[QB-3764] New SSO accounts can't authenticate with a security provider like ldap
Status: | Resolved |
Project: | QuickBuild |
Component/s: | None |
Affects Version/s: | 11.0.7 |
Fix Version/s: | 12.0.0 |
Type: | Improvement | Priority: | Major |
Reporter: | Thrasys Admin | Assigned To: | Robin Shen |
Resolution: | Fixed | Votes: | 0 |
Remaining Estimate: | Unknown | Time Spent: | Unknown |
Original Estimate: | Unknown |
Description |
If the first time a user logs in is with SSO, and then SSO is down, the users can't log in with a fallback security provider like LDAP. That is, the user doesn't click SSO but enters their username/password. They can't authenticate to ldaps. It would be nice to offer an option or try to use a security provider, kind of like when a user isn't found, QB tries all security providers. Maybe something like: if user created by SSO and logging in with user/password, try all security providers. |
Comments |
Comment by Thrasys Admin [ 23/Jul/21 08:36 PM ] |
Or allow setting an auth/security provider to use in SSO configuration for fall back. |
Comment by Thrasys Admin [ 02/Aug/21 04:54 PM ] |
As a workaround until this issue is resolved, I created a script to run daily to set setAuthenticator on all users.
```groovy
groovy:
com.pmease.quickbuild.persistence.SessionManager.openSession();
try {
    def userMgr = com.pmease.quickbuild.entitymanager.UserManager.instance;
    for (usr in userMgr.getAll()) {
        if (usr.getName().endsWith("@<our domain>")) {
            // don't want to set local accounts just those created by SSO
            if (usr.getAuthenticator() == null) {
                logger.info("Updating Authenticator for User:" + usr.getName());
                usr.setAuthenticator("AzureAD-DS");
                userMgr.save(usr);
            } else {
                logger.info("Authenticator already set User:" + usr.getName());
            }
        } else {
            logger.info("Skipping User:" + usr.getName());
        }
    }
} finally {
    com.pmease.quickbuild.persistence.SessionManager.closeSession();
}
```
Comment by ChangSeop LEE [ 25/Jan/23 07:26 AM ] |
I think this query changed the login procedure, the "authenticate" function, to call the "findByAccessToken" function before authenticating with authenticators.
From my perspective, I need to update the group list the user belongs to whenever a user logs in. However, this modification finishes the "authenticate" function before updating the group list. As QuickBuild changed to check all authenticators in case some of them are down, how about moving the call to the "findByAccessToken" function to the end of the "authenticate" function instead of the beginning? I also needed a modification that authenticates users with saved IDs and passwords when all registered authenticators are out of service. |
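
The fallback proposed in the description, together with the group refresh the last comment asks for, modelled as an added Python example. It is not QuickBuild's code and not part of any comment above; `Provider`, `Account`, `login` and the sample data are hypothetical. An unreachable provider is reported separately from rejected credentials, so an outage can never count as a successful login.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

class ProviderUnavailable(Exception):
    """The provider could not be reached; not the same as rejected credentials."""

@dataclass
class Provider:  # hypothetical stand-in for a configured security provider
    name: str
    users: dict  # constructed sample data: username -> (password, [groups])
    up: bool = True

    def authenticate(self, username, password):
        """Return the user's groups, None if rejected; raise if unreachable."""
        if not self.up:
            raise ProviderUnavailable(self.name)
        entry = self.users.get(username)
        # Stands in for a directory bind; the plaintext is constructed sample data.
        if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
            return None
        return list(entry[1])

@dataclass
class Account:
    name: str
    authenticator: Optional[str] = None  # None models an account created by SSO
    groups: list = field(default_factory=list)

def login(account, password, providers):
    """Password login; returns (ok, detail): provider name, 'rejected' or 'unavailable:...'."""
    if account.authenticator is None:
        candidates = list(providers)  # proposal in the description: try them all
    else:
        candidates = [p for p in providers if p.name == account.authenticator]
    outages = []
    for provider in candidates:
        try:
            groups = provider.authenticate(account.name, password)
        except ProviderUnavailable:
            outages.append(provider.name)  # an outage is never treated as success
            continue
        if groups is not None:
            account.groups = groups  # refresh membership on every successful login
            return True, provider.name
    if outages:
        return False, "unavailable:" + ",".join(outages)
    return False, "rejected"
```
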