This is a Firebase Auth authentication sample repo. I want to show that SAML login is not behaving as I think it should. When an email/password user exists in the system, and SAML is set up, and you try to log in with the same SAML user, Firebase automatically merges them without any verification.
I describe the steps I took below:
First, create a Firebase project. I've deployed the code in this repo with ./node_modules/.bin/firebase deploy.
Next, I created an Okta Auth0 account at https://developer.okta.com/signup/. It's the Customer Identity Cloud one. I don't think the IdP matters; this one just allows me to create users easily.
In Okta, I created an app. Under addons, I enabled SAML:
The settings were:
{
  "audience": "urn:mondoo:saml-sharp-vaughan-129621",
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
}
Grab the Issuer, Identity Provider Certificate, and Identity Provider Login URL from the Usage page:
Back in Firebase, create an email provider and a SAML provider:
Create a user in the firebase console. Reset its password. You'll receive an email to set the password.
Create a user with the same email in Okta/Auth0.
In a private tab or with another browser, navigate to the deployed app in Firebase. For me, that was https://test-base-project-jaym.web.app/index.html.
Click the Sign In with SAML button. Log in with the Okta/Auth0 IdP.
Go back to the firebase console. Under users, the user is now listed with 2 providers. No authentication was requested.
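As an added example (not code from this repo), here is a defender-side check a Firebase admin could run to find accounts that have ended up in this merged state. It assumes user records in the firebase-admin UserRecord shape, uses a placeholder provider id ('saml.okta'), and injects a fake pager with constructed sample users in place of admin.auth().listUsers().

```javascript
// Added example, not part of this repo: an audit over Firebase Auth users that
// flags accounts carrying both a password provider and a SAML provider, which
// is what the user list shows after the SAML sign-in above.
// Assumptions: records have the firebase-admin UserRecord shape (uid, email,
// emailVerified, providerData[{ providerId, uid, email }]); 'saml.okta' is a
// placeholder provider id; SAMPLE_USERS and the fake pager are constructed.
// Returns a finding for one user, or null if the account is not merged.
function auditUser(user) {
  const ids = (user.providerData || []).map((p) => p.providerId);
  const saml = ids.filter((id) => id.startsWith('saml.'));
  if (saml.length === 0 || !ids.includes('password')) return null;
  return {
    uid: user.uid,
    email: user.email,
    samlProviders: saml,
    // An unverified email on the password identity means the mailbox owner
    // never confirmed anything about this link.
    emailVerified: Boolean(user.emailVerified),
  };
}

// listPage(pageToken) resolves to { users, pageToken }, the shape returned by
// admin.auth().listUsers(maxResults, pageToken); a real run can pass
// (token) => admin.auth().listUsers(1000, token). The fake below is injected.
async function findMergedAccounts(listPage) {
  const findings = [];
  let token;
  do {
    const page = await listPage(token);
    for (const user of page.users) {
      const finding = auditUser(user);
      if (finding) findings.push(finding);
    }
    token = page.pageToken;
  } while (token);
  return findings;
}

// Constructed sample data: one merged account (the repro), one password-only.
const SAMPLE_USERS = [
  { uid: 'u1', email: 'alice@example.com', emailVerified: false, providerData: [
    { providerId: 'password', uid: 'alice@example.com', email: 'alice@example.com' },
    { providerId: 'saml.okta', uid: 'alice@example.com', email: 'alice@example.com' } ] },
  { uid: 'u2', email: 'bob@example.com', emailVerified: true, providerData: [
    { providerId: 'password', uid: 'bob@example.com', email: 'bob@example.com' } ] },
];
// Fake pager returning two pages, so the pageToken loop is exercised.
const fakeListPage = async (token) =>
  token === 'p2' ? { users: [SAMPLE_USERS[1]] } : { users: [SAMPLE_USERS[0]], pageToken: 'p2' };
```

Against a real project, replace fakeListPage with a wrapper around admin.auth().listUsers() and review each finding for a link the account owner never confirmed.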