snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

Able to login using normal login form with AAD SSO configured #11667

Open samotelf opened 2 years ago

samotelf commented 2 years ago

Debug mode

Describe the bug

I've managed to configure AAD SSO with Snipe-IT, and when I enter the Snipe-IT URL in the browser the AAD SSO screen appears as it should. So far, so good. However, I think it's strange that when I log out (from the user top-right menu) I'm able to log in using the normal login form, even with the option "Make SAML the primary login (You can use '/login?nosaml' to get to the normal login page.)" checked. I don't think this is normal behaviour. The documentation says:

"SAML Force Login: When this checkbox is enabled, you will not see a login form of Snipe-IT anymore when you go to the Snipe-IT website. Instead it will redirect you directly to the IdP SAML Login." This is true, but IMHO it should also be true after you log out.

Any insights on this?

Thank you very much.

Reproduction steps

  1. Log in to Snipe-IT using Microsoft SSO (since it's configured with Azure).
  2. Log out from the user option in the top right corner.
  3. I am able to log in using the normal login form. ...

Expected behavior

Not being able to log in using the normal login form. In my opinion, the user shouldn't be able to log in using the normal login form, or at least, if he tries to do so, he should get an error/link to log in via SSO again.


Snipe-IT Version

6.0.9

Operating System (server)

CentOS 7

Web Server

Apache

PHP Version

7.4.30

Operating System (desktop)

Windows

Browser

Chrome

Browser Version

101.0.4951.64


samotelf commented 2 years ago

Update: if the .env file contains the line "REQUIRE_SAML=true", I can in fact only log in with SAML, but unfortunately https://assets.example.com/login?nosaml (which is useful in case SSO is down) then won't let me log in using the normal login form.

snipe commented 2 years ago

Well yeah, that's the point though. REQUIRE_SAML=true literally disables any ability to log in using the regular web UI, even with the /login?nosaml parameter.

samotelf commented 2 years ago

> Well yeah, that's the point though. REQUIRE_SAML=true literally disables any ability to log in using the regular web UI, even with the /login?nosaml parameter.

Hello. Didn't know that. I was just going by trial and error, I'll take that line out and wait for feedback. Thank you.

uberbrady commented 2 years ago

Yeah, we actually allow our hosted customers to have that setting enabled, but we discourage it because it makes it hard for us to log in with our own user to look at their instance when they need us to.

Regardless, if it turns out that things are working as expected and your users are happy, please do close the issue once they let you know that the system is working OK. Thanks!

snipe commented 2 years ago

Yeah, for hosted customers, if we enable that flag, we explain that our ability to provide support will be limited unless they want to create a user for us in their SAML provider (which a few have done).
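The thread describes two separate knobs with different strength: the "Make SAML the primary login" checkbox only changes which page /login shows (and /login?nosaml still reaches the password form), while REQUIRE_SAML=true in .env removes local password login entirely, nosaml or not. The following is an added example, not code from this thread or from the Snipe-IT code base, that models that decision logic so the difference can be tested; the setting names, the Outcome values and the helper functions are assumptions chosen for illustration, not Snipe-IT's own identifiers.

```python
"""Model of the two SAML login-gating settings discussed in this thread.

This is an illustrative model, not Snipe-IT's implementation. Field and
function names are assumptions for the example.
"""
from dataclasses import dataclass
from enum import Enum
from urllib.parse import parse_qs, urlsplit


class Outcome(Enum):
    REDIRECT_TO_IDP = "redirect to the SAML IdP"
    SHOW_LOCAL_FORM = "show the username/password form"
    LOCAL_LOGIN_DISABLED = "local login disabled, SAML only"


@dataclass(frozen=True)
class SamlSettings:
    saml_enabled: bool     # SAML configured at all
    force_login: bool      # the "Make SAML the primary login" checkbox
    require_saml: bool     # REQUIRE_SAML=true in .env


def has_nosaml(url: str) -> bool:
    """True if the URL carries the ?nosaml escape hatch.

    '/login?nosaml' has a key with an empty value; parse_qs silently drops
    blank values unless keep_blank_values=True, so the flag would otherwise
    be missed.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return "nosaml" in query


def login_page_outcome(settings: SamlSettings, url: str) -> Outcome:
    """Decide what a GET on the login URL should do under the settings."""
    if not settings.saml_enabled:
        return Outcome.SHOW_LOCAL_FORM
    if settings.require_saml:
        # Hard switch: the password form is never served, and the
        # ?nosaml parameter is ignored, exactly as described in the thread.
        return Outcome.LOCAL_LOGIN_DISABLED
    if settings.force_login and not has_nosaml(url):
        # Soft switch: only the default landing page changes.
        return Outcome.REDIRECT_TO_IDP
    return Outcome.SHOW_LOCAL_FORM


def password_post_accepted(settings: SamlSettings) -> bool:
    """Whether a POST of username/password credentials is accepted at all.

    Gating only the GET that renders the form is not a control: with
    force_login alone the credential endpoint must still accept POSTs,
    because /login?nosaml is documented as a way to reach it. Only the
    hard switch actually refuses password authentication.
    """
    return not (settings.saml_enabled and settings.require_saml)


def describe(settings: SamlSettings) -> dict:
    """Summary of what each URL does and whether passwords still work."""
    return {
        "/login": login_page_outcome(settings, "/login").value,
        "/login?nosaml": login_page_outcome(settings, "/login?nosaml").value,
        "password POST accepted": password_post_accepted(settings),
    }


if __name__ == "__main__":
    for name, s in {
        "checkbox only": SamlSettings(True, True, False),
        "REQUIRE_SAML": SamlSettings(True, True, True),
    }.items():
        print(name, describe(s))
```

The practical check for an operator is the last row of `describe`: after logging out of the SAML session, try a password POST to /login, not just a GET. If the deployment goal is "no local passwords at all" (the reporter's expected behaviour), the thread's answer is that only REQUIRE_SAML provides it, at the cost of also losing the /login?nosaml fallback when the IdP is down; the checkbox alone should be treated as a convenience redirect, not as an authentication control.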

samotelf commented 2 years ago

OK, I really don't know what to say. If the user is supposed to be able to log in using the login form after logout when SAML is configured, I guess you could close the ticket. :) Thank you all.

chais0n commented 1 year ago

I still think this is an issue.

When I enable 'Make SAML the primary login', I'm always presented with the normal username/password login form with the little link underneath to log in with SAML.

I would expect that I don't get the username/password login box at all.