Bug 1351859

Summary: Allow using aliases with RH SSO
Product: [Community] Bugzilla
Component: User Accounts
Version: 5.0
Status: CLOSED NEXTRELEASE
Severity: unspecified
Priority: unspecified
Reporter: Jeff Fearn 🐞 <jfearn>
Assignee: Jeff Fearn 🐞 <jfearn>
QA Contact: tools-bugs <tools-bugs>
CC: cbredesen, huiwang, mtahir, nphilipp, qgong
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 5.0.3.rh34
Doc Type: If docs needed, set a value
Last Closed: 2017-11-20 04:12:19 UTC
Type: Bug

Description Jeff Fearn 🐞 2016-07-01 04:58:56 UTC
Description of problem:
Currently when you log in via SAML, if there is no user account with a matching email address it will simply create a new account for you.

It should offer you the choice of selecting an existing account (password required) or creating a new account.

Comment 1 Chris Bredesen 2016-07-14 11:15:03 UTC
I definitely support this; folks at RHT will likely defer using SAML until they can preserve their existing account history. Would be great to see.

Comment 2 Jeff Fearn 🐞 2016-07-14 22:15:23 UTC
Note that it is possible to have your Bugzilla email address changed to your default email address, to maintain account history. Still not optimal of course.

Comment 3 Chris Bredesen 2016-07-15 12:21:34 UTC
Great to know; not sure if devops wants this level of operational burden though :)

Comment 4 Jeff Fearn 🐞 2016-07-17 22:01:01 UTC
(In reply to Chris Bredesen from comment #3)
> Great to know; not sure if devops wants this level of operational burden
> though :)

hehe I could automate it mwahahahahah

Comment 6 Jeff Fearn 🐞 2016-11-06 22:46:26 UTC
Unfortunately it appears that aliases are now being reallocated. This would mean that if someone with access to bugs that required elevated access left the company and someone else got the alias, that second user may then have inappropriate access to information.

Therefore, due to this security issue, we will not be allowing users to map Bugzilla accounts to aliases.

People wanting to use SSO will therefore either have to have a second account configured or will need to email bugzilla-requests and request for their current account to have its email changed to their LDAP user.

Currently we don't have access to MX records. If we did, we could change the email change restriction to allow users to change their email address to/from their LDAP email or a valid alias, which would remove the need to contact bz-req. Anyone wanting this should open a new bug and we will ask if we can have access to the MX records for this purpose.

Comment 7 Jeff Fearn 🐞 2016-12-08 22:56:37 UTC
w00t A unique field is being added to the user, so we will be able to do this once that field is in place.
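
Added example, not part of the original thread or of Bugzilla's code: a Python illustration of the alias-reallocation risk from comment 6 and the unique-field linking from comment 7, with the password-gated link the description asks for. `Account`, `Assertion`, `sso_uid` and the sample users are hypothetical, and the identity provider's unique id is assumed never to be reissued.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    email: str
    groups: frozenset
    sso_uid: Optional[str] = None   # hypothetical column holding the IdP's unique id

@dataclass(frozen=True)
class Assertion:                    # constructed stand-in for a parsed SAML assertion
    uid: str                        # assumed unique and never reissued
    addresses: tuple                # primary mail plus any aliases

def match_by_address(accounts, a):
    """Risky: any asserted address, alias included, selects an existing account."""
    return next((acc for acc in accounts if acc.email in a.addresses), None)

def match_by_uid(accounts, a):
    """Safer: only an account already bound to this uid is selected."""
    return next((acc for acc in accounts if acc.sso_uid == a.uid), None)

def bind_existing(account, a, password_ok):
    """One-time link of an existing account; needs its password and no other uid bound."""
    if not password_ok or account.sso_uid not in (None, a.uid):
        return False
    account.sso_uid = a.uid
    return True

def demo():
    # Constructed data: alice registered under the alias and can see private bugs.
    alice_acct = Account("al@example.com", frozenset({"private"}))
    accounts = [alice_acct]
    alice = Assertion("uid-1001", ("alice@example.com", "al@example.com"))
    bind_existing(alice_acct, alice, password_ok=True)
    # Alice leaves; the alias is reallocated to a new hire with a different uid.
    newhire = Assertion("uid-2002", ("bob@example.com", "al@example.com"))
    by_addr = match_by_address(accounts, newhire)   # alice's account, with her groups
    by_uid = match_by_uid(accounts, newhire)        # no match: a new account is created
    rebind = bind_existing(alice_acct, newhire, password_ok=False)
    return by_addr, by_uid, rebind

if __name__ == "__main__":
    print(demo())
```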

Comment 9 Jeff Fearn 🐞 2017-06-15 03:17:15 UTC
*** Bug 1459083 has been marked as a duplicate of this bug. ***

Comment 13 Jeff Fearn 🐞 2017-11-17 02:08:58 UTC
Works as advertised; however, it seems that users cannot update rhatPrimaryMail, so users wanting that updated will need to email service desk.

Comment 14 Jeff Fearn 🐞 2017-11-20 04:12:19 UTC
This bug has been fixed and is now deployed on the beta site.

https://beta-bugzilla.redhat.com/