Fix saml bug unable to login #10868
Fix saml bug unable to login #10868
Conversation
|
@blueorangutan package |
|
@vits-hugs a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 13387 |
DaanHoogland
left a comment
DaanHoogland
left a comment
There was a problem hiding this comment.
clgtm, maybe this should be a setting allowing the operator to enable the ‘bypass’ login or not. What do you think @vits-hugs ?
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## 4.20 #10868 +/- ##
=========================================
Coverage 16.23% 16.23%
- Complexity 13371 13374 +3
=========================================
Files 5657 5657
Lines 498860 498864 +4
Branches 60543 60544 +1
=========================================
+ Hits 81003 81004 +1
- Misses 408824 408825 +1
- Partials 9033 9035 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
Could be a security risk - perhaps wrap around a global setting. Some orgs may not want that? |
|
I think that displaying warning would make more sense, after you disable the SAML login, since if an admin would want to unable a user to access the application, it should disable the account. What do you think about that? |
I think certain operators would want to be able to guarantee a user can only login via SSO. For some other operators your change makes sense. That is why we are asking to make the behaviour configurable. |
|
@DaanHoogland @rohityadavcloud, As requested i added a configuration to make the behaviour configurable, please review the changes. |
|
@blueorangutan package |
|
@vits-hugs a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 13639 |
|
@blueorangutan test |
|
@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests |
|
[SF] Trillian test result (tid-13483)
|
|
I am not a SAML user, but I have two questions
|
|
@vits-hugs , do you still want to move this forwards? It need addressing @weizhouapache ’s comments and a test/review. |
|
Hello, @DaanHoogland and @weizhouapache
Yes, I think we can move this PR forward. I will take care of it on behalf of Vitor.
It's not the SAML user that is disabled, but the possibility of logging in with SAML SSO. As an example, let's say the user used to log in with their own ACS credentials (username and password), and then SAML authentication was added to the environment by the operators. If, after a while, the operators decide to remove the SAML authentication from the environment, the user cannot log in anymore, neither with SAML (as it was removed), nor with their credentials. Thus, this PR allows users in these scenarios to log in with their credentials again, even if their SAML login was disabled. If the operator wishes to actually disable the user, they should use
Personally, I think that the default value for the configuration should be However, I also understand that this PR implements a sensitive change and it could take operators by surprise. Therefore, I propose the change of the default value to |
|
I think your approach is sane @erikbocks . The only snag is that saml users may not have a local account at all. |
hsato03
left a comment
hsato03
left a comment
There was a problem hiding this comment.
clgtm, I agree changing the new global setting to have the default value as false to keep the current behavior.
yes, the default value should be @erikbocks |
erik-bock-silva
force-pushed
the
fix-saml2-bug-unable-to-login
branch
from
a578d56 to
49266dd
Compare
RosiKyu
left a comment
RosiKyu
left a comment
There was a problem hiding this comment.
LGTM
Tested PR #10868 which adds the enable.login.saml.unathourized setting to control login behavior when SAML SSO is disabled for a user.
Environment: CloudStack 4.19.3.0-SNAPSHOT, Keycloak 22.0 as SAML IdP
Test Execution Summary
| TC | Description | Result |
|---|---|---|
| TC1 | Password login succeeds when SAML disabled with setting=true (source changes to UNKNOWN) | PASSED |
| TC2 | Password login blocked when SAML disabled with setting=false (source changes to SAML2DISABLED) | PASSED |
| TC3 | SAML SSO login fails when user not authorized for SAML | PASSED |
| TC4 | SAML SSO login succeeds when user authorized for SAML | PASSED |
All test cases passed. The new setting correctly controls whether users can fall back to password authentication when their SAML authorization is disabled.
Detailed Test Report
TC1: Login with password after SAML disabled (setting=true)
Objective
Verify that when enable.login.saml.unathourized=true, a user whose SAML SSO has been disabled can successfully login using username and password. This is the core bug fix of PR #10868.
Test Steps
- Set global configuration
enable.login.saml.unathourizedtotrue - Disable SAML SSO for the test user using
authorizeSamlSso enable=false - Verify user source changed to
UNKNOWNin database - Attempt login via CloudStack UI Portal login with username/password
Expected Result:
- User source should change from
SAML2toUNKNOWN(notSAML2DISABLED) - User should be able to login successfully with username and password
Actual Result:
- User source changed to
UNKNOWN - User successfully logged in via Portal login
Test Evidence:
(admin) 🐱 > update configuration name=enable.login.saml.unathourized value=true
{
"configuration": {
"category": "Advanced",
"component": "SAML2-PLUGIN",
"defaultvalue": "true",
"description": "When enabled, if SAML SSO is disabled, enables user to login with user and password, otherwise a user with SAML SSO disabled cannot login",
"displaytext": "Enable login saml unathourized",
"group": "Access",
"isdynamic": true,
"name": "enable.login.saml.unathourized",
"subgroup": "SAML",
"type": "Boolean",
"value": "true"
}
}
(admin) 🐱 > authorizeSamlSso userid=13c22633-feff-4f9b-9b47-43319c8eb719 enable=false
{
"success": true
}
mysql> SELECT id, username, source FROM cloud.user WHERE username='samluser';
+----+----------+---------+
| id | username | source |
+----+----------+---------+
| 5 | samluser | UNKNOWN |
+----+----------+---------+
1 row in set (0.00 sec)
UI Login: Successfully logged in as "SAML TestUser" via Portal login
Event log shows: "26 Jan 2026 15:02:16 USER.LOGIN - samluser user has logged in from IP Address /10.0.3.251"
TC2: Login with password after SAML disabled (setting=false)
Objective
Verify that when enable.login.saml.unathourized=false, a user whose SAML SSO has been disabled CANNOT login using username and password. This confirms the configurable behavior works correctly - operators can choose to block password login for SAML-disabled users.
Test Steps
- Re-enable SAML for the test user (pre-requisite from TC1)
- Set global configuration
enable.login.saml.unathourizedtofalse - Disable SAML SSO for the test user using
authorizeSamlSso enable=false - Verify user source changed to
SAML2DISABLEDin database - Attempt login via CloudStack UI Portal login with username/password
Expected Result:
- User source should change from
SAML2toSAML2DISABLED - User should NOT be able to login with username and password
- Login should fail with authentication error
Actual Result:
- User source changed to
SAML2DISABLED - Login failed with error message
Test Evidence:
(admin) 🐱 > update configuration name=enable.login.saml.unathourized value=false
{
"configuration": {
"category": "Advanced",
"component": "SAML2-PLUGIN",
"defaultvalue": "true",
"description": "When enabled, if SAML SSO is disabled, enables user to login with user and password, otherwise a user with SAML SSO disabled cannot login",
"displaytext": "Enable login saml unathourized",
"group": "Access",
"isdynamic": true,
"name": "enable.login.saml.unathourized",
"subgroup": "SAML",
"type": "Boolean",
"value": "false"
}
}
(admin) 🐱 > authorizeSamlSso userid=13c22633-feff-4f9b-9b47-43319c8eb719 enable=false
{
"success": true
}
mysql> SELECT id, username, source FROM cloud.user WHERE username='samluser';
+----+----------+---------------+
| id | username | source |
+----+----------+---------------+
| 5 | samluser | SAML2DISABLED |
+----+----------+---------------+
1 row in set (0.00 sec)
UI Login Error: "Error 531: Failed to authenticate user samluser in domain 1; please provide valid credentials"
**Status: PASSED **
TC3: SAML SSO Login Fails When User Unauthorized
Objective
Verify that when SAML SSO authorization is disabled for a user, attempting to login via SAML SSO fails with an appropriate error message. This confirms that the SAML authorization check is working correctly.
Test Steps
- Ensure SAML IdP (Keycloak) is configured and working
- Disable SAML SSO for the test user using
authorizeSamlSso enable=false - Attempt login via CloudStack UI using "Single sign-on" option
- Authenticate with Keycloak (samluser/password123)
Expected Result:
- SAML authentication with IdP should succeed
- CloudStack should reject the login because user is not authorized for SAML SSO
- Error message should indicate user is not authorized
Actual Result:
- SAML authentication with Keycloak succeeded
- CloudStack rejected login with authorization error
Test Evidence:
(admin) 🐱 > authorizeSamlSso userid=13c22633-feff-4f9b-9b47-43319c8eb719 enable=false
{
"success": true
}
SSO Login Error:
<loginresponse cloud-stack-version="4.19.3.0-SNAPSHOT">
<errorcode>531</errorcode>
<errortext>Your authenticated user is not authorized for SAML Single Sign-On, please contact your administrator</errortext>
</loginresponse>
**Status: PASSED **
TC4: SAML SSO Login Works For Authorized Users
Objective
Verify that when SAML SSO authorization is enabled for a user with the correct IdP entity, the user can successfully login via SAML SSO. This confirms the baseline SAML functionality works correctly.
Test Steps
- Ensure SAML IdP (Keycloak) is configured and working
- Enable SAML SSO for the test user with specific IdP entity using
authorizeSamlSso enable=true entityid=<idp_url> - Attempt login via CloudStack UI using "Single sign-on" option
- Authenticate with Keycloak (samluser/password123)
Expected Result:
- SAML authentication with IdP should succeed
- CloudStack should accept the login and redirect to dashboard
- User should be logged in successfully
Actual Result:
- SAML authentication with Keycloak succeeded
- User redirected to CloudStack dashboard
- Dashboard shows "SAML TestUser" logged in
Test Evidence:
(admin) 🐱 > authorizeSamlSso userid=13c22633-feff-4f9b-9b47-43319c8eb719 enable=true entityid=http://10.0.35.115:8081/realms/cloudstack
{
"success": true
}
UI Login: Successfully logged in as "SAML TestUser" via SAML SSO
Event log shows: "26 Jan 2026 16:15:58 USER.LOGIN - samluser user has logged in from IP Address /10.0.3.251"
Screencast.from.2026-01-26.18-15-50.webm
**Status: PASSED **
9 participants
Description
After setting a user to login using SAML, and then disabling the login by SAML for the user, he cannot access the account anymore, neither by saml nor by username and password. So this PRs adds and verification to let a user with SAML authentication disabled login with username and password.
Types of changes
Bug Severity
How Has This Been Tested?
To test, i followed this process:
enable.login.saml.unathourizedset to true:enable.login.saml.unathourizedset to false: