
mahara-contributors team mailing list archive

[Bug 724471] [NEW] SAML does not fail gracefully when Identity Provider does not provide required attribute

 

Public bug reported:

When a Shibboleth Identity Provider does not provide a required
attribute, Mahara presents a page that says "Site Unavailable" and "A
nonrecoverable error occured. This probably means you have encountered a
bug in the system."  You also will get stuff in the error_log like
what's in the file attached.

By comparison, when this situation arises with Moodle, the page tells
the user something like this:

"You seem to be Shibboleth authenticated but Moodle didn't receive any
user attributes. Please check that your Identity Provider releases the
necessary attributes ('REMOTE_USER', 'givenName', 'sn' and 'mail') to
the Service Provider Moodle is running on or inform the webmaster of
this server."

Especially if people intend to run federated authentication, SAML should
fail gracefully if an Identity Provider doesn't provide all the
attributes Mahara requires.  If nothing else, it at least makes it clear
that the problem is probably with the Identity Provider and not one or
more bugs in Mahara.

** Affects: mahara
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/724471
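
The graceful failure requested in the report, sketched as an added example (not Mahara's code and not part of the original message). The attribute names are the ones in the quoted Moodle message, and the attribute array shape (name => list of string values) and both function names are assumptions made for illustration.

```php
<?php
// Added example, not Mahara code. Attribute names are illustrative (taken
// from the Moodle message quoted in the report); the array shape
// (name => list of string values) is an assumption.

const REQUIRED_ATTRIBUTES = ['REMOTE_USER', 'givenName', 'sn', 'mail'];

/**
 * Return the names of required attributes that are absent or carry only
 * empty values. An attribute released as [''] is as unusable as none.
 */
function missing_attributes(array $released, array $required): array {
    $missing = [];
    foreach ($required as $name) {
        $values = array_filter(
            (array) ($released[$name] ?? []),
            fn($v) => is_string($v) && trim($v) !== ''
        );
        if (count($values) === 0) {
            $missing[] = $name;
        }
    }
    return $missing;
}

/**
 * Decide the outcome of a login attempt: either proceed, or return a
 * message for the user plus a log line for the administrator.
 */
function check_login(array $released, string $idp, array $required = REQUIRED_ATTRIBUTES): array {
    $missing = missing_attributes($released, $required);
    if ($missing === []) {
        return ['ok' => true];
    }
    $names = implode(', ', $missing);
    return [
        'ok'   => false,
        // Names only: released values never go to the page or the log.
        'user' => "You are authenticated, but your Identity Provider did not release "
                . "the required attribute(s): $names. Please contact its administrator.",
        // json_encode keeps control characters in the IdP id out of the log.
        'log'  => sprintf('SAML login refused: IdP %s omitted %s', json_encode($idp), $names),
    ];
}

// Constructed sample: 'mail' is absent and 'sn' is released empty.
$result = check_login(
    ['REMOTE_USER' => ['jdoe'], 'givenName' => ['Jane'], 'sn' => ['']],
    'https://idp.example.org/shibboleth'
);
echo $result['user'], PHP_EOL, $result['log'], PHP_EOL;
```

The missing names come from the service provider's own required list, never from IdP-supplied input, so the user-facing message cannot carry attacker-controlled text; it should still be HTML-escaped when rendered.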
