From a489d07bb0b9d0fb83c336637ca2d2c1e00c8d8e Mon Sep 17 00:00:00 2001 From: Vitor Hugo Homem Marzarotto Date: Wed, 14 May 2025 15:09:14 -0300 Subject: [PATCH 1/2] Fix check --- server/src/main/java/com/cloud/user/AccountManagerImpl.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java index 4e3a2e98564d..4dc2e1e532f4 100644 --- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java +++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java @@ -2723,7 +2723,7 @@ private UserAccount getUserAccount(String username, String password, Long domain for (UserAuthenticator authenticator : _userAuthenticators) { final String[] secretCodeArray = (String[])requestParameters.get(ApiConstants.SECRET_CODE); String secretCode = ((secretCodeArray == null) ? null : secretCodeArray[0]); - if (userSource != User.Source.UNKNOWN && secretCode == null) { + if (userSource != User.Source.UNKNOWN && userSource != User.Source.SAML2DISABLED && secretCode == null) { if (!authenticator.getName().equalsIgnoreCase(userSource.name())) { continue; } From a578d564b76bc5e23e86a18b15448dbada1c51c7 Mon Sep 17 00:00:00 2001 From: Vitor Hugo Homem Marzarotto Date: Tue, 3 Jun 2025 17:03:29 -0300 Subject: [PATCH 2/2] Adds configuration for behaviour, when SAML SSO is disabled for a user --- .../org/apache/cloudstack/saml/SAML2AuthManager.java | 3 +++ .../org/apache/cloudstack/saml/SAML2AuthManagerImpl.java | 9 +++++++-- .../src/main/java/com/cloud/user/AccountManagerImpl.java | 2 +- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManager.java b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManager.java index 523f694d80b2..e9e592408440 100644 --- a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManager.java +++ b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManager.java @@ -82,6 +82,9 @@ public interface SAML2AuthManager extends PluggableAPIAuthenticator, PluggableSe ConfigKey SAMLRequirePasswordLogin = new ConfigKey("Advanced", Boolean.class, "saml2.require.password", "true", "When enabled SAML2 will validate that the SAML login was performed with a password. If disabled, other forms of authentication are allowed (two-factor, certificate, etc) on the SAML Authentication Provider", true); + ConfigKey EnableLoginAfterSAMLDisable = new ConfigKey<>("Advanced", Boolean.class, "enable.login.saml.unathourized", "true", "When enabled, if SAML SSO is disabled, enables user to login with user and password, otherwise a user with SAML SSO disabled cannot login", true); + + SAMLProviderMetadata getSPMetadata(); SAMLProviderMetadata getIdPMetadata(String entityId); diff --git a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java index 92408141ef29..8d617a739be5 100644 --- a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java +++ b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java @@ -453,8 +453,13 @@ public boolean authorizeUser(Long userId, String entityId, boolean enable) { user.setExternalEntity(entityId); user.setSource(User.Source.SAML2); } else { + boolean enableLoginAfterSAMLDisable = SAML2AuthManager.EnableLoginAfterSAMLDisable.value(); if (user.getSource().equals(User.Source.SAML2)) { - user.setSource(User.Source.SAML2DISABLED); + if(enableLoginAfterSAMLDisable) { + user.setSource(User.Source.UNKNOWN); + } else { + user.setSource(User.Source.SAML2DISABLED); + } } else { return false; } @@ -543,6 +548,6 @@ public ConfigKey[] getConfigKeys() { SAMLCloudStackRedirectionUrl, SAMLUserAttributeName, SAMLIdentityProviderMetadataURL, SAMLDefaultIdentityProviderId, SAMLSignatureAlgorithm, SAMLAppendDomainSuffix, SAMLTimeout, SAMLCheckSignature, - SAMLForceAuthn, SAMLUserSessionKeyPathAttribute, SAMLRequirePasswordLogin}; + SAMLForceAuthn, SAMLUserSessionKeyPathAttribute, SAMLRequirePasswordLogin, EnableLoginAfterSAMLDisable}; } } diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java index 4dc2e1e532f4..4e3a2e98564d 100644 --- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java +++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java @@ -2723,7 +2723,7 @@ private UserAccount getUserAccount(String username, String password, Long domain for (UserAuthenticator authenticator : _userAuthenticators) { final String[] secretCodeArray = (String[])requestParameters.get(ApiConstants.SECRET_CODE); String secretCode = ((secretCodeArray == null) ? null : secretCodeArray[0]); - if (userSource != User.Source.UNKNOWN && userSource != User.Source.SAML2DISABLED && secretCode == null) { + if (userSource != User.Source.UNKNOWN && secretCode == null) { if (!authenticator.getName().equalsIgnoreCase(userSource.name())) { continue; }