SSO prevents login when 2F is required but the user doesn't have the 2F feature available
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Confirmed | High | Unassigned |
Bug Description
After a user got his accounts merged, he lost the ability to log in to any site, because he had 2F enabled on his account and set to be required for all sites. As a side effect of the merge, his LP account got severed from his SSO account, therefore causing SSO team membership verification to fail.
Since SSO uses team membership to enable/disable the 2F feature, it was failing to present the user with the 2F aspects during login. Since his account required 2F for all sites, he couldn't log in to any site.
This issue was fixed by:
1. Disabling 2F on his account temporarily so he could log in to LP.
2. The user logged in to LP, which caused his LP<->SSO link to be re-established.
3. The user re-enabled 2F for all sites on his SSO profile.
4. The user confirmed he could still log in to sites and 2F was again working.
Nevertheless, SSO should not block logins (even if they require 2F) if the 2F feature is disabled for a user; this still needs to be fixed properly in SSO.
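The failure mode in the description comes from two independent inputs being coupled in one decision: the per-user "2F required" preference, and a feature gate that is derived from Launchpad team membership (and therefore from the LP<->SSO link). When the gate reads "off" while the preference reads "required", no valid outcome is left and the login is blocked. The model below is an added example written for this page, not Canonical SSO's code; the team name, field names and the `login_decision_*` functions are assumptions used to illustrate the reported behaviour and one hardened alternative, in which the gate only controls enrollment and an already-enrolled user is always challenged.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                 # password accepted, no second factor asked
    CHALLENGE_2F = "challenge_2f"   # prompt for OTP / YubiKey
    BLOCKED = "blocked"             # login cannot complete at all


@dataclass
class User:
    name: str
    requires_2f: bool = False                    # "2F required for all sites"
    devices: list = field(default_factory=list)  # enrolled authentication devices
    lp_linked: bool = True                       # LP<->SSO account link intact?
    lp_teams: set = field(default_factory=set)   # Launchpad team memberships


TWOF_TEAM = "sso-2f-testers"   # team that gates the 2F feature (named on this page)


def twof_feature_enabled(user):
    """Feature gate as the report describes it: SSO verifies team membership
    through the LP link, so a severed link reads as 'feature disabled'."""
    return user.lp_linked and TWOF_TEAM in user.lp_teams


def can_see_auth_devices_tab(user):
    """Enrollment UI follows the feature gate (matches the later comment)."""
    return twof_feature_enabled(user)


def login_decision_buggy(user):
    """Reproduces the reported failure: the challenge is skipped when the
    gate is off, but 'required' is still enforced, so the user is locked out."""
    if not user.requires_2f:
        return Decision.ALLOW
    if twof_feature_enabled(user):
        return Decision.CHALLENGE_2F
    return Decision.BLOCKED


def login_decision_fixed(user):
    """Hypothetical hardened variant, not the fix SSO shipped: the user's own
    preference and enrolled devices decide whether to challenge. The feature
    gate only controls enrollment, so a broken LP link can neither lock the
    user out nor silently bypass a second factor that is already set up."""
    if not user.requires_2f:
        return Decision.ALLOW
    if user.devices:
        return Decision.CHALLENGE_2F
    # 'Required' with nothing enrolled is unsatisfiable; fall back to password
    # only rather than locking out, as the report asks. Audit this in practice.
    return Decision.ALLOW


def reproduce_report():
    """Walk the scenario from the bug description and return each step's outcome
    as (buggy, fixed) pairs. The user data is constructed for this example."""
    u = User("reporter", requires_2f=True, devices=["yubikey"],
             lp_linked=True, lp_teams={TWOF_TEAM})
    out = {}
    out["before_merge"] = (login_decision_buggy(u), login_decision_fixed(u))
    u.lp_linked = False            # side effect of the account merge
    out["after_merge"] = (login_decision_buggy(u), login_decision_fixed(u))
    u.requires_2f = False          # workaround step 1: disable 2F temporarily
    out["step1"] = login_decision_buggy(u)
    u.lp_linked = True             # step 2: logging in to LP restores the link
    u.requires_2f = True           # step 3: re-enable 2F
    out["step3"] = (login_decision_buggy(u), login_decision_fixed(u))
    return out


if __name__ == "__main__":
    for step, result in reproduce_report().items():
        print(step, result)
```

Running the walk-through shows the buggy decision going from CHALLENGE_2F to BLOCKED the moment the link is severed, while the hardened variant keeps challenging because the user still has a device enrolled. The trade-off to be explicit about: the reporter's request is that a disabled feature should not block login, which is fail-open; challenging on enrolled devices regardless of the gate avoids both the lockout and the bypass, and only the no-device case needs a policy decision.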
tags: added: canonical-webops-sso
Changed in canonical-identity-provider:
status: New → Confirmed
Changed in canonical-identity-provider:
importance: Undecided → High
Changed in canonical-identity-provider:
status: Confirmed → Incomplete
status: Incomplete → Fix Committed
status: Fix Committed → Fix Released
Changed in canonical-identity-provider:
status: Fix Released → Confirmed
I hit something very similar to this today. Logging in to Ubuntu SSO via a private browser window to log in to Launchpad, I get a 2FA requirement. My 2FA was previously connected to my YubiKey and my now-defunct @canonical.com address. Fortunately I was able to dig up my old YubiKey that I used for authentication back in the day.
Logging directly into login.ubuntu.com also requires 2FA, but does not show the "Authentication Devices" tab for configuration.
Once I was added to https://launchpad.net/~sso-2f-testers, I can now see the Authentication Devices tab and configure 2FA. I hope this additional info helps someone else.