proversity-org / edx-platform

The Open edX platform, the software that powers edX!
http://open.edx.org/
GNU Affero General Public License v3.0

PE-330 - Allow the same account to login in multiples sites. #1054

Closed Squirrel18 closed 5 years ago

Squirrel18 commented 5 years ago

Description:

This PR enables the association of an existing account (matched by email) with an SSO account, to enable login on multiple sites.

Reviewers:

ryangadams commented 5 years ago

Let's consider what we know at this point.

  1. SSO service A has authenticated someone and given us some metadata which includes an email address.
  2. That email address matches someone in our database.
  3. We don't know if they are authorised to link that SSO to this account. So the default behaviour is to prompt them to authenticate with Open edX.

This change assumes that if the email address provided by the SSO service matches the email address in the platform then we should link and let them in. I think that could be insecure.

My suggestion in the ticket was that we should confirm that the new SSO service was the same as was already linked to the user's account before doing this, and that one way to do that was to confirm that the EntityId from the SAML config was the same. I think you need to do that.

Do you think I shouldn't be worried about that?
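The decision logic the reviewer is describing, written out as an added example (this is not edx-platform code; the names `User`, `SamlAssertion`, `decide_link`, the sample users and the entityID values are all constructed here). It places the email-only rule beside the hardened rule that also requires the asserting IdP's entityID to be one already linked to the account, and shows the re-authentication path that links a new IdP only after an Open edX password check.

```python
"""Account-linking decision for a SAML login whose email matches a local user.

Added example for this thread, not edx-platform code. Every name here
(User, SamlAssertion, decide_link, link_after_password, the sample data) is
hypothetical and constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    LOGIN = "login"                      # trusted IdP for this account: log in on this site
    PROMPT_PASSWORD = "prompt_password"  # unknown IdP for this account: re-authenticate with Open edX
    NO_MATCH = "no_match"                # no local account with that email


@dataclass(frozen=True)
class SamlAssertion:
    email: str
    # entityID of the identity provider that issued the assertion (from its SAML metadata)
    idp_entity_id: str


@dataclass
class User:
    email: str
    # entityIDs of IdPs already linked to this account (hypothetical store)
    linked_idp_entity_ids: set = field(default_factory=set)


def decide_link_insecure(user_db, assertion):
    """The behaviour the reviewer objects to: an email match alone is enough to link and log in.
    Any IdP we federate with could assert this email and take over the account."""
    user = user_db.get(assertion.email.lower())
    return Decision.LOGIN if user else Decision.NO_MATCH


def decide_link(user_db, assertion):
    """Hardened rule: the email must match AND the asserting IdP's entityID must already
    be linked to that account. Otherwise fall back to prompting for the Open edX password."""
    user = user_db.get(assertion.email.lower())
    if user is None:
        return Decision.NO_MATCH
    if assertion.idp_entity_id in user.linked_idp_entity_ids:
        return Decision.LOGIN
    return Decision.PROMPT_PASSWORD


def link_after_password(user_db, assertion, password_ok):
    """After a PROMPT_PASSWORD outcome: link the new IdP only if the Open edX password
    check succeeded (password_ok is the result of that check, supplied by the caller).
    Returns the resulting decision for this login attempt."""
    user = user_db.get(assertion.email.lower())
    if user is None:
        return Decision.NO_MATCH
    if not password_ok:
        return Decision.PROMPT_PASSWORD
    user.linked_idp_entity_ids.add(assertion.idp_entity_id)
    return Decision.LOGIN


def sample_db():
    """Constructed sample data: one user already linked to one IdP."""
    alice = User(email="alice@example.edu",
                 linked_idp_entity_ids={"https://idp.example.edu/saml/metadata"})
    return {alice.email: alice}


if __name__ == "__main__":
    db = sample_db()
    same_idp = SamlAssertion("alice@example.edu", "https://idp.example.edu/saml/metadata")
    other_idp = SamlAssertion("alice@example.edu", "https://other-idp.example.org/metadata")
    print("same IdP, hardened  :", decide_link(db, same_idp).value)
    print("other IdP, hardened :", decide_link(db, other_idp).value)
    print("other IdP, insecure :", decide_link_insecure(db, other_idp).value)
```

In the hardened rule the email match only selects the candidate account; trust comes from the entityID already being linked to it, which is what makes the same IdP usable on several sites without re-prompting while any other IdP asserting the same email is sent to the password prompt.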

Squirrel18 commented 5 years ago

@ryangadams I made some changes to the code in order to support the EntityId check.

ryangadams commented 5 years ago

This is ok. I think we should consider upstreaming it.