apache / cloudstack

Apache CloudStack is an opensource Infrastructure as a Service (IaaS) cloud computing platform
https://cloudstack.apache.org/
Apache License 2.0

After removing SAML auth, user should be able to login via password directly #6672

Open atmaniak opened 2 years ago

atmaniak commented 2 years ago
ISSUE TYPE
COMPONENT NAME
API via cmk
CLOUDSTACK VERSION
4.17.0.1
CONFIGURATION

N/A

OS / ENVIRONMENT

N/A

SUMMARY
STEPS TO REPRODUCE
step1: add a user, add a password for this user, play with this user.
step2: enable SAML SSO authentication for this user, either by web UI or API.
step3: when you choose to remove the SAML SSO authentication, via cmk: authorize samlsso enable=false userid=myuser id
step4: try to log in on the web UI, with failure :)
EXPECTED RESULTS

User should be able to log in on the CloudStack web UI. When SSO is disabled, the field "source" on the user table is SAML2DISABLED. When SSO has never been activated (and the user is able to log in via CloudStack directly), this field must be UNKNOWN.

ACTUAL RESULTS

User can't log in on the CloudStack web UI.
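The reproduction above, driven through the API instead of the web UI, as an added example that is not code from the CloudStack project or from the reporter. It signs requests with the documented CloudStack scheme (parameters sorted by key, the whole query lowercased, HMAC-SHA1 with the secret key, base64), issues `authorizeSamlSso enable=false` for the user (step 3), reads the user back with `listUsers`, and then attempts a password `login` (step 4). Assumptions: the `CS_*` environment variable names and the endpoint are placeholders; the user table's "source" column is assumed to be serialised in the `listUsers` response as `usersource`; and `password_login_expected` encodes the reporter's expectation, not CloudStack's rule.

```python
"""Reproduce issue #6672 against the CloudStack API and read back the user's
source after SAML is disabled.  Added example, not CloudStack project code."""
import base64
import hashlib
import hmac
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from urllib.parse import quote


def canonical_query(params):
    # Same canonical form the server rebuilds before verifying the signature:
    # keys sorted, values URL-encoded with '*' kept and spaces as %20.
    return "&".join(f"{k}={quote(str(v), safe='*')}" for k, v in sorted(params.items()))


def sign(params, secret_key):
    # HMAC-SHA1 over the lowercased canonical query, base64-encoded.
    mac = hmac.new(secret_key.encode(), canonical_query(params).lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_url(endpoint, command, api_key, secret_key, **params):
    # The signature is computed over every parameter except itself, then appended.
    params = dict(params, command=command, apiKey=api_key, response="json")
    return f"{endpoint}?{canonical_query(params)}&signature={quote(sign(params, secret_key), safe='')}"


def user_source(list_users_json):
    # listUsers wraps results as {"listusersresponse": {"count": n, "user": [...]}}.
    users = list_users_json.get("listusersresponse", {}).get("user", [])
    if len(users) != 1:
        raise ValueError(f"expected exactly one user, got {len(users)}")
    # ASSUMPTION: the user table's "source" column is serialised as "usersource".
    return users[0].get("usersource", "").upper()


def password_login_expected(source):
    # The reporter's expectation: SAML2DISABLED (SAML enabled then turned off) and
    # UNKNOWN (SAML never enabled) should both accept a password login.
    return source in ("UNKNOWN", "SAML2DISABLED")


def main():
    endpoint = os.environ["CS_ENDPOINT"]  # placeholder, e.g. http://mgmt:8080/client/api
    api_key, secret_key = os.environ["CS_API_KEY"], os.environ["CS_SECRET_KEY"]
    userid, username = os.environ["CS_USERID"], os.environ["CS_USERNAME"]
    password, domain = os.environ["CS_PASSWORD"], os.environ.get("CS_DOMAIN", "/")

    def call(command, **p):
        with urllib.request.urlopen(build_url(endpoint, command, api_key, secret_key, **p)) as r:
            return json.load(r)

    call("authorizeSamlSso", enable="false", userid=userid)      # step 3
    source = user_source(call("listUsers", id=userid))
    print("source after disabling SAML:", source, "(password login expected:",
          password_login_expected(source), ")")

    # step 4 via the login API: a refused login comes back as an HTTP error.
    form = urllib.parse.urlencode({"command": "login", "username": username,
                                   "password": password, "domain": domain,
                                   "response": "json"}).encode()
    try:
        with urllib.request.urlopen(endpoint, data=form) as r:
            ok = "sessionkey" in json.load(r).get("loginresponse", {})
            print("password login:", "ok" if ok else "no session key returned")
    except urllib.error.HTTPError as e:
        print("password login refused, HTTP", e.code)


if __name__ == "__main__":
    main()
```

Run it with the `CS_*` variables set for a throwaway user; the interesting output is a `source` of SAML2DISABLED followed by a refused login, which is exactly the mismatch the report describes.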

boring-cyborg[bot] commented 2 years ago

Thanks for opening your first issue here! Be sure to follow the issue template!

rohityadavcloud commented 2 years ago

This is done so that if some security issue happens, SSO-authorised SAML accounts/users don't become active for normal auth access. Consider/think of this like an LDAP account: you can't change the source or change their auth mechanism either (I think; cc @DaanHoogland to confirm). I think maybe only the root admin can do something like that.

DaanHoogland commented 2 years ago

I will have to investigate, but both premises seem reasonable from a functional point of view:

rohityadavcloud commented 2 years ago

By design, once you create a user account you can't change their source; the question is whether the root admin can do that (change a SAML user to a normal account, maybe via a new API?), or whether the bug is that the account holder itself can't do this. I think the account holder shouldn't be allowed to do this, but root or (we can argue?) a domain account should be allowed to do this?