Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2022/08/24 16:23:21 UTC

[GitHub] [cloudstack] atmaniak opened a new issue, #6672: After removing SAML auth, user should be able to login via password directly

atmaniak opened a new issue, #6672:
URL: https://github.com/apache/cloudstack/issues/6672

   ##### ISSUE TYPE
    * Bug Report
   
   ##### COMPONENT NAME
   ~~~
   API via cmk
   ~~~
   
   ##### CLOUDSTACK VERSION
   ~~~
   4.17.0.1
   ~~~
   
   ##### CONFIGURATION
   N/A
   
   
   ##### OS / ENVIRONMENT
   N/A
   
   
   ##### SUMMARY
   
   
   ##### STEPS TO REPRODUCE
   ~~~
   step1: add user, add password for this user, play with this user.
   step2: enable SAML SSO authentication for this user, either by webui or API
   step3: When you choose to remove the SAML SSO authentication, via cmk : authorize samlsso enable=false userid=myuser id
   step4: Try to login on webui with failure :)
   ~~~
   
   
   
   ##### EXPECTED RESULTS
   User should be able to login on cloudstack web UI
   When SSO is disabled, the field "source" on user table is SAML2DISABLED
   When SSO has never been activated (and user is able to login via cloudstack directly) this field must be UNKNOWN.
   
   ##### ACTUAL RESULTS
   User can't login on cloudstack web UI
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [cloudstack] rohityadavcloud commented on issue #6672: After removing SAML auth, user should be able to login via password directly

Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on issue #6672:
URL: https://github.com/apache/cloudstack/issues/6672#issuecomment-1225957018

   This is done so that if some security issue happens, SSO-authorised SAML accounts/users don't become active for normal auth access. Consider/think of this like an LDAP account: you can't change the source or change their auth mechanism either (I think cc @DaanHoogland to confirm). I think maybe only the root admin can do something like that.




[GitHub] [cloudstack] DaanHoogland commented on issue #6672: After removing SAML auth, user should be able to login via password directly

Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on issue #6672:
URL: https://github.com/apache/cloudstack/issues/6672#issuecomment-1226842900

   I will have to investigate, but both premises seem reasonable from a functional point of view:
   - a user that gets SAML enabled loses its status as direct login user, or
   - a user has an underlying account that remains available for normal login while it's enabled for SSO.
   The source of a user is however only one and cannot be changed by normal interaction with the system. That part is correct. I don't know enough of the SAML implementation to say if this is a bug or on purpose.




[GitHub] [cloudstack] rohityadavcloud commented on issue #6672: After removing SAML auth, user should be able to login via password directly

Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on issue #6672:
URL: https://github.com/apache/cloudstack/issues/6672#issuecomment-1229887515

   By design, once you create a user-account you can't change their source; the question is can the root admin do that (change a SAML user to normal account, maybe a new API to do so?); or is the bug that the account holder itself can't do this. I think the account holder shouldn't be allowed to do this, but root or (we can argue?) domain account should be allowed to do this?




[GitHub] [cloudstack] boring-cyborg[bot] commented on issue #6672: After removing SAML auth, user should be able to login via password directly

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #6672:
URL: https://github.com/apache/cloudstack/issues/6672#issuecomment-1225952083

   Thanks for opening your first issue here! Be sure to follow the issue template!
   

