Open atmaniak opened 2 years ago
This is done so that if some security issue happens, SSO authorised SAML account/users don't become active for normal auth access. Think of this like an LDAP account: you can't change the source or change their auth mechanism either (I think cc @DaanHoogland to confirm). I think maybe only the root admin can do something like that.
I will have to investigate, but both premises seem reasonable from a functional point of view:
By design, once you create a user account you can't change their source; the question is whether the root admin can do that (change a SAML user to a normal account, maybe a new API to do so?), or whether the bug is that the account holder itself can't do this. I think the account holder shouldn't be allowed to do this, but root or (we can argue?) domain account should be allowed to do this?
ISSUE TYPE
COMPONENT NAME
CLOUDSTACK VERSION
CONFIGURATION
N/A
OS / ENVIRONMENT
N/A
SUMMARY
STEPS TO REPRODUCE
EXPECTED RESULTS
User should be able to log in on the CloudStack web UI. When SSO is disabled, the field "source" on the user table is SAML2DISABLED. When SSO has never been activated (and the user is able to log in via CloudStack directly), this field must be UNKNOWN.
ACTUAL RESULTS
User can't log in on the CloudStack web UI