mahara-contributors team mailing list archive
Message #42844
[Bug 1694175] [NEW] The loginlink option for SAML not working as expected
Public bug reported:
OK, this is what I've found regarding the 'Allow users to link their own
account' option in SAML:
One can only link their account if they are already logged in locally to
Mahara, and THEN try to log in via SAML and have that login fail; then
we offer to link the SAML attempt -> local one.
Which seems very bad, having a failure allowed to log in.
Which also seems to contradict the manual, which says "Allow users to
link own account: Switch to “Yes” if you want to allow users to link
their own internal Mahara account to the authenticated SAML account."
On a successful login via SAML we never reach the loginlink code, as we are redirected away.
This is in auth/saml/index.php
See https://reviews.mahara.org/#/c/483/7
What needs to happen is to have the request_user_authorise() function in
the auth/saml/lib.php file (actually this could be for all auth
methods) check for the 'loginlink' config attribute and, if on, then we
could have a $user->find_by_email() option which checks if the email
exists and is only used for 1 user and, if so, join the account with that
user.
The manual also mentions "match their username as well as the email for
example match an internal username, they can link their accounts", but
the problem is we can't always control what username is sent from the
IdP/LTI integration, so it would be better to just match on the email
address, as that seems to be the only reliable constant when using
different auth methods in a parent/child relationship.
** Affects: mahara
Importance: Wishlist
Status: Confirmed
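A model of the decision the report proposes for request_user_authorise(), as an added example that is not Mahara's own code. The account rows, the auth-instance array and the `idp_emails_verified` flag are hypothetical stand-ins (Mahara would query its usr table and its auth instance config; `loginlink` and `weautocreateusers` are used here only as plain array keys). The example adds the two guards a practitioner would want before linking on email alone: the email must belong to exactly one local account that is not already linked, and linking must be disabled unless the IdP is trusted to assert verified emails, since otherwise anyone who can set an email address at the IdP could be joined to the matching local account.

```php
<?php
// Added example, not Mahara code: a model of the "link by unique email"
// decision proposed for request_user_authorise().
// Hypothetical stand-ins: $users is an array of local account rows
// (Mahara would query the usr table) and $instance holds the SAML auth
// instance config. 'loginlink' and 'weautocreateusers' mirror Mahara's
// SAML settings; 'idp_emails_verified' is invented for this example.
declare(strict_types=1);

/**
 * Return the single local user whose email matches, or null when there are
 * zero or several matches. An email shared by more than one account is
 * ambiguous and must never be auto-linked.
 */
function find_unique_user_by_email(array $users, string $email): ?array
{
    $needle = strtolower(trim($email));
    $matches = array_values(array_filter(
        $users,
        fn(array $u) => strtolower(trim($u['email'])) === $needle
    ));
    return count($matches) === 1 ? $matches[0] : null;
}

/**
 * Decide what to do with a SAML assertion whose signature has already been
 * verified. Returns ['action' => 'login'|'link'|'create'|'deny', 'user' => row|null].
 */
function decide_saml_account_action(array $users, array $instance, string $remoteuser, string $email): array
{
    // 1. Already linked remote user: normal login, loginlink never needs to run.
    foreach ($users as $u) {
        if (($u['remoteuser'] ?? '') === $remoteuser) {
            return ['action' => 'login', 'user' => $u];
        }
    }

    $fallback = !empty($instance['weautocreateusers']) ? 'create' : 'deny';

    // 2. loginlink off, or the IdP is not trusted to assert verified emails:
    //    never link on email alone.
    if (empty($instance['loginlink']) || empty($instance['idp_emails_verified'])) {
        return ['action' => $fallback, 'user' => null];
    }

    // 3. loginlink on: link only to the unique, not-yet-linked local account.
    $match = find_unique_user_by_email($users, $email);
    if ($match !== null && empty($match['remoteuser'])) {
        return ['action' => 'link', 'user' => $match];
    }
    return ['action' => $fallback, 'user' => null];
}

// Constructed sample data (not real accounts).
$users = [
    ['id' => 1, 'username' => 'alice', 'email' => 'alice@example.org',  'remoteuser' => null],
    ['id' => 2, 'username' => 'bob',   'email' => 'shared@example.org', 'remoteuser' => null],
    ['id' => 3, 'username' => 'bobby', 'email' => 'shared@example.org', 'remoteuser' => null],
    ['id' => 4, 'username' => 'carol', 'email' => 'carol@example.org',  'remoteuser' => 'carol@idp'],
];
$instance = ['loginlink' => 1, 'weautocreateusers' => 0, 'idp_emails_verified' => 1];

foreach ([
    ['alice@idp', 'Alice@Example.org'],   // unique match, case differs
    ['bob@idp',   'shared@example.org'],  // email owned by two accounts
    ['carol@idp', 'carol@example.org'],   // remote user already linked
    ['dave@idp',  'dave@example.org'],    // no local account, autocreate off
] as [$remoteuser, $email]) {
    $r = decide_saml_account_action($users, $instance, $remoteuser, $email);
    printf("%-10s %-20s -> %s%s\n", $remoteuser, $email, $r['action'],
        $r['user'] ? ' (' . $r['user']['username'] . ')' : '');
}
```

Run it with `php linklogic.php`. The email comparison is normalised (trimmed, lower-cased) because IdPs and LTI consumers rarely agree on case; the match is still rejected when two local rows share the address, which is the "only used for 1 user" condition from the report.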
--
https://bugs.launchpad.net/bugs/1694175