ISC: Allows unauthenticated users to check if username exists

What problem are you observing?

You can determine if a username exists in ISC.

What is the correct behavior?

Unauthenticated users should not be able to determine if an account with a specific username exists in ISC.

What product feature is this related to?

ISC Password Reset

What are the steps to reproduce the issue?

  • Open the ISC login page
  • Click on Problems signing in?
  • Click on Reset password
  • Type some test Username, click on Continue
  • Click on Send an email if the option is visible, and check the API response:

Do you have any other information about your environment that may help?

No.

Other issues

  • When you land on the page /r/default/reset-password the UI seems to make a bunch of useless requests.

  • You can reset the password, not only by using the ISC username, but also the account name. In contrast, you can only log on with the username, not the account name.
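To make the reported behaviour concrete, here is an added illustration that is not SailPoint's code: a minimal reset-password lookup showing the response difference the steps above expose, beside a variant that answers identically for known and unknown identifiers. The identity directory, the account-name alias `tmore`, the `SENT` log and the handler names are constructed for this example; `tres.more` is the username quoted later in the thread.

```python
# Added example, not SailPoint ISC code: a username-enumeration flaw in a
# password-reset endpoint and a hardened version that answers uniformly.
from typing import Dict, List, Optional

# Constructed sample directory: identities keyed by username, each with an
# account-name alias (the report notes reset also accepts the account name).
IDENTITIES: Dict[str, Dict[str, str]] = {
    "tres.more": {"email": "tres.more@example.invalid", "account_name": "tmore"},
}
ACCOUNT_NAME_INDEX = {v["account_name"]: k for k, v in IDENTITIES.items()}

# Constructed stand-in for the mail subsystem: records which addresses got a reset mail.
SENT: List[str] = []


def _lookup_any(identifier: str) -> Optional[Dict[str, str]]:
    """Resolve by username or, as observed in the report, by account name."""
    return IDENTITIES.get(identifier) or IDENTITIES.get(ACCOUNT_NAME_INDEX.get(identifier, ""))


def reset_leaky(identifier: str) -> dict:
    """Vulnerable: an unauthenticated caller sees a different status and message
    depending on whether the identifier resolves to an identity."""
    ident = _lookup_any(identifier)
    if ident is None:
        return {"status": 404, "message": f'Referenced IDENTITY "{identifier}" was not found.'}
    SENT.append(ident["email"])
    return {"status": 200, "message": "An email has been sent."}


def reset_uniform(identifier: str) -> dict:
    """Hardened: identical status and message for known and unknown identifiers,
    the mail goes out only when a username (not an alias) matches, and the
    response carries nothing derived from the lookup result."""
    ident = IDENTITIES.get(identifier)  # username only; alias deliberately not accepted
    if ident is not None:
        SENT.append(ident["email"])
    return {"status": 200, "message": "If an account exists for that username, an email has been sent."}


def enumerates(handler, existing: str, missing: str) -> bool:
    """True when the two identifiers can be told apart from the response alone."""
    return handler(existing) != handler(missing)
```

A real deployment would also rate-limit reset requests per source and log repeated misses, since a uniform response removes the oracle but not the request volume.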

Hi @adamian ,

For security concerns, please open a support ticket.

2024-12-04:

We have received a case related to security concerns related to users when they are not authenticated.
Please allow me to reproduce these cases in my tenant and get back with a result.
As part of the design, we have a flow where if a user enters a wrong username and sends an email, it will show them that an email has been sent so that they don’t do brute force trials.

2024-12-10:

SailPoint Support says that is by design to display the message that the identity does not exist.

Thanks for your patience, I took my time and had a look at code and this is by design where we display the message ‘Referenced IDENTITY “tres.more” was not found.’ }
I have reached out to the product team through message to see what they have to say about this behaviour.

I am confused, how can the design be checked in code? Is there any separation between code and the design documentation?
If there is a bug in the code, is it then by design?

I checked and the fix for this issue lies in the backlog and will be deployed in some time.

Since there is no action pending on the SailPoint support team, I will mark this as a proposed resolution and I will request you to check for an update on this development with your CSM or reply on this email thread in the next quarter using the reference case ISCANT-8422.