erikbocks commented on PR #10868: URL: https://github.com/apache/cloudstack/pull/10868#issuecomment-3646645779
Hello, @DaanHoogland and @weizhouapache

> @vits-hugs, do you still want to move this forwards? It needs addressing @weizhouapache's comments and a test/review.

Yes, I think we can move this PR forward. I will take care of it on behalf of Vitor.

> if the SAML user is disabled, should we allow it to log into cloudstack?

It's not the SAML user that is disabled, but the possibility of logging in with SAML SSO. As an example, let's say the user used to log in with their own ACS credentials (username and password), and then SAML authentication was added to the environment by the operators. If, after a while, the operators decide to remove the SAML authentication from the environment, the user cannot log in anymore, neither with SAML (as it was removed), nor with their credentials. Thus, this PR allows users in these scenarios to log in with their credentials again, even if their SAML login was disabled. If the operator wishes to actually disable the user, they should use `lockUser` or `disableUser` instead.

> what the default value of new global settings should be?

Personally, I think that the default value for the configuration should be `true`, as it doesn't make sense to disable all access when a dedicated API for it already exists, and the intuitive behavior would be to return to the state before it was enabled in the first place. However, I also understand that this PR implements a sensitive change and it could take operators by surprise. Therefore, I propose the change of the default value to `false` and letting operators decide whether they want it to be possible or not.

What do you think about it? @DaanHoogland @weizhouapache
