appsmithorg / appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
https://www.appsmith.com
Apache License 2.0
34.64k stars 3.74k forks

[Bug]-[16]:[SSO] [Disconnect] - Superuser unable to login #13518

Open jnikhila opened 2 years ago

jnikhila commented 2 years ago

Description

Scenario- The superuser used form login to create an account with Appsmith before configuring SSO. A superuser then uses Admin settings to configure SSO with a service provider. On successful configuration, the logins are driven by the SSO provider. The superuser shares the same email for form login as well as SSO. On disconnecting the SSO, the form logins are disabled, and thus, a superuser is also unable to connect to Appsmith. This could be a valid scenario where a company might have moved to another SSO provider and would want to disconnect and re-configure a new SSO provider. So, a superuser should be able to use form login as well as SSO login.

Steps To Reproduce

Go to Admin settings --> select SAML --> configure SAML for SSO --> SSO successfully configured.

Login using SSO --> Login successful.

Go to Admin settings --> Edit SAML --> Click Disconnect --> SSO disconnected.

Login using Form login --> A login attempt is unsuccessful and the user is prompted with an error message "Please use Keycloak authentication to login to Appsmith". (Screenshot attached below)

Public Sample App

No response

Version

Self hosted

Nikhil-Nandagopal commented 2 years ago

@jnikhila great catch! @ankitakinger @trishaanand @vuiets we should think about this scenario to prevent users from shooting themselves in the foot

vuiets commented 2 years ago

Stats

| Stat | Values |
|---|---|
| Reach | 4 |
| Effort (months) | 0.5 |

People using SSO/SAML to login: 24

Assuming that 20% of them will transition to a different provider: 2

I've parked the effort for this to be 2 person-weeks, please correct me if I'm wrong here.

hiteshjoshi commented 2 years ago

@Nikhil-Nandagopal, AFAIK, once you have configured SSO, you will have to have at least one form of login available to turn it off. This case was discussed during SSO weekly. We will check how we missed this scenario.

Nikhil-Nandagopal commented 2 years ago

@hiteshjoshi I think the problem here is that once you turn it off, you can have form login still enabled but because your ID is now linked to the SSO login, you can't use form login to login
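The lockout from the issue description, and the root cause given in the comment above (the account's identity is linked to the SSO login, so form login is refused even though form login itself is still enabled), modelled as an added Python example. This is not Appsmith's code: the `User`, `InstanceConfig`, `form_login_buggy`, `form_login_fixed` and `disconnect_sso` names, and the toy password check, are all constructed for illustration. The buggy path keys the decision on the account's last login source; the fixed path keys it on the instance's current SSO state plus whether the account actually holds a form credential, and the disconnect action refuses to proceed when no superuser would be able to log in afterwards (the "at least one form of login available to turn it off" rule mentioned earlier in the thread).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the two login paths in the report. Hypothetical names;
# not Appsmith's own data model or authentication code.

@dataclass
class User:
    email: str
    is_superuser: bool
    password_hash: Optional[str]   # None when no form password was ever set
    login_source: str              # "FORM" or the SSO provider name, e.g. "SAML"


@dataclass
class InstanceConfig:
    form_login_enabled: bool = True
    sso_provider: Optional[str] = None   # None means SSO is disconnected


Result = Tuple[bool, Optional[str]]   # (login accepted, error message)


def verify_password(user: User, password: str) -> bool:
    """Toy credential check; a real system compares a salted hash."""
    return user.password_hash is not None and user.password_hash == "hash:" + password


def form_login_buggy(user: User, password: str, cfg: InstanceConfig) -> Result:
    """Reproduces the lockout: the decision looks only at the source the
    account was last linked to, not at whether that provider still exists."""
    if not cfg.form_login_enabled:
        return False, "form login is disabled"
    if user.login_source != "FORM":
        return False, f"Please use {user.login_source} authentication to login"
    if verify_password(user, password):
        return True, None
    return False, "invalid credentials"


def form_login_fixed(user: User, password: str, cfg: InstanceConfig) -> Result:
    """An account linked to a provider that is still connected is steered to
    that provider; once the provider is disconnected, the stored form
    password becomes usable again."""
    if not cfg.form_login_enabled:
        return False, "form login is disabled"
    if user.login_source != "FORM" and cfg.sso_provider == user.login_source:
        return False, f"Please use {user.login_source} authentication to login"
    if user.password_hash is None:
        return False, "no form credential on this account; set a password first"
    if verify_password(user, password):
        return True, None
    return False, "invalid credentials"


def disconnect_sso(cfg: InstanceConfig, users: List[User]) -> Result:
    """Admin action guard: refuse to disconnect unless at least one superuser
    could still authenticate by form login afterwards."""
    survivors = [u.email for u in users
                 if u.is_superuser and cfg.form_login_enabled and u.password_hash is not None]
    if not survivors:
        return False, "refusing: no superuser could log in after disconnecting SSO"
    cfg.sso_provider = None
    return True, None


def reproduce_scenario() -> Tuple[bool, Result, Result]:
    """Walks the reported steps: form account, SSO configured and used,
    SSO disconnected, then a form login attempt under both implementations."""
    admin = User("admin@example.com", True, "hash:correct horse", "FORM")
    cfg = InstanceConfig()
    cfg.sso_provider = "SAML"      # admin configures SAML in Admin settings
    admin.login_source = "SAML"    # admin signs in via SSO; account becomes linked to it
    disconnected, _ = disconnect_sso(cfg, [admin])
    buggy = form_login_buggy(admin, "correct horse", cfg)
    fixed = form_login_fixed(admin, "correct horse", cfg)
    return disconnected, buggy, fixed


if __name__ == "__main__":
    print(reproduce_scenario())
```

Running the module prints the three outcomes: the disconnect succeeds because the superuser still holds a password, the buggy path then refuses form login with the provider message from the screenshot, and the fixed path accepts it. The guard in `disconnect_sso` is what keeps an instance whose only superuser was created through SSO (no form password) from being disconnected into a state nobody can administer.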

riteshkew commented 1 month ago

Linked to #34651.

shirobachi commented 19 hours ago

any update?