We are disabling the SSO Login feature in production IPAM until further notice. We apologize for the inconvenience.
Please use the Alternative Login Method with your full Active Directory userPrincipalName (typically yournetid@illinois.edu) and 2FA.
You may need to append a passcode or factor name to your password for 2FA purposes; see go.illinois.edu/ipamlogin for more information, and contact hostmgr if you still have trouble logging in.
Please note that any user profile customizations you have previously made while using SSO Login will not carry over, as explained in Known Issues.
Why is this necessary?
We recently received a report that one user (A) went into IPAM and was erroneously given a session as a different user (B) who moments before had performed a legitimate SSO Login of their own, from a completely different workstation.
Our analysis of the IPAM audit logs (dating back to 2021-07-13, when we enabled the SSO Login feature) identified very few other occasions when this may have occurred, and in all of those cases no suspicious record changes were made. The behavior does not appear to be easily reproducible. However, at this time we cannot rule out the possibility that it could be exploited maliciously to make unauthorized record changes in the future.
We have opened a support case with the vendor and are hopeful that a root cause analysis and a fix will be forthcoming, but that process is likely to take a considerable amount of time. In the meantime, our only certain defense against this apparent vulnerability in IPAM's SSO implementation is to disable the feature entirely.