History | Log In     View a printable version of the current page.  
Issue Details (XML | Word | Printable)

Key: QB-3764
Type: Improvement Improvement
Status: Resolved Resolved
Resolution: Fixed
Priority: Major Major
Assignee: Robin Shen
Reporter: Thrasys Admin
Votes: 0
Watchers: 1

If you were logged in you would be able to see more operations.

New SSO accounts can't authenticate with a security provider like ldap

Created: 23/Jul/21 08:30 PM   Updated: 25/Jan/23 07:26 AM
Component/s: None
Affects Version/s: 11.0.7
Fix Version/s: 12.0.0

Original Estimate: Unknown Remaining Estimate: Unknown Time Spent: Unknown

 Description  « Hide
If the first time a user logs in is with SSO.
And then SSO is down, the users can't login with a fall back security provider like LDAP.
That is the user doesn't click SSO but enters there username/password.
They can't authenticate to ldaps.

It would be nice to offer an option or try to use a security provider kind of like when a user isn't found,
QB tries all security provider.

Maybe something like:
if user created by SSO and logging in with user/password, try all security providers.

 All   Comments   Work Log   Change History      Sort Order:
Thrasys Admin [23/Jul/21 08:36 PM]
Or allow setting an auth/security provider to use in SSO configuration for fall back.

Thrasys Admin [02/Aug/21 04:54 PM]
As a workaround until this issue is resolved. I created a script to run daily to set setAuthenticator on all users.


try {
def userMgr = com.pmease.quickbuild.entitymanager.UserManager.instance;

for (usr in userMgr.getAll()) {

if (usr.getName().endsWith("@<our domain>") ) { // don't want to set local accounts just those created by SSO
if (usr.getAuthenticator() == null) {
logger.info("Updating Authenticator for User:" + usr.getName());
} else {
logger.info("Authenticator already set User:" + usr.getName());
} else {
logger.info("Skipping User:" + usr.getName());

} finally {

ChangSeop LEE [25/Jan/23 07:26 AM]
I think this query changed the login procedure, the "authenticate" function, to call the "findByAccessToken" function before authenticating with authenticators.

From my perspective, I need to update the group list user belongs to whenever a user logs in.
However, this modification finishes the "authenticate" function before updating the group list.

As QuickBuild changed to check all authenticators in case some of them are down(QB-3836),
How about moving the calling of the "findByAccessToken" function to the end of the "authenticate" function instead of the beginning?

I also needed a modification that authenticates users with saved IDs and passwords when all registered authenticators are out of service.