# pulumi-cloud
m
Nope - our other non admin users can still log in with password and circumvent SAML policies
l
Hello @millions-train-91139. I received your message via MJ internally. After setting up SAML SSO integration, did you also change the Membership Requirements to use SAML here:
https://app.pulumi.com/<your-org>/settings/access-management
m
Yes
b
Enabling SAML SSO does not disable other sign-in methods. I think we have a feature issue in service-requests for this though, let me take a look.
m
What I did:
1. Enable SAML integration through Google Workspace
2. Log in with SAML
3. Get a message that my users are not connected
4. Go to Account Administration and link my user-password to my SAML provider for my org
5. Log in with SAML successfully
6. Tried to log in with password - worked
   a. I thought this was due to the fact that you allow Admins only to have an alternative manner of logging in, but usually it is more explicit
   b. In Datadog they don’t safeguard you - so I had to manually select to allow password authentication on myself
   c. On GitHub they give you login codes for disaster recovery
   d. So I was still optimistic
7. Then I added other users to SAML, they went through the similar process
8. And still were able to log in using GitHub or password
9. I said okay, maybe you also verify somehow with the SAML provider - far fetched but I was optimistic
10. I moved some of the users out of the Engineering OU
11. And still they were able to log in! Even without being in the correct SAML OU

From a customer experience perspective, implementing SAML and marketing this as an Enterprise Plan but not implementing the basic feature that is the reason for people being interested in SAML in the first place is VERY misleading - we could have used GitHub SSO before that, so we actually got nothing from the current SAML feature.

My team is pretty small, so we were fine with Team edition, but we moved to Enterprise just for the SAML SSO feature since we are under high security scrutiny (working on our SOC2 in our first year since founding) - so not “too glad”. However, taking things into perspective, I’m sure that you will implement the correct SSO/SAML security guarantees in the near future (I hope - that issue is open for more than a year and only +2 on the votes!) - however I’m not too keen on paying for something with not much value.
The impact on my business is that if someone in my Org sets up an “email-password” authentication, they will be able to log in even after leaving the company if we don’t pay attention to the Pulumi roles of our engineering teams. Thanks, Sam
šŸ‘šŸ¼ 1
šŸ‘šŸ» 1
Also not sure if it was not edited - but the example in the issue calls the actor “Sam” 🤯
b
haha noticed that too, heh
For what it’s worth, it’s not possible to add email/password to an account unless it’s the very first identity you add when you create your account. But I understand the rest of your feedback, and I’m sure @limited-rainbow-51650 will get it passed on to all the right people.
m
Thanks for the quick response - In Pulumi I Trust
As a sidenote: Not to be too dramatic, but I would label this as a security incident since customer expected controls can be bypassed and I hope it will get the right attention - Maybe should have disclosed it not on a slack channel 😛
(In case you want to delete this thread - on the other hand there’s an open GitHub issue on it)
l
I will definitely bring your write up to the right people on the team. This is valuable feedback.
šŸ™ 1