
mahara-contributors team mailing list archive

[Bug 1694175] Re: The loginlink option for SAML not working as expected

 

** Changed in: mahara
   Importance: Wishlist => Medium

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1694175

Title:
  The loginlink option for SAML not working as expected

Status in Mahara:
  Confirmed

Bug description:
  OK, this is what I've found regarding the 'Allow users to link their
  own account' option in SAML.

  One can only link their account if they are already logged in locally
  to Mahara, and THEN try to log in via SAML and have that login fail;
  then we offer to link the SAML attempt -> local one.

  Which seems very bad, having a failure allowed to log in.

  Which seems to also contradict the manual, which says "Allow users to
  link own account: Switch to “Yes” if you want to allow users to link
  their own internal Mahara account to the authenticated SAML account."

  
  On successful login via SAML we never reach the loginlink code as we are redirected away.

  This is in auth/saml/index.php
  See https://reviews.mahara.org/#/c/483/7

  What needs to happen is to have the auth/saml/lib.php file's
  request_user_authorise() function (actually could be for all auth
  methods) check for the 'loginlink' config attribute, and if it is on
  then we could have a $user->find_by_email() option which checks if the
  email exists and is only used for 1 user, and if so joins the account
  with that user.

  The manual also mentions "match their username as well as the email
  for example match an internal username, they can link their accounts"
  but the problem is we can't always control what username is sent from
  IdP/LTI integration so it would be better to just match on the email
  address as that seems to be the only reliable constant when using
  different auth methods in a parent/child relationship.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1694175/+subscriptions
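
The check proposed in the bug description (link only after a successful SAML login, only when 'loginlink' is on, and only when the email belongs to exactly one user), written out as an added example. It is not Mahara's code: resolve_link_target(), the assertion array shape and the sample users are hypothetical.

```php
<?php
// Added illustration, not Mahara code. All names and data are hypothetical.

/**
 * Decide whether a SAML login may be linked to an existing local account.
 * $assertion: constructed shape ['authenticated' => bool, 'email' => string]
 * $users:     rows of ['id' => int, 'email' => string] standing in for the user table
 * Returns the user id to link, or null when linking must not happen.
 */
function resolve_link_target(array $assertion, array $users, bool $loginlink): ?int {
    // Never link on a failed SAML login: it proves nothing about the caller.
    if (empty($assertion['authenticated'])) {
        return null;
    }
    // Linking is opt-in through the 'loginlink' setting.
    if (!$loginlink) {
        return null;
    }
    $email = strtolower(trim($assertion['email'] ?? ''));
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Collect every account using this address (case-insensitive).
    $matches = [];
    foreach ($users as $u) {
        if (strtolower(trim($u['email'])) === $email) {
            $matches[] = $u['id'];
        }
    }
    // Link only when exactly one user owns the address; 0 or 2+ is refused.
    return count($matches) === 1 ? $matches[0] : null;
}

// Constructed sample data.
$users = [
    ['id' => 1, 'email' => 'alice@example.org'],
    ['id' => 2, 'email' => 'shared@example.org'],
    ['id' => 3, 'email' => 'Shared@example.org'],
];
$cases = [
    'success, unique email'  => [['authenticated' => true,  'email' => 'Alice@Example.org'], true],
    'failed SAML login'      => [['authenticated' => false, 'email' => 'alice@example.org'], true],
    'email on two accounts'  => [['authenticated' => true,  'email' => 'shared@example.org'], true],
    'loginlink switched off' => [['authenticated' => true,  'email' => 'alice@example.org'], false],
];
foreach ($cases as $label => [$assertion, $loginlink]) {
    $id = resolve_link_target($assertion, $users, $loginlink);
    printf("%-24s => %s\n", $label, $id === null ? 'no link' : "link to user $id");
}
```

Matching on email is only as trustworthy as the IdP's assertion of that address, so this check assumes the email attribute comes from a validated SAML response.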

