
millions-train-91139

03/22/2023, 9:36 AM
After enabling SAML, I can still log in with password. Is this only because I’m admin?
Nope - our other non-admin users can still log in with password and circumvent SAML policies

limited-rainbow-51650

03/22/2023, 3:29 PM
Hello @millions-train-91139. I received your message via MJ internally. After setting up SAML SSO integration, did you also change the Membership Requirements to use SAML here:
https://app.pulumi.com/<your-org>/settings/access-management

millions-train-91139

03/22/2023, 3:30 PM
Yes
image.png

brainy-church-78120

03/22/2023, 3:32 PM
Enabling SAML SSO does not disable other sign-in methods. I think we have a feature issue in service-requests for this though, let me take a look

millions-train-91139

03/22/2023, 3:42 PM
What I did:
1. Enable SAML integration through Google Workspace
2. Log in with SAML
3. Get a message that my users are not connected
4. Go to Account Administration and link my user-password to my SAML provider for my org
5. Log in with SAML successfully
6. Tried to log in with password - worked
   a. I thought this was due to the fact that you allow admins only to have an alternative manner of logging in, but usually it is more explicit
   b. In Datadog they don't safeguard you - so I had to manually select to allow password authentication on myself
   c. On GitHub they give you login codes for disaster recovery
   d. So I was still optimistic
7. Then I added other users to SAML, they went through the similar process
8. And still were able to log in using GitHub or password
9. I said okay, maybe you also verify somehow with the SAML provider - far-fetched but I was optimistic
10. I moved some of the users out of the Engineering OU
11. And still they were able to log in! Even without being in the correct SAML OU

From a customer experience perspective, implementing SAML and marketing this as an Enterprise Plan but not implementing the basic feature that is the reason for people being interested in SAML in the first place is VERY misleading - we could have used GitHub SSO before that, so we actually got nothing from the current SAML feature.

My team is pretty small, so we were fine with Team edition, but we moved to Enterprise just for the SAML SSO feature since we are under high security scrutiny (working on our SOC2 in our first year since founding) - so not "too glad".

However, taking things into perspective, I'm sure that you will implement the correct SSO/SAML security guarantees in the near future (I hope - that issue has been open for more than a year and has only +2 on the votes!) - however I'm not too keen on paying for something with not much value.

The impact on my business is that if someone in my Org sets up "email-password" authentication, they will be able to log in even after leaving the company if we don't pay attention to the Pulumi roles of our engineering teams. Thanks, Sam
Also not sure if it was not edited - but the example in the issue calls the actor “Sam” 🤯

brainy-church-78120

03/22/2023, 3:44 PM
haha noticed that too, heh
For what it's worth, it's not possible to add email/password to an account unless it's the very first identity you add when you create your account. But I understand the rest of your feedback, and I'm sure @limited-rainbow-51650 will get it passed on to all the right people.

millions-train-91139

03/22/2023, 3:46 PM
Thanks for the quick response - In Pulumi I Trust
As a side note: not to be too dramatic, but I would label this as a security incident since customer-expected controls can be bypassed, and I hope it will get the right attention - maybe I should have disclosed it somewhere other than a Slack channel 😛
(In case you want to delete this thread - on the other hand there's an open GitHub issue on it)

limited-rainbow-51650

03/22/2023, 3:53 PM
I will definitely bring your write up to the right people on the team. This is valuable feedback.