Closed
ISSUE TYPE
- Bug Report
COMPONENT NAME
UI: SAML login
CLOUDSTACK VERSION
4.14.0.0
CONFIGURATION
SAML authentication activated
OS / ENVIRONMENT
N/A
SUMMARY
The SAML signature is optional rather than mandatory. A user can log in to a domain where they are not allowed to.
STEPS TO REPRODUCE
Use a tool to intercept the web requests between your browser and the CloudStack UI (our pentester used "burp"). Log in to CloudStack using an SSO account (SAML).
Now you're logged in successfully to your CloudStack domain.
Log out from CloudStack.
Now log in again to CloudStack, but with the "interceptor" active. In the request, delete the whole SAML signature and change the username to another SSO user from within another tenant.
Run the modified request, and you're logged in to this foreign account.
EXPECTED RESULTS
User cannot log in to a foreign tenant.
ACTUAL RESULTS
User can log in to a foreign tenant.
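The root cause described in this report is a service provider that treats the SAML signature as optional: when the signature element is absent, authentication proceeds on the unverified NameID. The following is an added illustrative example, not CloudStack's own code (which is Java and uses a different SAML library): it contrasts a lenient extractor that mirrors the reported behaviour with a strict one that refuses any assertion lacking an enveloped signature whose Reference covers that assertion. The sample responses are constructed; `PLACEHOLDER` stands in for a real SignatureValue, and the example only enforces signature presence and coverage as a structural gate. Cryptographic verification of the signature against the IdP certificate (for example with xmlsec) must still follow and is not performed here.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 and XML-DSig namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class SamlValidationError(Exception):
    """Raised when a response must not be used for authentication."""


def _single_assertion(response_xml: str) -> ET.Element:
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one assertion")
    return assertions[0]


def _name_id(assertion: ET.Element) -> str:
    node = assertion.find("saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise SamlValidationError("assertion has no NameID")
    return node.text.strip()


def lenient_extract_subject(response_xml: str) -> str:
    """The flawed pattern from the report: the signature is checked only if present,
    so stripping it yields an unauthenticated NameID the caller then trusts."""
    assertion = _single_assertion(response_xml)
    # Signature absent -> no check at all. This is the bug.
    return _name_id(assertion)


def strict_extract_subject(response_xml: str) -> str:
    """Hardened form: the assertion must carry an enveloped ds:Signature whose
    Reference URI points at this assertion's ID. Anything else is rejected."""
    assertion = _single_assertion(response_xml)
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise SamlValidationError("assertion is unsigned; refusing to authenticate")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    assertion_id = assertion.get("ID", "")
    if ref is None or not assertion_id or ref.get("URI") != "#" + assertion_id:
        raise SamlValidationError("signature does not cover this assertion")
    # Cryptographic verification of SignatureValue against the IdP certificate
    # belongs here (e.g. xmlsec); omitted in this structural example.
    return _name_id(assertion)


def is_rejected(response_xml: str) -> bool:
    """True when the strict validator refuses the response."""
    try:
        strict_extract_subject(response_xml)
    except SamlValidationError:
        return True
    return False


def _response(assertion_id: str, name_id: str, signature: str) -> str:
    # Constructed sample; not a real IdP response.
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">'
        '<saml:Assertion ID="%s">%s'
        "<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
        % (NS["samlp"], NS["saml"], assertion_id, signature, name_id)
    )


def _signature(ref_uri: str) -> str:
    return (
        '<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="%s"/>'
        "</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
        "</ds:Signature>" % (NS["ds"], ref_uri)
    )


# Constructed inputs: a signed assertion for a tenant-A user, the same document
# with the signature stripped and the NameID swapped to a tenant-B user, and a
# signed assertion whose Reference points at a different element.
SIGNED_RESPONSE = _response("_a1", "alice@tenant-a.example", _signature("#_a1"))
UNSIGNED_RESPONSE = _response("_a1", "bob@tenant-b.example", "")
WRONG_REF_RESPONSE = _response("_a1", "bob@tenant-b.example", _signature("#_other"))

if __name__ == "__main__":
    print("lenient, unsigned:", lenient_extract_subject(UNSIGNED_RESPONSE))
    print("strict, signed:   ", strict_extract_subject(SIGNED_RESPONSE))
    print("strict, unsigned: ", "rejected" if is_rejected(UNSIGNED_RESPONSE) else "accepted")
```

The lenient path returns the substituted tenant-B user from an unsigned response, which is exactly the behaviour in ACTUAL RESULTS; the strict path returns a subject only from a signed assertion and rejects both the unsigned and the mis-referenced variants.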