Bug 1440229

Summary: External Auth - SAML - Disabling local logins via appliance console, doesn't invalidate default admin session
Product: Red Hat CloudForms Management Engine
Reporter: Matt Pusateri <mpusater>
Component: Appliance
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED WONTFIX
QA Contact: Mike Shriver <mshriver>
Severity: high
Docs Contact:
Priority: medium
Version: 5.6.0
CC: abellott, dajohnso, jhardy, jvlcek, obarenbo
Target Milestone: GA
Target Release: cfme-future
Hardware: Unspecified
OS: Unspecified
Whiteboard: auth:externalauth:saml:security
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-08-22 20:24:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:

Description Matt Pusateri 2017-04-07 15:35:23 UTC
Description of problem:
External Auth - SAML - Disabling local logins via appliance console, doesn't invalidate default admin session. If the default admin user is logged in, and you then disable local logins via the appliance console, the session for the admin user is not expired.

Version-Release number of selected component (if applicable):
5.6.4.2, 5.7.2, 5.8.0

How reproducible:


Steps to Reproduce:
1. Configure SAML, leave "disable local logins" unchecked
2. Log in with default DB user of Admin
3. Change "disable local logins" to true either via web UI console or appliance_console.
4. Admin user session from step 2 is still active.

Actual results:
Admin user session is still active

Expected results:
Admin user session should be expired as it's a local login that should be disabled. 

Additional info:

Comment 2 Matt Pusateri 2018-02-01 20:49:41 UTC
Still valid in 5.8.3.2

Comment 4 Joe Vlcek 2018-08-22 20:24:59 UTC
Disable/Enable Local Logins implies, and only affects, future logins.
The wording could be updated to include the word "future" but that seems unnecessary.
Invalidating existing sessions, although possibly the technically accurate thing
to do given the current wording, would be unnecessarily complicated for the given result.

Closing WONTFIX.
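
The two designs discussed in this bug, a login-time gate only (the reproduction steps in the description, and the "future logins" reading in Comment 4) versus treating a live local session as invalid once the setting flips, are easy to compare in a toy model. The Ruby below is an added illustration, not CloudForms/ManageIQ code; the `AuthSettings`, `SessionStore` and `Session` names, the `:local`/`:saml` authenticator labels and the demo users are assumptions made for the example. It walks steps 1-4 of the report against a naive lookup (which keeps honouring the admin session, the reported behaviour), a per-request revalidation, and an explicit revocation hook fired when the setting changes; SAML sessions are unaffected in every variant, and a fresh local login after the toggle is refused by all of them.

```ruby
# Added example, not CloudForms/ManageIQ code: a toy session store that
# contrasts gating local logins only at login time (the behaviour the
# report describes) with re-checking the setting on every request and
# revoking live local sessions when the setting flips.
require 'securerandom'

class AuthSettings
  attr_reader :local_logins_disabled

  def initialize
    @local_logins_disabled = false
    @listeners = []
  end

  # Register a callback fired whenever the setting changes.
  def on_change(&blk)
    @listeners << blk
  end

  def local_logins_disabled=(value)
    @local_logins_disabled = value
    @listeners.each { |l| l.call(value) }
  end
end

# Assumed session record: id, user name, which authenticator issued it,
# and an explicit revocation flag.
Session = Struct.new(:id, :user, :auth_source, :revoked)

class SessionStore
  # revoke_on_disable: false reproduces the reported behaviour; true wires
  # the setting change to an explicit revocation of local sessions.
  def initialize(settings, revoke_on_disable:)
    @settings = settings
    @sessions = {}
    settings.on_change { |disabled| revoke_local_sessions! if disabled } if revoke_on_disable
  end

  # Login-time gate: the only enforcement point the report describes.
  def login(user, auth_source)
    if auth_source == :local && @settings.local_logins_disabled
      raise ArgumentError, "local logins are disabled"
    end
    s = Session.new(SecureRandom.hex(8), user, auth_source, false)
    @sessions[s.id] = s
    s.id
  end

  # Naive lookup: only existence and explicit revocation are checked, so
  # an admin session opened before the toggle keeps working.
  def current_user_naive(session_id)
    s = @sessions[session_id]
    s && !s.revoked ? s.user : nil
  end

  # Per-request revalidation: a local session stops resolving to a user
  # as soon as local logins are disabled, with no extra bookkeeping.
  def current_user(session_id)
    s = @sessions[session_id]
    return nil if s.nil? || s.revoked
    return nil if s.auth_source == :local && @settings.local_logins_disabled
    s.user
  end

  def revoke_local_sessions!
    @sessions.each_value { |s| s.revoked = true if s.auth_source == :local }
  end

  def revoked?(session_id)
    @sessions.fetch(session_id).revoked
  end

  # Walk the report's steps 1-4 against both models and return what each sees.
  def self.demo
    results = {}

    settings = AuthSettings.new
    store = SessionStore.new(settings, revoke_on_disable: false)
    admin_sid = store.login("admin", :local)   # step 2: local DB admin login
    saml_sid  = store.login("alice", :saml)    # constructed SAML-backed user
    settings.local_logins_disabled = true      # step 3: flip the setting

    results[:naive_admin]  = store.current_user_naive(admin_sid)  # "admin": the bug
    results[:strict_admin] = store.current_user(admin_sid)        # nil
    results[:saml_user]    = store.current_user(saml_sid)         # "alice": SAML unaffected
    results[:new_local_login_refused] =
      begin
        store.login("admin", :local)
        false
      rescue ArgumentError
        true
      end

    # Same scenario with the revocation hook wired in: even the naive
    # lookup now rejects the pre-existing admin session.
    settings2 = AuthSettings.new
    store2 = SessionStore.new(settings2, revoke_on_disable: true)
    admin2 = store2.login("admin", :local)
    settings2.local_logins_disabled = true
    results[:revoked_by_hook] = store2.revoked?(admin2) && store2.current_user_naive(admin2).nil?

    results
  end
end

puts SessionStore.demo.inspect if $PROGRAM_NAME == __FILE__
```

The per-request check is the cheaper of the two hardened variants, since it needs no enumeration of live sessions and also covers sessions restored from a cache or a second appliance; the revocation hook is the one to reach for when the session layer cannot see the authenticator that issued a session at lookup time.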