Ability to disabled password login systemwide if SAML/SSO is working/configured

fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)

https://fleetdm.com

Other

3.12k stars 431 forks source link

Ability to disabled password login systemwide if SAML/SSO is working/configured #241

Open noahtalerman opened 3 years ago

noahtalerman commented 3 years ago

Currently Fleet disables password login for SSO users. This feature request includes the ability to disable password login systemwide.

Problems

Currently, an "admin" user has to manually make sure that no one in the Fleet system has the SSO setting unchecked in order to feel confident that no user has password login access.

Goals

Allow "admin" users of Fleet to disable password login across all user accounts (systemwide) so they're confident no user has password login access.
Allow users with a specific level of access to login with a password so these users are not locked out of Fleet when the IdP is suffering an outage.

anelshaer commented 3 years ago

@noahtalerman i have a related question, i enabled SSO, but i just need to exclude an admin account (use password) i case SSO was down or had any issues, when ever i uncheck the SSO and save it come back on under that user. not able to disable it.

noahtalerman commented 3 years ago

when ever i uncheck the SSO and save it come back on under that user. not able to disable it

@anelshaer after you uncheck SSO for this admin user and save, are you able to successfully log in with a password? Even when the "Enable Single Sign On" checkbox appears to be selected.

There is a known bug, filed in this issue, that describes the following behavior:

When you uncheck SSO, save, and then open the "Edit user" modal, the "Enable Single Sign On" box is checked. However, sso_enabled is actually set to false for this user.