The API keys of SAML-provisioned users remain active after the user has been deleted or suspended.
Steps to reproduce:
- (As Admin): Set up SAML SSO and use OneLogin as the SAML provider.
- Choose to automatically provision users and to automatically associate
- Enable "Edit Profile" for users so users are able to create API keys.
- (As SAML user): Log in to Artifactory and provision an API key.
- (As SAML user): Log out of Artifactory.
- (As SAML user): Test that API key works by making any API call to Artifactory using the provisioned API key.
- Disable the user in OneLogin.
- (As SAML user): Try to log into Artifactory through the web interface - User should not be allowed to log in.
- (As SAML user): Try to use the API key previously provisioned.
- The API key is still valid and the user still has access to Artifactory repositories even though the user has been disabled.
- The API key should be revoked and the user should either be disabled and/or removed from Artifactory.
The bug may not be within Artifactory itself, but rather with the OneLogin app developed to enable SAML SSO with OneLogin. When configuring the integration in OneLogin there is no "Provisioning" tab available as with other integrations (e.g. Office365). The provisioning tab allows the following options to be set: Create User, Delete User, Update User.
Delete User can be used when a user is removed from or suspended in OneLogin.
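Until the OneLogin app offers Delete User provisioning, an admin-side workaround is to reconcile the IdP user list against Artifactory and revoke the API keys of users that are suspended or gone at the IdP. The script below is an added example, not code from this report or from JFrog; it assumes the Artifactory admin endpoint `DELETE /api/security/apiKey/{username}`, and the IdP export format and status values are constructed for illustration.

```python
"""Revoke Artifactory API keys of SAML users disabled at the IdP.
Added example; assumes DELETE /api/security/apiKey/{username}
(admin-only Artifactory REST call) and a constructed IdP export."""
import base64
import json
import urllib.request

# Constructed sample export from the IdP after the "Disable the user"
# step. Field names and status codes are an assumption, not OneLogin's
# real schema: 1 = active, 0 = suspended.
IDP_USERS_JSON = json.dumps([
    {"username": "alice", "status": 1},
    {"username": "bob",   "status": 0},
    {"username": "carol", "status": 0},
])

# Constructed: users Artifactory currently lists as SAML-provisioned.
ARTIFACTORY_SAML_USERS = ["alice", "bob", "dave"]


def users_to_revoke(idp_users_json, artifactory_users):
    """Return SAML users still present in Artifactory that are suspended
    at the IdP or absent from its export (treated as deleted). These are
    the accounts whose API keys would otherwise outlive the user."""
    idp = {u["username"]: u["status"] for u in json.loads(idp_users_json)}
    return sorted(u for u in artifactory_users if idp.get(u, 0) == 0)


def revoke_api_key(base_url, username, admin_user, admin_password):
    """Revoke one user's API key via the admin REST endpoint.
    Returns the HTTP status code of the response."""
    token = base64.b64encode(
        f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/security/apiKey/{username}",
        method="DELETE",
        headers={"Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    for user in users_to_revoke(IDP_USERS_JSON, ARTIFACTORY_SAML_USERS):
        print("API key to revoke:", user)
        # Live call against a real instance (placeholder credentials):
        # revoke_api_key("https://artifactory.example.com/artifactory",
        #                user, "admin", "<admin-password>")
```

Run it from a scheduled job after each IdP export; revoking the key does not disable the Artifactory user, so pair it with your normal user-removal step.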