Fix saml bug unable to login (apache#10868)

vits-hugs · Vitor Hugo Homem Marzarotto · erikbocks · dhslove · commit 8fac94f1bcc1 · 2026-03-03T13:30:23.000+09:00
* Fix check

* Adds configuration for behaviour, when SAML SSO is disabled for a user

* set default configuration value to false and rename it to enable.login.with.disabled.saml

---------

Co-authored-by: Vitor Hugo Homem Marzarotto &lt;vitor.marzarotto@scclouds.com.br&gt;
Co-authored-by: erikbocks &lt;erik.bock@outlook.com&gt;
diff --git a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManager.java b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManager.java
@@ -85,6 +85,9 @@ public interface SAML2AuthManager extends PluggableAPIAuthenticator, PluggableSe
     ConfigKey<Boolean> SAMLRequirePasswordLogin = new ConfigKey<Boolean>("Advanced", Boolean.class, "saml2.require.password", "true",
         "When enabled SAML2 will validate that the SAML login was performed with a password.  If disabled, other forms of authentication are allowed (two-factor, certificate, etc) on the SAML Authentication Provider", true);
 
+    ConfigKey<Boolean> EnableLoginAfterSAMLDisable = new ConfigKey<>("Advanced", Boolean.class, "enable.login.with.disabled.saml", "false", "When enabled, if SAML SSO is disabled, enables user to login with user and password, otherwise a user with SAML SSO disabled cannot login", true);
+
+
 
     SAMLProviderMetadata getSPMetadata();
     SAMLProviderMetadata getIdPMetadata(String entityId);
diff --git a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
@@ -451,8 +451,13 @@ public boolean authorizeUser(Long userId, String entityId, boolean enable) {
                 user.setExternalEntity(entityId);
                 user.setSource(User.Source.SAML2);
             } else {
+                boolean enableLoginAfterSAMLDisable =  SAML2AuthManager.EnableLoginAfterSAMLDisable.value();
                 if (user.getSource().equals(User.Source.SAML2)) {
-                    user.setSource(User.Source.SAML2DISABLED);
+                    if(enableLoginAfterSAMLDisable) {
+                        user.setSource(User.Source.UNKNOWN);
+                    } else {
+                        user.setSource(User.Source.SAML2DISABLED);
+                    }
                 } else {
                     return false;
                 }
@@ -542,6 +547,7 @@ public ConfigKey<?>[] getConfigKeys() {
                 SAMLIdentityProviderMetadataURL, SAMLDefaultIdentityProviderId,
                 SAMLSignatureAlgorithm, SAMLAppendDomainSuffix, SAMLTimeout, SAMLCheckSignature,
                 SAMLForceAuthn, SAMLUserSessionKeyPathAttribute, SAMLFailedLoginRedirectUrl, SAMLRequirePasswordLogin,
-                SAML2Config.SAMLIdentityProviderPortalUrl, SAML2Config.SAMLIdentityProviderPassword};
+                SAML2Config.SAMLIdentityProviderPortalUrl, SAML2Config.SAMLIdentityProviderPassword, EnableLoginAfterSAMLDisable
+            };
     }
 }
