heviat / Mailu-OpenID

Mailu mailservice extended by OpenID Connect user authentication
https://mailu.io

Allow disabling username/password login when SSO is present #6

Open RahimRamzanAli opened 12 months ago

RahimRamzanAli commented 12 months ago

Environment & Version

Description

Hi, Mailu is working perfectly fine with OpenID Connect. I am using Keycloak for this. The issue I am facing is that after login via Keycloak, it creates the email address automatically in Mailu, which is what I want, but after that, if I try to log in with the same Keycloak credentials directly by entering username and password on the Mailu login page, that also works, and now it is getting confusing for me and my users whether to log in via OpenID Connect (Keycloak) or directly by entering username and password on the Mailu login page.

Please help me: how can I resolve this issue?

Encotric commented 11 months ago

Hi, when a user is created through OpenID Connect it should not be able to log in by the Mailu login form, as the Mailu service does not know the user's password. In the database, an OIDC user has set the flag openid instead of a password, therefore it should be impossible to log in over the default form.

But: if you created a user in the Mailu admin panel, assigned a password, and used an email address that is also registered for a Keycloak user, both the OIDC button and the login form on Mailu will work, as the user is not explicitly an OIDC user.

So, I don't see your issue right now. Would you like to disable the Mailu login form for all users and force them to use OIDC?

RahimRamzanAli commented 11 months ago

Hi, thanks for replying to me.

So I have checked: creating a user with the Mailu admin panel, assigning a password, and using that email address for Keycloak users, both the OIDC button and the login form are working, and that is absolutely acceptable from my side.

But the issue I am facing is: if I log in with any email address for the first time via Keycloak (OpenID), it creates the user's profile, mailbox, etc., but then if I try to log in with the login form on Mailu with the same Keycloak credentials, I am still able to log in, and the strange thing is that it creates a session on Keycloak as well. I don't know, but there is a minor bug because of which I am able to log in with the login form on Mailu with Keycloak credentials.

Still, I would like to force all my users to use OIDC only. Can you please help me with that? Right now I have just disabled the sign-in button, but I need a proper solution for this.

Encotric commented 11 months ago

Hi, I'm sorry, but this issue is not reproducible with the current version for me. Are you sure that you use the latest release? I know that a similar behavior was implemented earlier, but it was removed a few months ago.

RahimRamzanAli commented 11 months ago

Thanks for updating me. I will update my version. I have one more question, if you can help me with that?

Is it possible to stop creating a domain automatically via Keycloak (OIDC)? As you know, when we log in via OIDC and the domain doesn't exist, it is created automatically.

We are using multiple email domains in Keycloak, and I want to create a mail server for one specific domain. I want only those domain users to log in. If users of other domains try to log in, they could get a message like "Sorry, you are not allowed to use this mail server" or something similar.
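The two controls discussed in this thread, refusing form login for users whose stored credential is the OIDC flag rather than a password hash (with an optional "force OIDC" switch) and restricting OIDC auto-provisioning to an allowed domain, as an added illustration that is not Mailu-OpenID's own code. `OIDC_SENTINEL`, `FORCE_OIDC`, `ALLOWED_DOMAINS`, the `User` record and the PBKDF2 hash format are assumptions made for this example, not Mailu's actual schema.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Assumptions for this example (not Mailu's real configuration keys):
OIDC_SENTINEL = "openid"            # stored in place of a password hash for OIDC-provisioned users
FORCE_OIDC = False                  # when True, the form login is refused for everyone
ALLOWED_DOMAINS = {"example.com"}   # only these domains may be auto-provisioned via OIDC


@dataclass
class User:
    email: str
    password: str   # either "salt$hash" (local user) or OIDC_SENTINEL (OIDC user)


def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as 'salt_hex$hash_hex' (example format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Constant-time comparison of the candidate against a 'salt$hash' record."""
    if "$" not in stored:           # malformed or non-hash value: never matches
        return False
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def form_login_allowed(user: User, candidate: str, force_oidc: bool = FORCE_OIDC) -> bool:
    """Decide whether the username/password form may log this user in."""
    if force_oidc:
        return False                # SSO is mandatory: the form is disabled for all users
    if user.password == OIDC_SENTINEL:
        return False                # the flag is not a hash; an OIDC user has no local password
    return verify_password(user.password, candidate)


def oidc_provision_allowed(email: str, allowed: set = ALLOWED_DOMAINS) -> bool:
    """Only auto-create mailboxes (and domains) for addresses in an allowed domain."""
    domain = email.rpartition("@")[2].lower()
    return domain in allowed
```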