QA-T176

SAML : 06 - Deactivated users can still log into SAML with certain configuration

OBJECTIVE
  • SAML is the ultimate source of truth for user information. If a user is deactivated in Tulip, but is still able to successfully authenticate with SAML, Tulip will automatically reactivate them and allow them to log in.
PRECONDITION
  1. In the self-serve SAML configuration the "Access Control" fields must be filled out to fully control Tulip access through SAML -- this means even deactivated users can still log in as long as they have the correct SAML attribute

To work around a bug with OpenAM, you must open the OpenAM interface at https://openam-ec2.tulipintra.net/openam/ in a new tab after every time you log out of Tulip with a SAML user. Refer to the Test Plan for more information.

Covers

overview
models
urs