diff -Nru mahara-1.2.7/debian/changelog mahara-1.2.7/debian/changelog
--- mahara-1.2.7/debian/changelog 2011-11-15 09:11:04.000000000 +0000
+++ mahara-1.2.7/debian/changelog 2012-03-12 23:49:23.000000000 +0000
@@ -1,3 +1,11 @@
+mahara (1.2.7-1ubuntu0.3) natty-security; urgency=low
+
+ * SECURITY UPDATE: Fix default config for sites with multiple SAML instances
+ - Default configuration changed to prevent impersonation
+ - debian/patches/saml_multi_default_config.patch: upstream patch
+
+ -- Melissa Draper Mon, 12 Mar 2012 23:31:20 +0000
+
 mahara (1.2.7-1ubuntu0.2) natty-security; urgency=low
 
 * SECURITY UPDATE: XSS in unvalidated URI attributes
diff -Nru mahara-1.2.7/debian/patches/saml_multi_default_config.patch mahara-1.2.7/debian/patches/saml_multi_default_config.patch
--- mahara-1.2.7/debian/patches/saml_multi_default_config.patch 1970-01-01 00:00:00.000000000 +0000
+++ mahara-1.2.7/debian/patches/saml_multi_default_config.patch 2012-03-12 23:49:23.000000000 +0000
@@ -0,0 +1,87 @@
+From 2e5a22996612d88f8797d4c87b2abbf8a11abf43 Mon Sep 17 00:00:00 2001
+From: Francois Marier
+Date: Mon, 20 Feb 2012 14:50:32 +1300
+Subject: [PATCH] 1.2 patch for saml stuff
+
+Change-Id: I8ffa45e3dc8f5b13f12f726ded728387f6e781a6
+---
+ htdocs/auth/saml/lang/en.utf8/auth.saml.php | 3 ++-
+ htdocs/auth/saml/lib.php | 19 +++++++++++++++----
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/htdocs/auth/saml/lang/en.utf8/auth.saml.php b/htdocs/auth/saml/lang/en.utf8/auth.saml.php
+index b1e66e2..15179f5 100644
+--- a/htdocs/auth/saml/lang/en.utf8/auth.saml.php
++++ b/htdocs/auth/saml/lang/en.utf8/auth.saml.php
+@@ -35,7 +35,8 @@ $string['errnosamluser'] = 'No User found';
+ $string['errorbadlib'] = 'SimpleSAMLPHP lib directory %s is not correct.';
+ $string['errorbadconfig'] = 'SimpleSAMLPHP config directory %s is in correct.';
+ $string['errorbadcombo'] = 'You can only choose user auto creation if you have not selected remoteuser';
+-//$string['idpidentity'] = 'IdP Identity Service';
++$string['errormissinguserattributes'] = 'You seem to be authenticated but we did not receive the required user attributes. Please check that your Identity Provider releases these SSO fields for First Name, Surname, and Email to the Service Provider Mahara is running on or inform the webmaster of this server.';
++$string['errorremoteuser'] = 'Matching on remoteuser is mandatory if usersuniquebyusername is turned off';
+ $string['institutionattribute'] = 'Institution attribute (contains "%s")';
+ $string['institutionvalue'] = 'Institution value to check against attribute';
+ $string['institutionregex'] = 'Do partial string match with institution shortname';
+diff --git a/htdocs/auth/saml/lib.php b/htdocs/auth/saml/lib.php
+index 4e2ab67..32ed408 100644
+--- a/htdocs/auth/saml/lib.php
++++ b/htdocs/auth/saml/lib.php
+@@ -47,7 +47,7 @@ class AuthSaml extends Auth {
+ $this->config['institutionregex'] = 0;
+ $this->config['institutionvalue'] = '';
+ $this->config['updateuserinfoonlogin'] = 1;
+- $this->config['remoteuser'] = false;
++ $this->config['remoteuser'] = true;
+ $this->instanceid = $id;
+
+ if (!empty($id)) {
+@@ -105,6 +105,7 @@ class AuthSaml extends Auth {
+
+ // Retrieve a $user object. If that fails, create a blank one.
+ try {
++ $isremote = $this->config['remoteuser'] ? true : false;
+ $user = new User;
+ if (get_config('usersuniquebyusername')) {
+ // When turned on, this setting means that it doesn't matter
+@@ -135,9 +136,15 @@ class AuthSaml extends Auth {
+ . "somewhere else. Please turn this setting on in Site Options");
+ throw new AccessDeniedException();
+ }
+-
+ }
+- $isremote = $this->config['remoteuser'] ? true : false;
++ else {
++ if (!$isremote){
++ log_warn("usersuniquebyusername is turned off but remoteuser has not been set on for this institution: $institutionname. "
++ . "This is a security risk as users from different institutions with different IdPs can hijack "
++ . "each others accounts. Fix this in the institution level auth/saml settings.");
++ throw new AccessDeniedException();
++ }
++ }
+ if ($isremote) {
+ $user->find_by_instanceid_username($this->instanceid, $remoteuser, $isremote);
+ }
+@@ -280,7 +287,7 @@ class PluginAuthSaml extends PluginAuth {
+ 'institutionattribute' => '',
+ 'institutionvalue' => '',
+ 'institutionregex' => 0,
+- 'remoteuser' => 0,
++ 'remoteuser' => 1,
+ );
+
+ public static function has_config() {
+@@ -473,6 +480,10 @@ class PluginAuthSaml extends PluginAuth {
+ $form->set_error('simplesamlphpconfig', get_string('errorbadconfig', 'auth.saml', $values['simplesamlphpconfig']));
+ }
+ }
++ // only allow remoteuser to be unset if usersuniquebyusername is NOT set
++ if (isset($values['remoteuser']) && !get_config('usersuniquebyusername') && !$values['remoteuser']) {
++ $form->set_error('remoteuser', get_string('errorremoteuser', 'auth.saml'));
++ }
+ if (isset($values['weautocreateusers'])) {
+ if ($values['weautocreateusers'] && $values['remoteuser']) {
+ $form->set_error('weautocreateusers', get_string('errorbadcombo', 'auth.saml'));
+--
+1.7.9
+
diff -Nru mahara-1.2.7/debian/patches/series mahara-1.2.7/debian/patches/series
--- mahara-1.2.7/debian/patches/series 2011-11-15 09:11:04.000000000 +0000
+++ mahara-1.2.7/debian/patches/series 2012-03-12 23:49:23.000000000 +0000
@@ -7,3 +7,4 @@
 CVE-2011-2771.patch
 CVE-2011-2773.patch
 mnet_masquerading.patch
+saml_multi_default_config.patch
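Review bot: The new validation in PluginAuthSaml (the `@@ -473,6 +480,10 @@` hunk of the embedded patch) is guarded by `isset($values['remoteuser'])`, so if the submitted form ever lacks that key the insecure combination (usersuniquebyusername off, remoteuser off) passes validation untouched, while the `weautocreateusers` check two lines below reads `$values['remoteuser']` without any guard; the two checks should agree, e.g. `if (!get_config('usersuniquebyusername') && empty($values['remoteuser'])) {`. In the AuthSaml `@@ -135,9 +136,15 @@` hunk the new log_warn interpolates `$institutionname`, which is not assigned anywhere in the visible lines — if it is not defined earlier in the method the warning is emitted with an empty institution name and a notice, so its origin is worth confirming. The same hunk writes `if (!$isremote){` without a space before the brace, unlike the surrounding code. The enclosing AuthSaml method starts before and ends after this hunk, and the runtime deny is the only thing protecting instances already stored with remoteuser=0, since the changed defaults only affect newly created instances.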