Red Hat 3scale API Management: THREESCALE-514

Admin portal SSO allows user to create an account with 3scale without receiving an invitation


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Major
    • None
    • 2.0 GA, SaaS
    • Documentation

      Configure the admin portal to integrate with RH SSO 7.1 and test the flow. Once successfully signed in, check the list of users for the new account.

      Sign out.

      Sign in via RH SSO with a different user (kill the previous session via RH SSO first); you will find the new user is signed in and an account has been created in 3scale. This should not be allowed.


      Admin portal SSO integration allows any user with the login URL to sign in to 3scale via RH SSO without an invitation. This was discovered when using the "Test the authentication flow" feature and it created a user in 3scale as a result.

      Additionally, this was attempted once the SSO feature was published, and again a user was created in 3scale as described above.

      Also, the fact that the invitation is not needed means that the admin portal is potentially open to buyer accounts being able to sign in via the SSO server. There is no distinction made at the IdP level if the same realm is used, and very few API providers will want to manage multiple realms; however, I suspect the fix is just to ensure an admin user can only create the account via the signup link.

              Assignee: Unassigned
              Reporter: Kevin Price (rhn-support-keprice)
              Votes: 3
              Watchers: 6

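The failure mode described in the report, as an added example that is not 3scale's own code (the class names, the in-memory user and invitation tables, and the claims Hash standing in for the RH SSO response are all assumptions): a minimal SSO callback in Ruby that provisions an unknown identity only when the request carries an unexpired, unused invitation token from the signup link whose e-mail matches the IdP's verified e-mail claim, shown next to the unconditional auto-provisioning the report describes. Rejected attempts are written to an audit list so an unexpected sign-in from a shared realm (for instance a buyer identity) is visible in review rather than silently turned into an admin user.

```ruby
# Added example, not 3scale code: contrasts the auto-provisioning behaviour the
# report describes with an invitation-gated SSO callback. All class, method and
# field names are hypothetical; IdP claims are stubbed as a plain Hash.
require 'time'

# An invitation issued by an admin through the signup link: single-use and
# time-limited, bound to the e-mail address the admin invited.
Invitation = Struct.new(:email, :token, :expires_at, :accepted_at) do
  def usable?(now)
    accepted_at.nil? && now < expires_at
  end
end

User = Struct.new(:email, :sso_subject)

# In-memory stand-in for a provider account's user and invitation tables.
class ProviderAccount
  attr_reader :users, :invitations, :audit_log

  def initialize
    @users = []
    @invitations = []
    @audit_log = []
  end

  def find_user_by_subject(sub)
    @users.find { |u| u.sso_subject == sub }
  end

  def find_invitation(token)
    @invitations.find { |i| i.token == token }
  end
end

# Behaviour described in the report: any identity the realm returns is signed
# in and, if unknown, a 3scale user is created on the spot.
class AutoProvisioningSsoCallback
  def initialize(account)
    @account = account
  end

  def call(claims, now: Time.now)
    user = @account.find_user_by_subject(claims['sub'])
    unless user
      user = User.new(claims['email'], claims['sub'])
      @account.users << user
    end
    [:signed_in, user]
  end
end

# Hardened variant: an unknown identity is provisioned only when the session
# carries an invitation token from the signup link that is still usable and
# was issued for the same e-mail the IdP asserts as verified. Everything else
# is rejected and recorded.
class InvitationGatedSsoCallback
  def initialize(account)
    @account = account
  end

  def call(claims, invitation_token: nil, now: Time.now)
    user = @account.find_user_by_subject(claims['sub'])
    return [:signed_in, user] if user # known user: plain SSO sign-in

    invitation = invitation_token && @account.find_invitation(invitation_token)
    return reject(:no_invitation, claims, now) unless invitation&.usable?(now)

    # The e-mail claim is the only link between the IdP identity and the
    # invitation, so it must be asserted as verified by the IdP and must match.
    email = claims['email'].to_s
    unless claims['email_verified'] == true && invitation.email.casecmp?(email)
      return reject(:email_mismatch, claims, now)
    end

    invitation.accepted_at = now # consume it: a second sign-in cannot reuse it
    user = User.new(email, claims['sub'])
    @account.users << user
    [:signed_in, user]
  end

  private

  def reject(reason, claims, now)
    @account.audit_log << { at: now.iso8601, reason: reason,
                            sub: claims['sub'], email: claims['email'] }
    [:rejected, reason]
  end
end
```

The token travels with the signup link and is held in the portal session until the IdP redirects back, which is why the callback takes it as a separate argument rather than reading it from the claims; the e-mail comparison is a second check, not a substitute for the token, since anyone in the realm can hold an address the admin never invited.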