLogin for this, if I remember correctly...

@jspc (Contributor, Author) commented Sep 6, 2018

Have a look at https://onelogin.service-now.com/support/?id=kb_article&sys_id=66a91d03db109700d5505eea4b9619a5 from the linked issue

jspc and others added 4 commits September 10, 2018 12:44
Wrong OneLogin config can lead to a role attribute with an empty
value in the SAML assertion. Example:

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="https://aws.amazon.com/SAML/Attributes/Role">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/>
</saml:Attribute>

We check for empty value before parsing ARNs to avoid index error.
@johananl

Rebased over master.

The following dependency is missing: github.com/edaniels/go-saml

Enumerate roles starting at 1 instead of 0. This is more
human-friendly and consistent with MFA device selection behavior.
@johananl (Collaborator)
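The flow in the PR description above (one role returned directly, several offered for selection, none reported as an error), the empty-AttributeValue case from the first commit message, and the 1-based enumeration from the last one, worked through as an added example. This is not clisso's code and does not use github.com/edaniels/go-saml; it parses an already base64-decoded assertion with the standard library's encoding/xml. The assertion, the account id and the ARNs are constructed for the example, and the `role-arn,principal-arn` layout of each Role attribute value is the one AWS documents for SAML federation (either order is accepted).

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

const roleAttributeName = "https://aws.amazon.com/SAML/Attributes/Role"

// Constructed, base64-decoded sample (not a OneLogin/Okta capture): two roles, one empty value.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111111111111:role/development,arn:aws:iam::111111111111:saml-provider/OneLogin</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::111111111111:saml-provider/OneLogin,arn:aws:iam::111111111111:role/qa</saml:AttributeValue>
      <saml:AttributeValue/>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

type awsRole struct{ RoleARN, PrincipalARN string } // one role/principal pair

type samlAssertion struct {
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

// parseRoleValue splits "arn,arn" into a pair. AWS accepts the role and the
// principal in either order, so each half is classified by its resource type.
func parseRoleValue(v string) (awsRole, error) {
	parts := strings.Split(v, ",")
	var r awsRole
	for _, p := range parts {
		p = strings.TrimSpace(p)
		if strings.Contains(p, ":role/") {
			r.RoleARN = p
		} else if strings.Contains(p, ":saml-provider/") {
			r.PrincipalARN = p
		}
	}
	if len(parts) != 2 || r.RoleARN == "" || r.PrincipalARN == "" {
		return awsRole{}, fmt.Errorf("malformed role attribute value %q", v)
	}
	return r, nil
}

// rolesFromAssertion returns every role/principal pair. Empty AttributeValue
// elements (the misconfiguration in the commit message) are skipped, not split.
func rolesFromAssertion(raw string) ([]awsRole, error) {
	var a samlAssertion
	if err := xml.Unmarshal([]byte(raw), &a); err != nil {
		return nil, fmt.Errorf("parsing assertion: %w", err)
	}
	var roles []awsRole
	for _, attr := range a.Attributes {
		if attr.Name != roleAttributeName {
			continue
		}
		for _, v := range attr.Values {
			if strings.TrimSpace(v) == "" {
				continue
			}
			r, err := parseRoleValue(v)
			if err != nil {
				return nil, err
			}
			roles = append(roles, r)
		}
	}
	return roles, nil
}

// chooseRole is the PR's flow: none -> error, one -> return it, many -> ask
// pick for a 1-based choice; the bounds check makes an off-by-one an error, not a panic.
func chooseRole(roles []awsRole, pick func(n int) int) (awsRole, error) {
	if len(roles) == 0 {
		return awsRole{}, fmt.Errorf("SAML response contains no assumable role")
	}
	if len(roles) == 1 {
		return roles[0], nil
	}
	choice := pick(len(roles))
	if choice < 1 || choice > len(roles) {
		return awsRole{}, fmt.Errorf("choice %d is outside 1-%d", choice, len(roles))
	}
	return roles[choice-1], nil
}

func main() {
	roles, err := rolesFromAssertion(sampleAssertion)
	fmt.Println(len(roles), "role(s) parsed, err:", err)
	// Stand-in for the terminal prompt: always answers "2" (1-based, like the MFA menu).
	chosen, err := chooseRole(roles, func(n int) int { return 2 })
	fmt.Println(chosen.RoleARN, chosen.PrincipalARN, err)
}
```

The picker is passed in as a function so the selection logic can be exercised without a terminal; a real prompt would read a number from stdin and return it, with anything unparseable mapping to 0 so that the bounds check rejects it instead of indexing the slice.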

Thanks so much for this contribution @jspc. Superb work on this one.
This simplifies many areas of the code and makes the user experience much better when configuring new apps. Highly appreciated!

I took the liberty of refactoring the role selection part - it would panic when selecting the last role in the list, plus I wanted to be consistent with enumerating from 1 instead of 0. I've also added handling for a SAML response which contains roles sections without a value (strange, but I've got this while testing using some OneLogin config). Lastly, I've added github.com/edaniels/go-saml as a dependency which was missing.

Thanks again!

@johananl johananl merged commit 2b6e59d into allcloud-io:master Sep 10, 2018
2 participants