Rally - SSO: Users can log in to Rally by using any password

Article ID: 141401

Products

CA Agile Central SaaS (Rally)

Issue/Introduction

We have observed that although we are set up to use SSO (single sign-on), users can log in to Rally (CA Agile Central) by using any password (like ABCD, anything that is not the set password).

This compromises data security for us and is seen as a security vulnerability.

Cause

The described scenario does not indicate a defect: SSO authentication is working as designed.

The behaviour that looks alarming is almost certainly that the user already has an authenticated Rally session. If that user navigates directly to https://rally1.rallydev.com/slm/login.op they will of course be shown a login form (had they gone to https://rally1.rallydev.com instead, they would land on their start page, already logged in). Whatever username and password they type into that form, the existing session is still valid, so Rally simply takes them to their account; the password is never evaluated.

The only cases in which this does not happen in an SSO subscription are when the username is on the SSO exceptions list, or the user is a subscription administrator. For either of those, Rally checks the password itself regardless of whether an authenticated session exists.

To confirm that no bypass exists, repeat the test from a fresh browser session with no existing Rally session (for example a private browsing window) using a user who is neither on the exceptions list nor a subscription administrator. That user should be handed to the identity provider rather than accepted on the strength of a typed password.

Environment

Rally SaaS

SSO authentication (with or without exceptions)

Resolution

When a user signs in to a subscription configured for SSO authentication, Rally does not evaluate the password at all, even if the user types a username and password into the login form. This is not a security loophole: Rally recognizes that the username belongs to a subscription that uses SSO and hands authentication off to the customer's identity provider (IdP). Rally then receives a SAML assertion (token) from the IdP stating that the user has been authenticated and admits the user on that basis; the value typed into the password field plays no part in the decision. Only users on the SSO exceptions list and subscription administrators are password-checked by Rally itself.
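The decision described in the Cause and Resolution sections above, written out as a small model so the three outcomes (existing session reused, hand-off to the IdP, local password check) can be exercised side by side. This is an added illustration for this article, not Rally's code; the `Subscription` class, `route_login` function, the evaluation order between the session check and the exception/admin check, and the sample users are all assumptions. The real service's session handling and SAML exchange are not modelled; the block only shows why a typed password is irrelevant for an ordinary SSO user and why a valid test needs a fresh session and a non-exempt account.

```python
"""Model of the Rally-style SSO login decision (hypothetical, not Rally's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000  # demo value; tune for production use


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 credential; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(stored: Tuple[bytes, bytes], candidate: str) -> bool:
    """Constant-time comparison of a candidate against the stored credential."""
    salt, digest = stored
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, candidate_digest)


@dataclass
class Subscription:
    """Assumed subscription settings: SSO flag, exception list, admins, local credentials."""
    sso_enabled: bool
    sso_exceptions: Set[str] = field(default_factory=set)
    admins: Set[str] = field(default_factory=set)
    passwords: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)

    def locally_authenticated(self, username: str) -> bool:
        """Users Rally password-checks itself even under SSO (exceptions and admins)."""
        return username in self.sso_exceptions or username in self.admins


def _check_local_password(sub: Subscription, username: str, password: str) -> str:
    stored = sub.passwords.get(username)
    if stored is not None and verify_password(stored, password):
        return "password_ok"
    return "password_rejected"


def route_login(sub: Subscription, username: str, password: str,
                session_user: Optional[str] = None) -> str:
    """Return what the login form does with these inputs.

    session_reuse     - a session for this user already exists; the form is a no-op
    redirect_to_idp   - SSO subscription, non-exempt user; the IdP decides, password ignored
    password_ok / password_rejected - Rally verified the password itself
    """
    # Exceptions-list users and admins are always password-checked (article, Cause).
    if sub.locally_authenticated(username):
        return _check_local_password(sub, username, password)
    # An already-authenticated user is simply sent to their account (article, Cause).
    if session_user == username:
        return "session_reuse"
    # SSO subscription: the typed password is never consulted (article, Resolution).
    if sub.sso_enabled:
        return "redirect_to_idp"
    # Non-SSO subscription: ordinary local password authentication.
    return _check_local_password(sub, username, password)


def build_demo_subscription() -> Subscription:
    """Constructed sample data: one SSO subscription with an admin and one exception."""
    return Subscription(
        sso_enabled=True,
        sso_exceptions={"svc-integration"},
        admins={"sub-admin"},
        passwords={
            "sub-admin": hash_password("correct horse battery staple"),
            "svc-integration": hash_password("s3rv1ce-p@ss"),
            # "alice" is an ordinary SSO user: deliberately no local password on file
        },
    )


if __name__ == "__main__":
    sub = build_demo_subscription()
    # The confusing case from the article: alice is already logged in, types "ABCD", gets in.
    print("alice, existing session, ABCD ->", route_login(sub, "alice", "ABCD", "alice"))
    # The correct test: fresh session, non-exempt user; the password is never looked at.
    print("alice, fresh session, ABCD     ->", route_login(sub, "alice", "ABCD"))
    # Admins and exceptions are checked by Rally even with a live session.
    print("sub-admin, session, ABCD       ->", route_login(sub, "sub-admin", "ABCD", "sub-admin"))
```

The `__main__` section reproduces the report in the Issue section: `alice` with a live session and the password `ABCD` is taken to her account, but the same inputs from a fresh session produce `redirect_to_idp`, which is the outcome a tester should expect. An outcome of `password_ok` for a user who is not on the exceptions list and not an administrator would be the only result worth escalating.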