The loginlink option for SAML not working as expected
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Confirmed | Medium | Unassigned | 
Bug Description
OK, this is what I've found regarding the 'Allow users to link their own account' option in SAML.
One can only link their account if they are already logged in locally to Mahara, and THEN try to log in via SAML and have that login fail; then we offer to link the SAML attempt -> local one.
Which seems very bad, having a failure allowed to log in.
Which seems to also contradict the manual, which says "Allow users to link own account: Switch to “Yes” if you want to allow users to link their own internal Mahara account to the authenticated SAML account."
On successful login via SAML we never reach the loginlink code, as we are redirected away.
This is in auth/saml/index.php
See https:/
What needs to happen is have the auth/saml/lib.php file request_
The manual also mentions "match their username as well as the email for example match an internal username, they can link their accounts", but the problem is we can't always control what username is sent from the IdP/LTI integration, so it would be better to just match on the email address, as that seems to be the only reliable constant when using different auth methods in a parent/child relationship.
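To make the flow described in this report concrete, here is an added example (not Mahara's code and not from auth/saml/index.php) that models the linking decision: match an incoming SAML assertion to a local account by email only, log in straight away if the identity is already linked, and offer to link only when the user is already authenticated locally as the matching account. The `LocalUser` structure, the `nameid`/`email` attribute names and the sample accounts are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class LocalUser:
    """Minimal stand-in for a Mahara account (assumed shape, not Mahara's model)."""
    username: str
    email: str
    # IdP-side identifiers (e.g. SAML NameID values) already linked to this account
    linked_ids: frozenset = frozenset()

def normalise_email(addr: str) -> str:
    """Trim and lower-case so ' Bob@Example.ORG' and 'bob@example.org' compare equal."""
    return addr.strip().lower()

def saml_login_decision(saml_attrs: dict, local_users: list,
                        session_user: Optional[LocalUser]) -> str:
    """Decide what to do after the IdP has authenticated the user.

    Returns one of:
      'login'                - an account already linked to this IdP identity exists
      'offer_link'           - user is logged in locally as the account whose email matches
      'local_login_required' - email matches a local account, but the user has not proved
                               ownership of it by logging in locally first
      'deny'                 - no matching account; auto-creation is a separate setting
                               and is not modelled here
    Matching uses the email attribute only, as the report proposes, because the
    username sent by the IdP/LTI integration is not under Mahara's control.
    """
    idp_id = saml_attrs.get("nameid", "")
    email = normalise_email(saml_attrs.get("email", ""))

    # 1. Already linked: plain login, the loginlink code is never needed.
    if idp_id and any(idp_id in u.linked_ids for u in local_users):
        return "login"

    # 2. Not linked yet: look for a local account with the same email.
    match = next((u for u in local_users
                  if email and normalise_email(u.email) == email), None)
    if match is None:
        return "deny"

    # 3. Only offer the link to someone already authenticated locally as that account.
    if session_user is not None and session_user.username == match.username:
        return "offer_link"
    return "local_login_required"

# Constructed sample accounts for trying the function out (not real data).
SAMPLE_USERS = [
    LocalUser("alice", "Alice@Example.org", frozenset({"idp-001"})),
    LocalUser("bob", "bob@example.org"),
]
```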
Changed in mahara:
importance: Wishlist → Medium
Ah, unless the existing code means the SAML auth at the IdP end is good but the login into Mahara fails because we can't create a new user, so it offers to link to an existing account if one exists.