SAML role mapping removing ones manually set
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Confirmed | Wishlist | Unassigned |
Bug Description
The new SAML role mapping allows the setting / removal of roles for a user at login time based on what roles are passed through from the IDP.
This has now highlighted the following problems:
1) If the IDP does not send through role information then the user will be stripped of admin / staff roles - so when we set them manually they disappear in next login
2) The institution staff / admin roles don't seem to be removed when user doesn't have that role
We need to fix problem (2) and we need to add some functionality that deals with avoiding the problem in (1)
It has been suggested that we add a flag to the SAML auth so in the config for SAML auth we need to add below the role prefix field a switch so the following options will exist.
Switch ON
- If roles array from IdP is set and 'SSO field for roles' is set -> Respect the IdP roles values on all logins - even if the roles array is empty
- If roles array from IdP is not set and/or 'SSO field for roles' is not set -> Ignore setting roles from IdP
Switch OFF
-> Ignore setting roles from IdP
Changed in mahara: status: New → Confirmed
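The proposed switch hinges on the difference between a roles attribute that is absent and one that is present but empty. The following sketch of that decision table is an added example, not Mahara's code: the function name, role names and the way the role prefix is stripped are all assumptions made for illustration.

```php
<?php
// Added illustration. Names below are hypothetical, not Mahara's API.
const MANAGED_ROLES = ['siteadmin', 'sitestaff', 'instadmin', 'inststaff'];

/**
 * Return the roles a user holds after a SAML login.
 * $switchOn   proposed per-auth-instance switch
 * $roleField  configured 'SSO field for roles' (null or '' means not set)
 * $attributes attributes received from the IdP
 * $rolePrefix configured role prefix (assumed to be stripped from each value)
 * $current    roles the user holds before login, including manually set ones
 */
function roles_after_login(bool $switchOn, ?string $roleField, array $attributes,
                           string $rolePrefix, array $current): array {
    // Switch OFF, field not configured, or attribute not sent: ignore the IdP
    // and keep manually assigned roles (avoids problem 1).
    if (!$switchOn || $roleField === null || $roleField === ''
            || !array_key_exists($roleField, $attributes)) {
        return $current;
    }
    // Attribute present, even if empty: the IdP is authoritative for managed roles.
    $granted = [];
    foreach ((array) $attributes[$roleField] as $value) {
        $value = (string) $value;
        if ($rolePrefix !== '' && strpos($value, $rolePrefix) !== 0) {
            continue; // value does not carry the configured prefix
        }
        $role = substr($value, strlen($rolePrefix));
        if (in_array($role, MANAGED_ROLES, true)) {
            $granted[] = $role;
        }
    }
    // Drop every managed role not re-granted, institution roles included
    // (problem 2); roles outside the managed set are left untouched.
    $unmanaged = array_diff($current, MANAGED_ROLES);
    return array_values(array_unique(array_merge($unmanaged, $granted)));
}

// Constructed sample logins for a user with manually set roles.
$current = ['siteadmin', 'inststaff'];
$cases = [
    'attribute absent'  => [true,  'roles', []],
    'attribute empty'   => [true,  'roles', ['roles' => []]],
    'one role sent'     => [true,  'roles', ['roles' => ['mahara_inststaff']]],
    'switch off'        => [false, 'roles', ['roles' => []]],
    'field not set'     => [true,  null,    ['roles' => []]],
];
foreach ($cases as $label => [$on, $field, $attrs]) {
    echo $label, ': ', json_encode(roles_after_login($on, $field, $attrs, 'mahara_', $current)), "\n";
}
```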