
Deleting a host from Fleet does not delete related IdP records

Open sgress454 opened this issue 1 month ago • 0 comments

Fleet version: 4.78.0

Expected behavior

When a host is deleted from Fleet, any related IdP records should also be deleted so that if the host re-enrolls (and end-user authentication is on), the user is forced to re-authenticate.

💥  Actual behavior

When a host is deleted from Fleet, it is able to re-enroll without re-authenticating even if end-user authentication is turned on.

🛠️ To fix

  • Delete all host_mdm_idp_accounts and mdm_idp_accounts rows related to the host.

🧑‍💻  Steps to reproduce

These steps:

  • [X] Have been confirmed to consistently lead to reproduction in multiple Fleet instances.
  1. Go to Controls -> Setup Experience and turn on End User Authentication on a team
  2. Enroll a Windows or Linux host to that team, logging in via SSO to complete the enrollment
  3. Delete the host from Fleet
  4. Uninstall Orbit from the host
  5. Re-enroll the host to Fleet

Notice that enrollment proceeds without the SSO window popping up.

sgress454 · Dec 11 '25 22:12
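The cleanup the issue proposes, modelled as an added example; this is not Fleet's code. Only the two table names come from the issue: the column names (`uuid`, `email`, `host_uuid`, `account_uuid`), the rule that enrollment prompts for SSO exactly when no IdP account is linked to the host, and the use of sqlite3 as a stand-in for Fleet's MySQL are all assumptions made here. The example deletes the host's link rows and then only those `mdm_idp_accounts` rows no other host still references, because one IdP user can enroll several hosts; it then replays the issue's steps (delete, re-enroll) and checks that the re-enrolled host would be forced back through SSO while another host of the same user keeps its link.

```python
import sqlite3

# Constructed stand-in for the two Fleet tables named in the issue.
# Column names are an assumption for this example, not Fleet's verified schema,
# and sqlite3 stands in for Fleet's MySQL.
SCHEMA = """
CREATE TABLE mdm_idp_accounts (
    uuid  TEXT PRIMARY KEY,
    email TEXT NOT NULL
);
CREATE TABLE host_mdm_idp_accounts (
    host_uuid    TEXT NOT NULL,
    account_uuid TEXT NOT NULL REFERENCES mdm_idp_accounts(uuid),
    PRIMARY KEY (host_uuid, account_uuid)
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def record_sso_login(conn, host_uuid, account_uuid, email):
    """What a completed end-user authentication persists: the IdP identity and its link to the host."""
    conn.execute("INSERT OR IGNORE INTO mdm_idp_accounts (uuid, email) VALUES (?, ?)",
                 (account_uuid, email))
    conn.execute("INSERT OR IGNORE INTO host_mdm_idp_accounts (host_uuid, account_uuid) VALUES (?, ?)",
                 (host_uuid, account_uuid))
    conn.commit()


def needs_end_user_auth(conn, host_uuid):
    """Assumed decision rule: the SSO window is shown only when no IdP account is linked to the host."""
    row = conn.execute(
        "SELECT 1 FROM host_mdm_idp_accounts WHERE host_uuid = ? LIMIT 1", (host_uuid,)
    ).fetchone()
    return row is None


def delete_host_idp_records(conn, host_uuid):
    """Proposed cleanup to run when a host is deleted.

    Removes the host's link rows, then any mdm_idp_accounts row that no remaining
    host references. Deleting only orphaned account rows matters because the same
    IdP user can enroll several hosts; dropping the account row outright would
    strip the other hosts' links too. Returns (links_deleted, accounts_deleted).
    """
    cur = conn.execute("DELETE FROM host_mdm_idp_accounts WHERE host_uuid = ?", (host_uuid,))
    links = cur.rowcount
    cur = conn.execute(
        "DELETE FROM mdm_idp_accounts WHERE uuid NOT IN "
        "(SELECT account_uuid FROM host_mdm_idp_accounts)"
    )
    conn.commit()
    return links, cur.rowcount


def reproduce():
    """Replay the issue's steps with constructed data: SSO enrollments, host deletion, re-enrollment."""
    conn = open_db()
    record_sso_login(conn, "host-a", "acct-alice", "alice@example.com")
    record_sso_login(conn, "host-b", "acct-alice", "alice@example.com")  # same user, second device
    record_sso_login(conn, "host-c", "acct-bob", "bob@example.com")
    before = needs_end_user_auth(conn, "host-a")        # False: host-a already authenticated
    deleted_a = delete_host_idp_records(conn, "host-a")  # (1, 0): acct-alice still used by host-b
    after = needs_end_user_auth(conn, "host-a")          # True: re-enrollment must prompt for SSO
    host_b_intact = not needs_end_user_auth(conn, "host-b")
    deleted_c = delete_host_idp_records(conn, "host-c")  # (1, 1): acct-bob is now orphaned
    remaining = conn.execute("SELECT COUNT(*) FROM mdm_idp_accounts").fetchone()[0]
    return {
        "before": before,
        "deleted_a": deleted_a,
        "after": after,
        "host_b_intact": host_b_intact,
        "deleted_c": deleted_c,
        "remaining": remaining,
    }


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

Without the cleanup in `delete_host_idp_records`, `needs_end_user_auth` would stay `False` for `host-a` after deletion, which is the behaviour the issue reports: the link row survives the host, so re-enrollment inherits the old authentication. In a real MySQL deployment both statements should run in the same transaction as the host deletion itself.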