mahara-contributors team mailing list archive
Message #37090
[Bug 995681] A change has been merged
Reviewed: https://reviews.mahara.org/6632
Committed: https://git.mahara.org/mahara/mahara/commit/a3782238f1e2b80f84b57887e0af89ff44d0a026
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch: master
commit a3782238f1e2b80f84b57887e0af89ff44d0a026
Author: Aaron Wells <aaronw@xxxxxxxxxxxxxxx>
Date: Tue Jun 28 13:03:33 2016 +1200
Bug 995681: Allow SAML account creation with remote usernames
There's no particular reason to prevent the SAML plugin from
auto-creating accounts if you're using remote usernames.
Even in a multi-tenanted situation with many tenants using the
same SSO, we can tell which institution a new user should go
into because each SAML auth instance requires an institution
identifier field from the SAML attributes.
Change-Id: I7d7fd592aafe3d01cd92098977be82793f3376dd
behatnotneeded: Requires external SAML IdP to test.
--
https://bugs.launchpad.net/bugs/995681
Title:
Allow for user auto-creation via SAML for multi-tenanted Mahara
Status in Mahara:
Fix Committed
Bug description:
SAML authentication in a multi-tenanted Mahara installation can only
be used if "Match username attribute to remote username" is turned on,
cf. http://manual.mahara.org/en/1.5_STABLE/site_admin/institutions.html#saml-authentication
for security reasons.
The current code base does not allow for auto-creation of accounts AND
a secure setting in a multi-tenanted Mahara.
The main problem would be sorting out what the username should be in
the multi-tenant situation as they have to be unique, but all the
names are coming in from different systems that almost certainly don't
use the same or globally unique conventions.
In a multi-tenanted Mahara instance it should also be taken into
account what usernames that are created on the fly by SAML should be
like to be unique. Using the email address as identifier might not be
a good thing as users switch between institutions and thus they'd have
to remember an old email address for internal login or even with SSO
always have the old address show up in the user search.
Another issue is that esp. in a multi-tenanted Mahara users might
switch between institutions and thus should be able to keep their
accounts. If accounts are always auto-created by SSO this might become
less likely unless the "Auto-link accounts" option is turned on.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/995681/+subscriptions
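The lookup described in the commit message and bug description, as an added example that is not part of the original message and is not Mahara's code: a simplified Python model in which each SAML auth instance names an institution identifier attribute and remote usernames are scoped to the instance. Class names, attribute names, single-valued attributes and the numeric-suffix rule for local usernames are assumptions; the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AuthInstance:          # hypothetical model of one SAML auth instance
    id: int
    institution: str
    inst_attribute: str      # SAML attribute carrying the institution identifier
    inst_value: str          # value that selects this institution
    user_attribute: str      # SAML attribute carrying the remote username
    auto_create: bool

@dataclass
class Directory:
    local_users: dict = field(default_factory=dict)  # local username -> institution
    remote_map: dict = field(default_factory=dict)   # (instance id, remote name) -> local username

    def unique_local_name(self, wanted):
        # Local usernames are unique site-wide; add a numeric suffix on collision
        # (assumed rule for this example).
        name, n = wanted, 1
        while name in self.local_users:
            n += 1
            name = f"{wanted}{n}"
        return name

    def login(self, instances, attrs):
        # Pick the auth instance whose institution identifier matches the assertion.
        inst = next((i for i in instances
                     if attrs.get(i.inst_attribute) == i.inst_value), None)
        if inst is None:
            return None                  # no tenant claims this assertion: reject
        remote = attrs.get(inst.user_attribute)
        if not remote:
            return None                  # no remote username to match on
        key = (inst.id, remote)          # remote name is scoped to the instance
        if key in self.remote_map:
            return self.remote_map[key]  # existing account linked to this remote name
        if not inst.auto_create:
            return None
        local = self.unique_local_name(remote)
        self.local_users[local] = inst.institution
        self.remote_map[key] = local
        return local

# Constructed sample: two tenants behind one IdP, both sending the username "jsmith".
INSTANCES = [AuthInstance(1, "uni-a", "org", "a.example", "uid", True),
             AuthInstance(2, "uni-b", "org", "b.example", "uid", True)]
```

Because the mapping key includes the auth instance, the same remote username from two institutions resolves to two separate local accounts, and an assertion whose institution identifier matches no instance creates nothing.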