Remove password validation for SAML users #20171

Closed
jmumby opened this issue Jan 8, 2023 · 3 comments
Labels
answered: For when a question was asked and we referred to forum or answered it.
c: Usability: For issues that let users achieve a defined goal more effectively or efficiently.
Enhancement: For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.

Comments


jmumby commented Jan 8, 2023

Some changes made in admin ask for a password. This is the Matomo super user password, not the SAML password.

Summary

When a user makes some changes in admin, the UI prompts for a password to confirm this change. It is expected this is the same as that used in LoginSAML, but it is in fact the Matomo password. They will then attempt to change their password after contacting support, only to find the password reset also requires the original password. They then cannot access the password reset feature without logging out, or even then do not have access, as Matomo is configured to not show the standard login.

Maybe this could be a general setting not to ask for password confirmation for all login types?

jmumby added the Enhancement and To Triage (an issue awaiting triage by a Matomo core team member) labels Jan 8, 2023
Contributor

bx80 commented Jan 8, 2023

Nice summary @jmumby 👍

Another possible solution could be to allow the prompt for password check to be overridden by plugins, so the LoginSAML could handle the check using the expected user SAML password.

I'll assign this issue for prioritisation.

bx80 added this to the For Prioritization milestone Jan 8, 2023
bx80 added the c: Usability label and removed the To Triage label Jan 8, 2023
Member

sgiehl commented Jan 9, 2023

@jmumby This needs to be created as an issue of the plugin. Core already provides a possibility to overwrite/disable the password confirmations. In addition, that password check uses the PasswordVerifier class, to check if the password is correct. That one can be overwritten by a plugin, to perform custom password checks.

sgiehl closed this as completed Jan 9, 2023
@AltamashShaikh
Contributor

@jmumby With the release of version 4.3.0 of the SAML plugin this is supported. Refer to this FAQ.

justinvelluppillai added the answered label Jan 12, 2023
5 participants