Issue with Password Handling During JIT Provisioning in IS 7.0 with "Prompt for Password and Consent": User Unable to Log In with Provided Password Until Admin Reset #21094

Open
AfraHussaindeen opened this issue Sep 12, 2024 · 1 comment
@AfraHussaindeen
Contributor

Describe the issue:

In IS 7.0, when a user provides a password during the JIT provisioning flow (with the provisioning scheme set to "Prompt for password and consent"), the user is successfully provisioned. However, if the user tries to log in to the MyAccount portal using the provisioned local user account and the password provided during the JIT flow, the login fails. If the password is reset by the admin via the console, the user can successfully log in to MyAccount.

Steps to Reproduce:

  1. Log in to the IS console as an admin.
  2. Set up a Google federated authenticator and enable JIT provisioning with the provisioning scheme set to "Prompt for password and consent."
  3. Create an application configured to use the Google federated authenticator.
  4. Perform a login to the application.
  5. Observe that a password prompt is displayed.
  6. After successfully logging in, open an incognito window and try to log in to the MyAccount portal using the username and the provided password. Notice that the login fails.
  7. Go back to the console, navigate to the User Management section, and click on Users. Select the provisioned user and click on the Reset Password button.
  8. Try to log in to the MyAccount portal using the new password. Observe that the login is successful.

Expected Behavior:

The user should be able to log in to MyAccount with the password provided during the JIT provisioning flow without needing a password reset.

Actual Behavior:

The user cannot log in with the password provided during the JIT provisioning flow. A password reset is required for successful login.

Possible Cause:

A random password may still be set despite the user's input during JIT provisioning.

Optional Fields

Related issues:

Suggested labels:

@mpmadhavig mpmadhavig self-assigned this Sep 12, 2024
@mpmadhavig
Contributor

mpmadhavig commented Sep 12, 2024

Analysis

The root cause of this issue was that the password field sent from the FE is not named password. It was renamed to password2 in a later effort. This has led to the password field being null for the BE, and when the field is null it generates a random password for the user.

Fix:
Send a field called password in the request.
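
The failure mode from the analysis above, as an added example that is not code from this project or from either commenter: a handler that reads `password` and falls back to a random value when it is null, beside a stricter variant that rejects the request. All function names, the `promptsForPassword` flag and the request bodies are hypothetical and constructed for illustration.

```javascript
// Added illustration with hypothetical names; not WSO2 Identity Server code.
// Web Crypto is global in current Node; older releases expose it via require.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed request bodies: the form after the rename, and after the fix.
const renamedForm = { username: "alice", password2: "Corr3ct-horse" };
const fixedForm = { username: "alice", password: "Corr3ct-horse" };

function randomPassword() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Behaviour described in the analysis: a null "password" field silently
// falls back to a random password, so provisioning still succeeds.
function provisionLenient(form) {
  const supplied = form.password ?? null;
  return {
    username: form.username,
    password: supplied ?? randomPassword(), // plaintext only to keep the demo short
    userSupplied: supplied !== null,
  };
}

// Stricter variant (an assumption, not the project's fix): when the scheme
// prompts the user for a password, a missing field is rejected.
function provisionStrict(form, promptsForPassword) {
  const supplied = form.password ?? null;
  if (promptsForPassword && (typeof supplied !== "string" || supplied === "")) {
    throw new Error("provisioning request has no 'password' field");
  }
  return {
    username: form.username,
    password: supplied ?? randomPassword(),
    userSupplied: supplied !== null,
  };
}

// Stand-in for the later MyAccount login attempt.
function canLogin(account, attempt) {
  return account.password === attempt;
}
```

With the renamed field, the lenient handler provisions an account the user cannot log in to, while the strict one surfaces the field-name mismatch at provisioning time.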
