SAML : 06 - Deactivated users can still log into SAML with certain configuration
- SAML is the ultimate source of truth for user information. If a user is deactivated in Tulip, but is still able to successfully authenticate with SAML, Tulip will automatically reactivate them and allow them to log in.
- In the self-serve SAML configuration the "Access Control" fields must be filled out to fully control Tulip access through SAML -- this means even deactivated users can still log in as long as they have the correct SAML attribute
To work around a bug with OpenAM, you must open the OpenAM interface at https://openam-ec2.tulipintra.net/openam/
in a new tab after every time you log out of Tulip with a SAML user. Refer to the Test Plan for more information.