SAML users replacing local user login.
Unless explicitly defined, we should not allow a SAML user to log in to MAS using a local user's userid.
The scenario is:
You have SAML configured.
userA is a local user.
userA is also a SAML user (in the company IDP) but not part of MAS.
userB is a SAML user in MAS.
1- The customer goes to the MAS login page and inputs the userB username;
2- MAS redirects the user to SAML;
3- The customer inputs credentials for userA instead of userB in the IDP login page;
4- The SAML assertion returns nameID userA, who in MAS is a local user only.
What should happen?
At step 4, the user should get a not-authorized message, since userA does not exist in MAS as a SAML user.
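The check expected at step 4, as an added example that is not MAS code: the NameID from the assertion is authorized only if it maps to a MAS user explicitly enabled for SAML. The user store, the assertion fragment and the function names are assumptions of this example, and signature validation of the SAML response is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed user store (assumption): each MAS user records which
# authentication mechanisms it has been explicitly enabled for.
USERS = {
    "userA": {"auth": {"local"}},          # local-only user from the scenario
    "userB": {"auth": {"saml"}},           # SAML user in MAS from the scenario
    "userC": {"auth": {"local", "saml"}},  # explicitly defined for both
}


def extract_name_id(assertion_xml: str) -> str:
    """Return the Subject NameID of a SAML 2.0 assertion (already signature-checked)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    return name_id.text.strip()


def authorize_saml_login(assertion_xml: str) -> tuple[bool, str]:
    """Step 4: map the asserted NameID to a MAS user and require SAML to be enabled for it."""
    name_id = extract_name_id(assertion_xml)
    user = USERS.get(name_id)
    if user is None:
        return False, f"not authorized: {name_id!r} is not a MAS user"
    # A local-only account must not be reachable through SAML unless explicitly defined.
    if "saml" not in user["auth"]:
        return False, f"not authorized: {name_id!r} is not a SAML user in MAS"
    return True, f"authorized: {name_id!r} via SAML"


def make_assertion(name_id: str) -> str:
    """Build a constructed, unsigned assertion fragment for the examples below."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        "</saml:Assertion>"
    )


if __name__ == "__main__":
    # The reported scenario: the IDP authenticated userA, who is local-only in MAS.
    print(authorize_saml_login(make_assertion("userA")))
    print(authorize_saml_login(make_assertion("userB")))
```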
Reference Link: https://www.ibm.com/mysupport/s/defect/aCI3p000000bm8C/dt196144?language=en_US