gate-sso / gate

Gate is MFA Enabled SSO Platform that supports SAML, OAuth, Linux shell login and CAS
https://gate-sso.github.io
MIT License

Multi-domain: When "duplicate" users are present, only authenticate against active users. #22

Closed kingsly closed 6 years ago

kingsly commented 6 years ago

While Gate's multi-domain support expects usernames to be unique across domains, this isn't strictly enforced at the moment.

This allows for the following situation.

USER1 - username@domain1.com - INACTIVE
USER2 - username@domain2.com - ACTIVE

Present behaviour:

While USER2 is active and able to log in to Gate with their Google account, when authenticating against Gate, Gate only checks the oldest user irrespective of "active" status, so username@domain2.com will never get a successful auth, even though they exist on Gate and are the only active user at present.

Expected behavior:

Gate should check for "active" users with a particular username and authenticate them.

(Ideally Gate should also prevent such situations from arising in the first place; that will be addressed in a different issue, but this fix will allow existing installations to work with minimal change to Gate's auth logic.)

olttwa commented 6 years ago

This is fixed. As a temporary hack, we have added authentication only for active users. But two users with the same login_id can still be present.
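The lookup change described in this thread, as an added example that is not code from the Gate project: plain Ruby structs stand in for Gate's ActiveRecord User model, the sample users are constructed to match the issue (same login_id in two domains, only the newer record active), and the `find_user_legacy` / `find_active_user` / `authenticate` / `duplicate_login_ids` names are assumptions for illustration. It shows the reported behaviour (oldest record wins regardless of the active flag) next to the active-only lookup, and adds an audit helper for the duplicate-login_id situation olttwa notes can still occur.

```ruby
# Added example, not code from the Gate project: models the user lookup the
# issue describes with plain Ruby structs instead of Gate's ActiveRecord model.
require 'time'

User = Struct.new(:id, :login_id, :email, :active, :created_at, keyword_init: true)

# Raised when more than one active account shares a login_id, which the
# multi-domain design says should not happen.
class AmbiguousLoginId < StandardError; end

# Constructed sample data matching the issue: the same login_id exists in two
# domains, and only the newer record is active.
SAMPLE_USERS = [
  User.new(id: 1, login_id: 'username', email: 'username@domain1.com',
           active: false, created_at: Time.parse('2016-03-01T00:00:00Z')),
  User.new(id: 2, login_id: 'username', email: 'username@domain2.com',
           active: true,  created_at: Time.parse('2017-06-01T00:00:00Z')),
  User.new(id: 3, login_id: 'alice', email: 'alice@domain1.com',
           active: true,  created_at: Time.parse('2017-01-01T00:00:00Z'))
].freeze

# The reported behaviour: the oldest record with that login_id wins, whether or
# not it is active.
def find_user_legacy(users, login_id)
  users.select { |u| u.login_id == login_id }.min_by(&:created_at)
end

# The fix as described: only active records are candidates. If more than one
# active record matches, refuse rather than silently pick one of them.
def find_active_user(users, login_id)
  matches = users.select { |u| u.login_id == login_id && u.active }
  if matches.size > 1
    raise AmbiguousLoginId, "#{matches.size} active users share login_id #{login_id}"
  end
  matches.first
end

# Authentication outcome for a login_id. The credential step (password, OTP,
# ...) is supplied by the caller as a block so the example stays independent of
# Gate's actual verifiers; the block receives the resolved user.
def authenticate(users, login_id, lookup: :active)
  user = lookup == :legacy ? find_user_legacy(users, login_id) : find_active_user(users, login_id)
  return { ok: false, reason: :no_user } if user.nil?
  return { ok: false, reason: :inactive, user: user } unless user.active
  return { ok: false, reason: :bad_credential, user: user } unless yield(user)
  { ok: true, user: user }
end

# Audit helper for the situation that remains possible after the fix: login_ids
# that map to more than one record. Returns login_id => list of emails.
def duplicate_login_ids(users)
  users.group_by(&:login_id)
       .select { |_, records| records.size > 1 }
       .transform_values { |records| records.map(&:email) }
end

if $PROGRAM_NAME == __FILE__
  cred_ok = ->(_user) { true } # pretend the credential check passed
  p authenticate(SAMPLE_USERS, 'username', lookup: :legacy, &cred_ok)
  p authenticate(SAMPLE_USERS, 'username', &cred_ok)
  p duplicate_login_ids(SAMPLE_USERS)
end
```

With the legacy lookup the active user in domain2 is never consulted, so the result is `:inactive` even with a valid credential; with the active-only lookup the same login succeeds. Refusing on more than one active match is a deliberate choice: once the "active" filter is the only thing disambiguating records, a second active duplicate would otherwise hand the login to whichever row happens to sort first.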