Bug 1446704

Summary: Auth - External Auth - FreeIPA Disable local logins in black console should only work with SAML
Product: Red Hat CloudForms Management Engine Reporter: Matt Pusateri <mpusater>
Component: ApplianceAssignee: Joe Vlcek <jvlcek>
Status: CLOSED CURRENTRELEASE QA Contact: Antonin Pagac <apagac>
Severity: low Docs Contact:
Priority: medium    
Version: 5.8.0CC: abellott, dajohnso, jhardy, jvlcek, obarenbo, simaishi, smallamp
Target Milestone: GA   
Target Release: 5.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: auth:externalauth:freeipa:black
Fixed In Version: 5.10.0.14 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-18 17:29:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core Target Upstream Version:
Embargoed:

Description Matt Pusateri 2017-04-28 16:16:13 UTC 
Description of problem:

Disable local logins in black console should only work if SAML is enabled.  related to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1389122   

Version-Release number of selected component (if applicable):
5.8.0.12-rc1

How reproducible:


Steps to Reproduce:
1. Configure external auth for FreeIPA via black console. Option 11
2. Select Option 12 Update External Authentication Options
3. Select Option 3 Disable Local Logins.

Actual results:
Disabling of local logins gives successful message and if you navigate back into the external options, Option 3 is now Enable Local logins.  Fortunately local logins are not really disabled as you can still log into the web UI with Admin. Navigating to the Authentication page SAML is still unchecked, if you check SAML disable local logins is checked.

Expected results:
Black console should not let you disbable local logins or try to if SAML is not enabled. 

Additional info:

related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1389122
Comment 2 Joe Vlcek 2017-11-06 19:59:19 UTC 
I would argue that the observed behavior is acceptable.

If one uses the black console to disable local logins for SAML logins but 
SAML is not yet configured then local logins still works until SAML is configured.

Perhaps the Black Console should be reworded to state:

"Disable Local Logins When Using SAML"  but that is a minor nit so I'm setting the
severity of this BZ to LOW.
Comment 3 CFME Bot 2018-08-17 18:34:11 UTC 
https://github.com/ManageIQ/manageiq-appliance_console/pull/61
Comment 4 CFME Bot 2018-08-20 13:39:19 UTC 
New commit detected on ManageIQ/manageiq-appliance_console/master:

https://github.com/ManageIQ/manageiq-appliance_console/commit/19be318f0424213175c68f0ee4b5de51b28ddacf
commit 19be318f0424213175c68f0ee4b5de51b28ddacf
Author:     Joe VLcek <jvlcek>
AuthorDate: Fri Aug 17 14:19:04 2018 -0400
Commit:     Joe VLcek <jvlcek>
CommitDate: Fri Aug 17 14:19:04 2018 -0400

    Reword Local Login prompt to indicate it's for SAML or OIDC

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1446704

 lib/manageiq/appliance_console/external_auth_options.rb | 8 +-
 1 file changed, 4 insertions(+), 4 deletions(-)
Comment 6 Joe Vlcek 2018-08-23 17:00:06 UTC 
Moving back to POST.

https://github.com/ManageIQ/manageiq-appliance/pull/204#issuecomment-415492096
Comment 7 Antonin Pagac 2019-05-29 09:40:46 UTC 
Verified with 5.10.5.0 and 5.11.0.5.