After removing SAML auth, user should be able to login via password directly

apache / cloudstack

Apache CloudStack is an opensource Infrastructure as a Service (IaaS) cloud computing platform

https://cloudstack.apache.org/

Apache License 2.0

2.09k stars 1.11k forks source link

After removing SAML auth, user should be able to login via password directly #6672

Open atmaniak opened 2 years ago

atmaniak commented 2 years ago

ISSUE TYPE

Bug Report

COMPONENT NAME

API via cmk

CLOUDSTACK VERSION

4.17.0.1

CONFIGURATION

N/A

OS / ENVIRONMENT

N/A

SUMMARY

STEPS TO REPRODUCE

step1: add user, add password for this user, play with this user.
step2: enable SAML SSO authentication for this user, either by webui or API
step3: When you choose to remove the SAML SSO authentication, via cmk : authorize samlsso enable=false userid=myuser id
step4: Try to login on webui with failure :)

EXPECTED RESULTS

User should be able to login on cloudstack web UI When SSO is disable the field "source" on user table is SAML2DISABLED When SSO has never been activated (and user is able to login via cloudstack directly) this field must be UNKNOWN.

ACTUAL RESULTS

User can't login on cloudstack web UI

boring-cyborg[bot] commented 2 years ago

Thanks for opening your first issue here! Be sure to follow the issue template!

rohityadavcloud commented 2 years ago

This is done so if some security issue happens, SSO authorised SAML account/users don't become active for normal auth access. Consider/think this like an ldap account, you can't change the source or change their auth mechanism too (I think cc @DaanHoogland to confirm). I think maybe only the root admin can do something like that.

DaanHoogland commented 2 years ago

I will have to investigate, but both premisses seem reasonable from a functional point of view:

a user that gets saml enabled looses its status as direct login user, or
a user has an underlaying account that remains available for normal login while its enabled for sso. The source of a user is however only one and cannot be changed by normal interaction with the system. That part is correct. I don´t know enough of the saml implementation to say if this is a bug or on purpose.

rohityadavcloud commented 2 years ago

By design once you create an user-account you can't change their source; the question is can the root admin do that (change a SAML user to normal account, maybe a new API to do so?); or is the bug that the account holder itself can't do this. I think the account holder shouldn't be allowed to do this, but root or (we can argue?) domain account should be allowed to do this?