SSO prevents login when 2F is required but the user doesn't have the 2F feature available

Bug #1073074 reported by Ricardo Kirkner
Affects                 Status     Importance  Assigned to  Milestone
Canonical SSO provider  Confirmed  High        Unassigned

Bug Description

After a user got his accounts merged, he lost the ability to log in to any site, because he had 2F enabled on his account and set to be required for all sites. As a side-effect of the merge, his LP account got severed from his SSO account, therefore causing SSO team membership verification to fail.

Since SSO uses team membership to enable/disable the 2F feature, it was failing to present the user with the 2F aspects during login. Since his account required 2F for all sites, he couldn't log in to any site.

This issue was fixed by:

1. Disabling 2F on his account temporarily so he could log into LP.
2. The user logged into LP, which caused his LP<->SSO link to be reestablished.
3. The user re-enabled 2F for all sites on his SSO profile.
4. The user confirmed he could still log in to sites and 2F was again working.

Nevertheless, SSO should not block logins (even if they require 2F) if the 2F feature is disabled for a user; this still needs to be fixed properly in SSO.
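The lockout described above is a pure interaction between two flags: a per-account "2F required" setting and a feature gate driven by team membership that is verified through the LP<->SSO link. The following is an added example, not code from canonical-identity-provider, that models that decision in Python. The names (`Account`, `LoginResult`, `twofactor_feature_enabled`, `login_buggy`, `login_fixed`, `merge_accounts`, `SSO_2F_TEAM`) and the sample team membership are assumptions made for illustration; the "fixed" function implements what the report asks for, i.e. not blocking a login whose 2F requirement cannot be presented.

```python
from dataclasses import dataclass
from enum import Enum


class LoginResult(Enum):
    ALLOW = "allow"            # login completes with password only
    REQUIRE_2F = "require_2f"  # login proceeds to the 2F challenge
    BLOCKED = "blocked"        # login cannot complete at all


@dataclass
class Account:
    username: str
    lp_linked: bool           # is the LP<->SSO link intact?
    twofactor_required: bool  # "require 2F for all sites" on the SSO profile


# Constructed sample data: the team whose membership gates the 2F feature.
SSO_2F_TEAM = frozenset({"alice", "bob"})


def twofactor_feature_enabled(acct: Account) -> bool:
    """The feature is on only when team membership can be verified.
    Verification goes through the LP<->SSO link, so a severed link
    (e.g. after an account merge) makes the check fail closed."""
    return acct.lp_linked and acct.username in SSO_2F_TEAM


def login_buggy(acct: Account, site_requires_2f: bool) -> LoginResult:
    """Pre-fix behaviour: the 2F *requirement* is enforced regardless of
    whether the 2F *feature* is available to the account."""
    needs_2f = acct.twofactor_required or site_requires_2f
    if not needs_2f:
        return LoginResult.ALLOW
    if twofactor_feature_enabled(acct):
        return LoginResult.REQUIRE_2F
    # Requirement set, but no way to present the challenge: lockout.
    return LoginResult.BLOCKED


def login_fixed(acct: Account, site_requires_2f: bool) -> LoginResult:
    """Behaviour the report asks for: a requirement that cannot be
    satisfied because the feature is off must not block the login."""
    if not twofactor_feature_enabled(acct):
        return LoginResult.ALLOW
    needs_2f = acct.twofactor_required or site_requires_2f
    return LoginResult.REQUIRE_2F if needs_2f else LoginResult.ALLOW


def merge_accounts(acct: Account) -> Account:
    """Model the side-effect described in the report: the merge severs
    the LP<->SSO link while the 2F-required flag survives on the profile."""
    return Account(acct.username, lp_linked=False,
                   twofactor_required=acct.twofactor_required)


def lockout_scenario() -> dict:
    """Replay the report: the same account before and after the merge."""
    before = Account("alice", lp_linked=True, twofactor_required=True)
    after = merge_accounts(before)
    return {
        "before": login_buggy(before, site_requires_2f=False),
        "after_buggy": login_buggy(after, site_requires_2f=False),
        "after_fixed": login_fixed(after, site_requires_2f=False),
    }


if __name__ == "__main__":
    for name, result in lockout_scenario().items():
        print(f"{name}: {result.value}")
```

Note the trade-off in `login_fixed`: it turns the lockout into a silent authentication downgrade, since a user who explicitly asked for 2F on every site is let in with a password alone whenever the feature gate flips. That is exactly the second situation reported in the comments below, where 2F stopped being required for a direct login.ubuntu.com login after the user left Canonical. A more robust design keeps enforcement of an already-enrolled second factor independent of a membership-derived feature flag, and at minimum logs the downgrade so it is visible.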

Haw Loeung (hloeung)
tags: added: canonical-webops-sso
Changed in canonical-identity-provider:
status: New → Confirmed
Changed in canonical-identity-provider:
importance: Undecided → High
todaioan (alan-ar06)
Changed in canonical-identity-provider:
status: Confirmed → Incomplete
status: Incomplete → Fix Committed
status: Fix Committed → Fix Released
Changed in canonical-identity-provider:
status: Fix Released → Confirmed
Dave Chiluk (chiluk) wrote :

I hit something very similar to this today. Logging in to Ubuntu SSO via a private browser window to log in to launchpad, I get a 2fa requirement. My 2fa was previously connected to my yubikey and my now-defunct @canonical.com address. Fortunately I was able to dig up my old yubikey that I used for authentication back in the day.

Logging directly into login.ubuntu.com also requires 2fa, but does not show the "Authentication Devices tab" for configuration.

Once I was added to https://launchpad.net/~sso-2f-testers, I can now see the Authentication Devices tab and configure 2fa. I hope this additional info helps someone else.

Dave Chiluk (chiluk) wrote :

Actually, ignore my previous post, as I was added to sso-2f-testers in the middle of looking into what was going on. So I'll redescribe what I originally reported on ubuntu-devel. Here's a modified version of what I reported on irc.

------
So I discovered today that my ubuntu one login has 2fa enabled when enabling livepatch via "software & updates", but it was not required when logging in directly via login.ubuntu.com or via launchpad OpenID. I suspect that has something to do with me no longer being at Canonical. Additionally, when logging in directly to login.ubuntu.com (with only user/pass), I do not see 2fa configuration tabs.

Once I was added to sso-2f-testers it seems that 2fa was re-enabled when logging in directly to login.ubuntu.com, and the configuration tab became visible again.
