
mahara-contributors team mailing list archive

Re: [Bug 1003980] Re: Authentication plugin user autocreation can become impossible

 


On 05/06/12 00:24, Richard Mansfield wrote:
> On 01/06/12 21:30, Simon Story wrote:

>> So therefore, you can't have auto user creation of SAML
>> users without usersuniquebyusername = 1. The manual says the
>> same.
> Damn, I'm the one who's crazy, I didn't know about that error
> message. I'll submit the patch. Guess I just assumed it'd work the
> same as the xmlrpc plugin.  It's a shame we are encouraging people
> to turn usersuniquebyusername on, because it really sucks. Maybe
> there's no way around it, though, I'm not too sure.  With other 
> external id providers (e.g. ldap) you can make the ldap auth the
> 'parent method' of your SSO (xmlrpc), and that usually gives you
> enough to leave usersuniquebyusername off and autocreation on.  But
> SAML is trying to do both the id provision & the SSO, which maybe
> makes it impossible.

Maybe talk to Piers and ask him what his thinking was. Surely
Username+institution is unique enough?

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1003980

Title:
  SAML user autocreation can become impossible

Status in Mahara ePortfolio:
  Triaged

Bug description:
  It is possible to put yourself in a situation where having users
  auto-created by an authentication plugin is impossible.

  By design, for auto-creation to happen, all institutions must be
  registerallowed = 0 .

  By design, when an authentication plugin is added to an institution,
  registerallowed is set to 0. But it is not set for all institutions,
  if multiple exist.

  Once an authentication plugin is added to an institution, via the web
  interface the control to toggle registerallowed for an institution is
  hidden.

  To reproduce from a fresh installation of Mahara:
  Create an institution
  Set config item usersuniquebyusername = 1
  Add and configure an authentication plugin
  Attempt to log in with a new user that should autocreate, which will fail because the 'mahara' institution will still have registerallowed = 1

  To workaround:
  Connect to the database and set registerallowed = 0 for all institutions, eg 'UPDATE institution set registerallowed = 0 ;'.
