QA-T176
SAML : 06 - Deactivated users can still log into SAML with IdP Control Mode
OBJECTIVE
- When IdP Control Mode is enabled, SAML is the ultimate source of truth for user information. If a user is deactivated in Tulip, but is still able to successfully authenticate with SAML, Tulip will automatically reactivate them and allow them to log in.
PRECONDITION
- In the self-serve SAML configuration, the "Attribute Update Behavior" section must be set to "IdP Control Mode" to fully control Tulip access through SAML. This means even deactivated users can still log in as long as they have the correct SAML attribute.
To work around a bug with OpenAM, you must open the OpenAM interface at https://openam-ec2.tulipintra.net/openam/ in a new tab every time you log out of Tulip with a SAML user. Refer to the Test Plan for more information.
Covers