
Able to login using normal login form with AAD SSO configured

Open samotelf opened this issue 3 years ago • 7 comments

Debug mode

Describe the bug

I've managed to configure AAD SSO with Snipe-IT, and when I enter the Snipe-IT URL in the browser the AAD SSO screen appears as it should. So far, so good. However, I think it's strange that when I log out (from the user menu in the top right) I'm able to log in using the normal login form, even with the option "Make SAML the primary login (You can use '/login?nosaml' to get to the normal login page.)" checked. I don't think this is normal behavior. As per the documentation, it says:

"SAML Force Login: When this checkbox is enabled, you will not see a login form of Snipe-IT anymore when you go to the Snipe-IT website. Instead it will redirect you directly to the IdP SAML Login." This is true, but IMHO it should also be true when you log out.

Any insights on this?

Thank you very much.

Reproduction steps

  1. Log in to Snipe-IT using Microsoft SSO (since it's configured with Azure).
  2. Log out from the user option in the top right corner.
  3. I am able to log in using the normal login form. ...

Expected behavior

Not being able to log in using the normal login form. In my opinion, the user shouldn't be able to log in using the normal login form, or at least if he tries to do so, he should get an error/link to log in via SSO again.

Screenshots

No response

Snipe-IT Version

6.0.9

Operating System

CentOS 7

Web Server

Apache

PHP Version

7.4.30

Operating System

Windows

Browser

Chrome

Version

101.0.4951.64

Device

No response

Operating System

No response

Browser

No response

Version

No response

Error messages

No response

Additional context

No response

samotelf avatar Aug 12 '22 07:08 samotelf

Update: If the .env file contains the line "REQUIRE_SAML=true" I can in fact only log in with SAML, but unfortunately using https://assets.example.com/login?nosaml (this is useful in case SSO is down) won't let me log in using the normal login form either.

samotelf avatar Aug 12 '22 08:08 samotelf

Well yeah, that's the point though. REQUIRE_SAML=true literally disables any ability to log in using the regular web UI, even with the /login?nosaml parameter.

snipe avatar Aug 23 '22 01:08 snipe
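As an added example (not Snipe-IT project code, and not something any commenter posted): a small external probe that checks whether an instance still serves its username/password form at /login and at the /login?nosaml escape hatch discussed above, so an admin can confirm which of the two postures (SAML primary with the ?nosaml fallback, or REQUIRE_SAML with no form at all) is actually in effect. It assumes the password form can be recognised by an `<input name="password">` element, and uses a constructed offline fetcher for the sample run; the hostname assets.example.com is borrowed from the thread.

```python
"""Probe whether a Snipe-IT instance still serves the password login form.

Added example, not Snipe-IT code. Assumptions: the form is identified by
an <input name="password"> element in the HTML; a SAML-forced /login
answers with a redirect to the IdP (no form body); the fetcher can be
replaced by any callable so the check runs offline.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict

# Assumption: the password form contains an input whose name is "password".
PASSWORD_FIELD = re.compile(r'<input[^>]*\bname=["\']password["\']', re.I)

LOGIN_PATHS = ("/login", "/login?nosaml")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so we never hop off to the IdP."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_url(url: str, timeout: float = 10.0) -> str:
    """Default fetcher: GET the page; any redirect or error yields no body."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError:
        # 3xx to the IdP, or a 4xx/5xx: in both cases no form was served.
        return ""


def serves_password_form(html: str) -> bool:
    """True if the response body contains a password input."""
    return PASSWORD_FIELD.search(html) is not None


def probe_login_paths(base_url: str,
                      fetch: Callable[[str], str] = fetch_url) -> Dict[str, bool]:
    """Map each login path to whether the password form is reachable there."""
    base = base_url.rstrip("/")
    return {path: serves_password_form(fetch(base + path)) for path in LOGIN_PATHS}


def classify(results: Dict[str, bool]) -> str:
    """Summarise the posture implied by the two probes."""
    form, nosaml = results["/login"], results["/login?nosaml"]
    if not form and not nosaml:
        return "saml-only"          # REQUIRE_SAML-style: no form anywhere
    if not form and nosaml:
        return "saml-primary"       # form hidden, ?nosaml escape hatch works
    return "form-reachable"         # password form served at /login


# Constructed sample responses (not captured from a real instance):
# /login redirects to the IdP (empty body); /login?nosaml shows the form.
SAMPLE_RESPONSES = {
    "https://assets.example.com/login": "",
    "https://assets.example.com/login?nosaml": (
        '<form method="POST" action="/login">'
        '<input type="text" name="username">'
        '<input type="password" name="password">'
        '</form>'
    ),
}


def sample_fetch(url: str) -> str:
    """Offline fetcher backed by the constructed responses above."""
    return SAMPLE_RESPONSES.get(url, "")


def sample_run() -> str:
    """Run the probe against the constructed responses."""
    return classify(probe_login_paths("https://assets.example.com", sample_fetch))


if __name__ == "__main__":
    # Replace sample_fetch with the default fetch_url to probe a live instance.
    print(sample_run())
```

Run it against a live instance by calling `probe_login_paths(base_url)` with the default fetcher; a result of "saml-primary" means the ?nosaml fallback is still open, which is what the thread's SAML Force Login setting leaves in place, while "saml-only" is what REQUIRE_SAML=true produces.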

> Well yeah, that's the point though. REQUIRE_SAML=true literally disables any ability to log in using the regular web UI, even with the /login?nosaml parameter.

Hello. Didn't know that. I was just going by trial and error, I'll take that line out and wait for feedback. Thank you.

samotelf avatar Aug 23 '22 14:08 samotelf

Yeah, we actually allow our hosted customers to have that setting enabled, but we discourage it because it's hard for us to log in with our own user to look at their instance when they need us to.

Regardless, if it turns out that things are working as expected and your users are happy, please do close the issue once they let you know that the system is working OK. Thanks!

uberbrady avatar Aug 25 '22 00:08 uberbrady

Yeah, for hosted customers, if we enable that flag, we explain that our ability to provide support will be limited unless they want to create a user for us in their SAML provider (which a few have done.)

snipe avatar Aug 25 '22 00:08 snipe

Ok, I really don't know what to say. If the user is supposed to be able to log in using the login form after logout when SAML is configured, I guess you could close the ticket. :) Thank you all.

samotelf avatar Aug 27 '22 12:08 samotelf

I still think this is an issue.

When I enable 'Make SAML the primary login' I'm always presented with the normal username/password login form with the little link underneath to log in with SAML.

I would expect that I don't get the username/password login box at all.

chais0n avatar May 02 '23 09:05 chais0n