Closed Squirrel18 closed 5 years ago
Let's consider what we know at this point.
This change assumes that if the email address provided by the SSO service matches the email address in the platform then we should link and let them in. I think that could be insecure.
My suggestion in the ticket was that we should confirm that the new SSO service was the same as was already linked to the user's account before doing this, and that one way to do that was to confirm that the EntityId from the SAML config was the same. I think you need to do that.
Do you think I shouldn't be worried about that?
@ryangadams I made some changes to the code in order to support the EntityId check.
This is ok. I think we should consider upstreaming it.
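The two linking rules discussed above, side by side, as an added example that is not code from this PR. The email-only rule is the one the reviewer flagged; the second rule additionally requires the assertion to come from the IdP whose EntityId is already linked to the account. The data model, the sample EntityId values and the choice to refuse auto-linking when no IdP is linked yet are assumptions made for the example.

```python
# Added example (not the PR's code): SSO account-linking decision with and
# without the EntityId check raised in review.
from dataclasses import dataclass
from typing import Optional


@dataclass
class PlatformUser:
    email: str
    linked_sso_entity_id: Optional[str]  # EntityId of the IdP already linked, if any


@dataclass
class SamlLogin:
    issuer_entity_id: str  # EntityId of the IdP that issued the assertion
    email: str             # email attribute carried in the assertion


def link_by_email_only(user: PlatformUser, login: SamlLogin) -> bool:
    """The rule flagged in review: any IdP that asserts a matching email gets in.
    Nothing ties the assertion to the IdP the account was originally linked to."""
    return user.email.casefold() == login.email.casefold()


def link_with_entity_id_check(user: PlatformUser, login: SamlLogin) -> bool:
    """Email must match AND the assertion must come from the IdP already linked
    to this account. With no prior link there is nothing to compare against, so
    this example refuses rather than auto-linking (assumption for the example)."""
    if user.email.casefold() != login.email.casefold():
        return False
    if user.linked_sso_entity_id is None:
        return False
    return user.linked_sso_entity_id == login.issuer_entity_id


if __name__ == "__main__":
    # Constructed sample values; the EntityId URLs are placeholders.
    alice = PlatformUser("alice@example.org", "https://idp.example.org/saml")
    same_idp = SamlLogin("https://idp.example.org/saml", "Alice@Example.org")
    other_idp = SamlLogin("https://other-idp.example.net/saml", "alice@example.org")
    print("email only, other IdP :", link_by_email_only(alice, other_idp))
    print("with EntityId, other  :", link_with_entity_id_check(alice, other_idp))
    print("with EntityId, same   :", link_with_entity_id_check(alice, same_idp))
```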
Description:
This PR enables the association of an existing account (by email) with an SSO account to enable login on multiple sites.