mahara-contributors team mailing list archive
Message #53657
[Bug 548061] Re: Multiple authinstances with parents - potentially needs UI work.
** Changed in: mahara
Status: Triaged => Won't Fix
https://bugs.launchpad.net/bugs/548061
Title:
Multiple authinstances with parents - potentially needs UI work.
Status in Mahara:
Won't Fix
Bug description:
An example situation: Two Moodles are SSOing into Mahara. They are
both set up as XMLRPC with an LDAP parent.
This breaks when each Moodle has a user of the same username. For
example aaron. Because one is given the name 'aaron' when they SSO in,
and the other is given the name 'aaron1' - which will never work for
the parent authentication, as it doesn't know about an 'aaron1' user.
Therefore, that means either:
1. Only one of the xmlrpc authinstances can have a given LDAP server as parent authentication, across all institutions in Mahara, or
2. Usernames would have to be unique across BOTH Moodles, to prevent this situation occurring, or
3. You need to turn on the usersuniquebyusername configuration setting - which assumes that users with the same name in different Moodles are the same person and thus SSO into the same Mahara account.
There's no other way around this, as far as I can see.
The upshot of this is:
You can't use two parent authentication instances that will answer
for the same username, unless they're actually the same person in the
remote applications. And if that is the case, you have to turn on
"usersuniquebyusername". If that is not the case, then the XMLRPC
authinstances can't really have parents - users have to sign in
through SSO.
If you're only MNETting with one Moodle, then the authinstance can
safely have a parent.
Richard suggests that we could somehow display to people in Mahara
their username (perhaps on first login, sent to them by e-mail and in
the profile sideblock), which _might_ work as long as we use the
auth_remote_user table to look up what their username in the parent
authinstance actually is when trying to sign them on. But it also
relies on users understanding when they are using the Mahara login
form instead of the Moodle one, and thus that they should use the
correct username.
So, in short, this bug is about:
* Do we change the admin UI somehow based on these limitations? I.e.
only allow one authinstance to have a parent unless
usersuniquebyusername is on/the admin is given a warning about having
more than one parent?
* Do we tell users their username in Mahara so they can log in there?
Low prio cos I don't think an answer is needed right now, but at least
the problem is documented while I have it all in my head :)
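A toy model of the collision described in the report, added here as an illustration and not taken from Mahara's code. The class, its method names, the in-memory stand-in for the auth_remote_user table, the authinstance labels and the sample credential are all assumptions.

```python
# Toy model of the username collision; NOT Mahara code. All names are hypothetical.
PARENT_LDAP = {"aaron": "s3cret"}  # constructed: the parent only knows 'aaron'


class MaharaModel:
    def __init__(self, usersuniquebyusername=False):
        self.usersuniquebyusername = usersuniquebyusername
        self.local_users = set()
        # Stand-in for auth_remote_user: (authinstance, remote name) -> local name
        self.remote_user = {}

    def sso_login(self, authinstance, remote_name):
        """XMLRPC SSO arrival: return the local username, creating it if needed."""
        key = (authinstance, remote_name)
        if key not in self.remote_user:
            local = remote_name
            if not self.usersuniquebyusername:
                suffix = 0
                while local in self.local_users:  # name taken: aaron -> aaron1
                    suffix += 1
                    local = f"{remote_name}{suffix}"
            self.local_users.add(local)
            self.remote_user[key] = local
        return self.remote_user[key]

    def form_login(self, local_name, password, map_to_remote=False):
        """Login on Mahara's own form, checked against the parent authinstance."""
        if local_name not in self.local_users:
            return False
        name_for_parent = local_name
        if map_to_remote:  # the auth_remote_user lookup suggested in the report
            for (_inst, remote), local in self.remote_user.items():
                if local == local_name:
                    name_for_parent = remote
        return name_for_parent in PARENT_LDAP and PARENT_LDAP[name_for_parent] == password


def demo():
    site = MaharaModel()
    first = site.sso_login("moodle_a", "aaron")
    second = site.sso_login("moodle_b", "aaron")
    merged = MaharaModel(usersuniquebyusername=True)
    same = merged.sso_login("moodle_a", "aaron") == merged.sso_login("moodle_b", "aaron")
    return {
        "names": (first, second),
        "aaron1_plain": site.form_login(second, "s3cret"),
        "aaron1_mapped": site.form_login(second, "s3cret", map_to_remote=True),
        "merged_same_account": same,
    }
```

In the mapped case both local accounts end up answering to the parent's single 'aaron' credential, which is the condition the report flags: that is only acceptable when the two remote users really are the same person.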