Artifactory Binary Repository / RTFACT-18387

API key for disabled OneLogin users remains active after the user has been deleted.


    Details

    • Type: New Feature
    • Status: Open
    • Priority: High
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: SAML SSO
    • Labels: None
    • Environment: Reproduced using Artifactory Cloud hosted on AWS.

      Description

      The API key of SAML-provisioned users remains active after the user has been deleted or suspended.

      Steps to reproduce:

      • (As Admin): Set up SAML SSO and use OneLogin as the SAML provider.
        • Choose to automatically provision users and to automatically associate
        • Enable "Edit Profile" for users so users are able to create API keys.
      • (As SAML user): Log in to Artifactory and provision an API key.
      • (As SAML user): Log out of Artifactory.
      • (As SAML user): Test that the API key works by making any API call to Artifactory using the provisioned API key.
      • Disable the user in OneLogin.
      • (As SAML user): Try to log in to Artifactory through the web interface; the user should not be allowed to log in.
      • (As SAML user): Try to use the API key previously provisioned.

      Current behaviour:

      • The API key is still valid and the user still has access to Artifactory repositories even though the user has been disabled.

      Expected behaviour:

      • The API key should be revoked and the user should either be disabled and/or removed from Artifactory.

      Additional details:
      The bug may not be within Artifactory itself, but rather with the OneLogin App developed to enable SAML SSO with OneLogin. When configuring the integrations in OneLogin there's no "Provisioning" tab available as with other integrations (i.e. Office365). On the provisioning tab it allows the following options to be set (Create User, Delete User, Update User).
      Delete User can be used when a user is removed from or suspended in OneLogin.
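      The expected behaviour above, revocation of the key once the IdP disables the user, does not happen on its own, so until it does a scheduled reconciliation job can close the gap from the Artifactory side. This is an added example, not code from the issue or from JFrog: it assumes two Artifactory REST endpoints, GET /api/security/users returning each user's "realm" and DELETE /api/security/apiKey/{username} for admin revocation (verify both against your version's REST API documentation), an admin access token, and a constructed export of the logins the IdP still reports as active.

```python
import urllib.request

# Constructed sample of what GET /api/security/users is assumed to return.
SAMPLE_ARTIFACTORY_USERS = [
    {"name": "admin", "realm": "internal"},
    {"name": "alice", "realm": "saml"},
    {"name": "bob", "realm": "saml"},  # disabled in the IdP, key still live
]
# Constructed export of the logins the IdP currently reports as active.
SAMPLE_IDP_ACTIVE = ["Alice"]


def stale_saml_users(artifactory_users, idp_active_logins):
    """SAML-realm users the IdP no longer lists as active; their keys must go.
    Internal users are never selected, so a bad export cannot lock out admins."""
    if not idp_active_logins:
        raise ValueError("empty IdP export: refusing to treat every SAML user as stale")
    active = {login.lower() for login in idp_active_logins}
    return sorted(
        u["name"] for u in artifactory_users
        if u.get("realm", "").lower() == "saml" and u["name"].lower() not in active
    )


def revoke_url(base_url, username):
    """Assumed admin revocation endpoint; base_url is the .../artifactory root."""
    return f"{base_url.rstrip('/')}/api/security/apiKey/{username}"


def revoke_api_keys(base_url, usernames, admin_token, dry_run=True):
    """Revoke each listed user's key. Returns {user: planned URL} in dry-run mode
    (the default) or {user: HTTP status} once run for real with an admin token."""
    results = {}
    for user in usernames:
        url = revoke_url(base_url, user)
        if dry_run:
            results[user] = url
            continue
        req = urllib.request.Request(
            url, method="DELETE", headers={"Authorization": f"Bearer {admin_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            results[user] = resp.status
    return results


if __name__ == "__main__":
    stale = stale_saml_users(SAMPLE_ARTIFACTORY_USERS, SAMPLE_IDP_ACTIVE)
    plan = revoke_api_keys("https://artifactory.example/artifactory", stale, "TOKEN_PLACEHOLDER")
    print(plan)  # {'bob': 'https://artifactory.example/artifactory/api/security/apiKey/bob'}
```

Run it dry first and compare the plan against the IdP's own record of disabled users before switching dry_run off; the job only revokes keys, so disabling or deleting the stale Artifactory accounts themselves remains a separate step.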

      People

      Assignee: Unassigned
      Reporter: jstuart (JD Stuart)