Notifications

11 views

Description

Admin users are forced to logout when connecting via SSO

Cause

There were 3 accounts for one single user, and two of them were using the same email.
Okta and ServiceNow don't allow duplicated emails.

 

The SAML request gets the information from OKTA, the SAML Responds is retuning/bringing the email; the database query is executed against the sys_user table and in this case returned multiple rows. The first one returned is used no matter if the active flags is true or false. The SSO script determines if the account is not active then refuse the login.

Resolution

Remove the email from one of the accounts.

At authentication time, Single Sign On Script queries the database sys_user table using the email address returned by the identity provider, and expect a user_name in return.


Email addresses when are used for authentication purposes, it must be unique. By default, instances are configured to use user_name as unique identifier for user record.

Article Information

Last Updated:2020-01-08 06:23:24
Published:2020-01-08