Hidden login link when enabling SAML, but turning off Default Login Form

Description

When turning off the ‘Show Default Login Form’ because we are using SAML, is there a hidden URL somewhere that would allow the local admin to login if SAML breaks? Or is there another way to gain access?

Server Setup Information

  • Version of Rocket.Chat Server: 3.0.12
  • Operating System: Linux
  • Deployment Method: Docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog: Enabled
  • NodeJS Version: v12.14.0
  • MongoDB Version: 4.0.17
  • Proxy: nginx
  • Firewalls involved: Yes, network perimeter. Server is NATed.

Any additional Information


Hi, any solution for this? What if SAML does not work, how will the admin log in?

Thanks

This would be a great feature. Has anyone figured this out?

You can have a fallback with LDAP but I am not sure with SAML.

A ‘hidden’ login is still available to anyone who knows and is really a security hole. I don’t believe there is this facility.

I guess ultimately you can get into the DB and disable SAML?

How is this a security risk if it takes you to the local login prompt? You’d still need a username and password. It’s not a ‘backdoor’ to the administrator section with no authentication.

You do, but you bypass your SAML, and any other authentication linked to it, e.g. does your SAML provider require its own 2FA (just thinking out loud here)?

I’m not sure if you can get in via the API to change the settings.

https://developer.rocket.chat/api/rest-api

And ultimately you could either disable SAML or enable Show Login Form in the DB.
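The two posts above (getting into the DB to disable SAML, or re-enabling "Show Login Form" there) describe a break-glass recovery. Below is an added example of what that looks like as a mongosh script; it is not Rocket.Chat project code and nothing in the thread provides it. The collection name `rocketchat_settings` and the setting id `Accounts_ShowFormLogin` are Rocket.Chat's own; the `_updatedAt` touch, the audit record, and the in-memory stand-in collection used when no `db` is present are assumptions made for the example.

```javascript
// Added example (not Rocket.Chat project code): re-enable the local login
// form by editing Rocket.Chat's settings collection directly, as a recovery
// path for when SAML is broken and the UI cannot be reached.
//
// Assumed usage with mongosh against the Rocket.Chat database:
//   mongosh rocketchat --file restore_local_login.js
// When run under plain node (no global `db`), the same function is exercised
// against an in-memory stand-in collection so the logic can be checked offline.

// Rocket.Chat setting that controls "Show Default Login Form" (real id).
const SETTING_ID = 'Accounts_ShowFormLogin';

// Flip the setting to true. Refuses to create the document if it is missing
// (that would mean the wrong database or collection), and returns the previous
// value so the operator can revert once SAML is working again.
function restoreLocalLogin(settings) {
  const doc = settings.findOne({ _id: SETTING_ID });
  if (!doc) {
    throw new Error(`setting ${SETTING_ID} not found; refusing to create it`);
  }
  if (doc.value === true) {
    return { changed: false, previous: true };
  }
  // _updatedAt is touched so the server's settings watcher notices the change
  // (assumption: if it is not picked up, restart the Rocket.Chat container).
  settings.updateOne(
    { _id: SETTING_ID },
    { $set: { value: true, _updatedAt: new Date() } }
  );
  return { changed: true, previous: doc.value };
}

// Put the setting back to the value recorded by restoreLocalLogin() after
// SAML has been fixed, so the local form is not left exposed unintentionally.
function revertLocalLogin(settings, previous) {
  settings.updateOne(
    { _id: SETTING_ID },
    { $set: { value: previous, _updatedAt: new Date() } }
  );
  return settings.findOne({ _id: SETTING_ID }).value;
}

// Minimal in-memory stand-in for a Mongo collection (constructed for the demo;
// only the two calls used above are implemented, with _id lookups and $set).
function memoryCollection(docs) {
  const store = new Map(docs.map((d) => [d._id, { ...d }]));
  return {
    findOne(filter) {
      const d = store.get(filter._id);
      return d ? { ...d } : null;
    },
    updateOne(filter, update) {
      const d = store.get(filter._id);
      if (!d) return { matchedCount: 0, modifiedCount: 0 };
      Object.assign(d, update.$set);
      return { matchedCount: 1, modifiedCount: 1 };
    },
  };
}

if (typeof db !== 'undefined') {
  // Real mongosh session: operate on the live settings collection.
  printjson(restoreLocalLogin(db.getCollection('rocketchat_settings')));
} else {
  // Offline demonstration with a constructed settings document.
  const demo = memoryCollection([{ _id: SETTING_ID, value: false }]);
  console.log(restoreLocalLogin(demo)); // { changed: true, previous: false }
  console.log(revertLocalLogin(demo, false)); // false
}
```

Because this path bypasses whatever 2FA or conditional-access policy the SAML provider enforces (the point raised later in the thread), the local admin account it exposes should have a strong password and the setting should be reverted as soon as SAML is repaired.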

I always flip on the local login box under Admin -> Accounts any time I do an upgrade. It’s my safety net for getting in in case things go sideways.

I know NextCloud does it with a ‘secret’ url that bypasses SAML.

Another option would be a .env type attribute that would allow you to flip the authentication type back to that default temporarily.

I have another system I manage that does that: if an upgrade doesn’t let me log in after an upgrade, I can change a php file and allow the ‘local’ admin login.

Nice tips - I understand.

You could add a feature-request here: