After removing SAML auth, user should be able to login via password directly
ISSUE TYPE
- Bug Report
COMPONENT NAME
API via cmk
CLOUDSTACK VERSION
4.17.0.1
CONFIGURATION
N/A
OS / ENVIRONMENT
N/A
SUMMARY
STEPS TO REPRODUCE
step1: Add a user, set a password for this user, and use the system with this user.
step2: Enable SAML SSO authentication for this user, either via the web UI or the API.
step3: Remove the SAML SSO authentication via cmk: authorize samlsso enable=false userid=myuser id
step4: Try to log in on the web UI; it fails :)
EXPECTED RESULTS
The user should be able to log in on the CloudStack web UI. When SSO is disabled, the field "source" in the user table is SAML2DISABLED. When SSO has never been activated (and the user is able to log in via CloudStack directly), this field must be UNKNOWN.
ACTUAL RESULTS
The user can't log in on the CloudStack web UI.
Thanks for opening your first issue here! Be sure to follow the issue template!
This is done so that if some security issue happens, SSO-authorised SAML accounts/users don't become active for normal auth access. Consider/think of this like an LDAP account: you can't change the source or change their auth mechanism either (I think; cc @DaanHoogland to confirm). I think maybe only the root admin can do something like that.
I will have to investigate, but both premises seem reasonable from a functional point of view:
- a user that gets SAML enabled loses its status as a direct-login user, or
- a user has an underlying account that remains available for normal login while it's enabled for SSO. The source of a user is however only one and cannot be changed by normal interaction with the system. That part is correct. I don't know enough of the SAML implementation to say if this is a bug or on purpose.
By design, once you create a user account you can't change their source; the question is, can the root admin do that (change a SAML user to a normal account, maybe via a new API to do so?), or is the bug that the account holder itself can't do this? I think the account holder shouldn't be allowed to do this, but root or (we can argue?) a domain account should be allowed to do this?