Closed LeoMcA closed 5 years ago
Staging is using this branch but there seems to be an auth0 misconfiguration. It could be the auth0-dev creds I have are wrong. The client id is eKCVLtzOkeFX5sRr9MVRrZX9dl2CiVSo.
https://github.com/mozilla-iam/sso-dashboard-configuration/blob/master/apps.yml also needs to be updated to enable AAL: LOW on staging.
Things are working on staging now.
I've identified one bug where all of a user's sessions will be logged off if one of them falls below the required AAL, rather than just the session(s) which have an insufficient AAL. I'll work on fixing that next.
@viorelaioia this should be ready for QA now
allows logging in with secondary emails
I never fully thought this through wrt staff accounts:
So, reverting the change for now. I'll revisit as part of the post-AAL world improvements.
do we even want to allow login with a non staff email on a staff account? (I doubt it)
No, we do not want to allow that kind of login. The basic guideline from InfoSec is: If you are Staff, you have to use Staff LDAP (plus MFA).
Best regards, Henrik
Work happening here: https://github.com/mozilla/discourse-mozilla-iam/tree/aal
Current behaviour:
* allows logging in with secondary emails
* currently all sessions are killed, rather than just the affected ones, I'm working on fixing this