mahara-contributors team mailing list archive

[Bug 1879594] [NEW] SAML role mapping removing ones manually set

 

Public bug reported:

With the new SAML role mapping it allows the setting / removal of roles
to a user at login time based on what roles are passed through from the
IDP.

This has now highlighted the following problems:

1) If the IDP does not send through role information then the user will
be stripped of admin / staff roles - so when we set them manually they
disappear at the next login

2) The institution staff / admin roles don't seem to be removed when
the user doesn't have that role

We need to fix problem (2) and we need to add some functionality that
deals with avoiding the problem in (1)

It has been suggested that we add a flag to the SAML auth so in the
config for SAML auth we need to add below the role prefix field a switch
so the following options will exist.

Switch ON
 - If roles array from IdP is set and 'SSO field for roles' is set -> Respect the IdP roles values on all logins - even if the roles array is empty
 - If roles array from IdP is not set and/or 'SSO field for roles' is not set -> Ignore setting roles from IdP

Switch OFF
 -> Ignore setting roles from IdP

** Affects: mahara
     Importance: Wishlist
         Status: New

https://bugs.launchpad.net/bugs/1879594
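
The switch behaviour proposed in the report, written out as an added sketch (not Mahara code and not part of the original message). The role names, the way the role prefix is stripped, and the function names are assumptions made for illustration; the point is the difference between a roles attribute that is absent and one that is present but empty.

```python
# Added illustration, not Mahara code. Role names and prefix handling are assumed.
MANAGED_ROLES = frozenset({"siteadmin", "sitestaff", "instadmin", "inststaff"})


def roles_after_login(current, attributes, role_field, role_prefix, switch_on):
    """Return the role set a user should hold after a SAML login.

    current     -- roles held now, including manually granted ones
    attributes  -- dict of attribute name -> list of values from the IdP
    role_field  -- the configured 'SSO field for roles' (None or '' if unset)
    """
    current = set(current)
    role_prefix = role_prefix or ""
    # Switch OFF, no field configured, or attribute not sent: ignore the IdP.
    if not switch_on or not role_field or role_field not in attributes:
        return current
    # Attribute sent (even as an empty list): the IdP is authoritative for
    # every managed role, site-level and institution-level alike.
    asserted = set()
    for value in attributes[role_field]:
        if not value.startswith(role_prefix):
            continue
        role = value[len(role_prefix):]
        if role in MANAGED_ROLES:
            asserted.add(role)
    return (current - MANAGED_ROLES) | asserted


def role_changes(before, after):
    """Return (granted, revoked) as sorted lists, suitable for an audit log."""
    before, after = set(before), set(after)
    return sorted(after - before), sorted(before - after)


def demo():
    # Constructed sample: a user whose admin roles were granted manually.
    manual = {"member", "siteadmin", "instadmin"}
    cases = {
        "attribute absent": ({"mail": ["a@example.org"]}, True),
        "attribute empty": ({"roles": []}, True),
        "switch off": ({"roles": ["mahara_sitestaff"]}, False),
        "institution downgrade": ({"roles": ["mahara_inststaff"]}, True),
    }
    return {name: roles_after_login(manual, attrs, "roles", "mahara_", on)
            for name, (attrs, on) in cases.items()}


if __name__ == "__main__":
    for name, roles in demo().items():
        print(name, sorted(roles))
```
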