@jmumby opened this Issue on January 8th 2023

Some changes made in admin ask for a password. This is the Matomo super user password not SAML password.

Summary

When a user makes some changes in admin, the UI prompts for a password to confirm the change. It is expected that this is the same as the one used in LoginSAML, but it is in fact the Matomo password. They will then attempt to change their password after contacting support, only to find that the password reset also requires the original password. They then cannot access the password reset feature without logging out, or even then do not have access, as Matomo is configured to not show the standard login.

Maybe this could be a general setting not to ask for password confirmation for all login types?

@bx80 commented on January 8th 2023 Contributor

Nice summary @jmumby :+1:

Another possible solution could be to allow the prompt for password check to be overridden by plugins, so the LoginSAML could handle the check using the expected user SAML password.

I'll assign this issue for prioritisation.

@sgiehl commented on January 9th 2023 Member

@jmumby This needs to be created as an issue of the plugin. Core already provides a possibility to overwrite/disable the password confirmations. In addition, that password check uses the PasswordVerifier class to check if the password is correct. That one can be overwritten by a plugin to perform custom password checks.

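As an added illustration of the core mechanism mentioned above (this is not code from Matomo core or from the LoginSAML plugin): a small plugin that listens for the `Login.userRequiresPasswordConfirmation` event and switches the confirmation prompt off only for sessions that were established through SSO. The event name and signature are taken from Matomo 4.x as I understand it, and the `authenticatedViaSso` session flag is an assumed marker that the SSO plugin would have to set; verify both against your installed versions.

```php
<?php
// Added example, not part of Matomo core or the LoginSAML plugin.
// Assumes Matomo 4.x, where core posts the event
// 'Login.userRequiresPasswordConfirmation' with a by-reference bool
// before showing the "confirm your password" prompt.
namespace Piwik\Plugins\SsoNoConfirm;

use Piwik\Plugin;
use Piwik\Session\SessionNamespace;

class SsoNoConfirm extends Plugin
{
    public function registerEvents()
    {
        return [
            'Login.userRequiresPasswordConfirmation' => 'skipConfirmationForSsoUsers',
        ];
    }

    /**
     * Core calls this with $requiresPasswordConfirmation = true.
     * Setting it to false suppresses the prompt for this request only.
     * The check is deliberately narrow: users who logged in with a local
     * Matomo password keep the confirmation step.
     *
     * @param bool   $requiresPasswordConfirmation passed by reference by core
     * @param string $login                        login of the current user
     */
    public function skipConfirmationForSsoUsers(&$requiresPasswordConfirmation, $login)
    {
        if ($this->isSsoSession()) {
            $requiresPasswordConfirmation = false;
        }
    }

    private function isSsoSession()
    {
        // Assumption: the SSO plugin stores a flag in its own session
        // namespace when it authenticates a user. The namespace and key
        // names here are placeholders to adapt to the real plugin.
        $session = new SessionNamespace('SsoNoConfirm');
        return !empty($session->authenticatedViaSso);
    }
}
```

Disabling the prompt removes a step-up check, so keeping the condition tied to how the session was authenticated (rather than disabling it globally) limits the change to the users the issue describes.
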
@AltamashShaikh commented on January 9th 2023 Contributor

@jmumby With the release of version 4.3.0 of the SAML plugin this is supported. Refer to this FAQ.

This Issue was closed on January 9th 2023