Public bug reported: SAML authentication in a multi-tenanted Mahara installation can only be used if "Match username attribute to remote username" is turned on, cf. http://manual.mahara.org/en/1.5_STABLE/site_admin/institutions.html #saml-authentication for security reasons.
The current code base does not allow for auto-creation of accounts AND a secure setting in a multi-tenanted Mahara. The main problem would be sorting out what the username should be in the multi-tenant situation as they have to be unique, but all the names are coming in from different systems that almost certainly don't use the same or globally unique conventions. In a multi-tenanted Mahara instance it should also be taken into account what usernames that are created on the fly by SAML should be like to be unique. Using the email address as identifier might not be a good thing as users switch between institutions and thus they'd have to remember an old email address for internal login or even with SSO always have the old address show up in the user search. Another issue is that esp. in a multi-tenanted Mahara users might switch between institutions and thus should be able to keep their accounts. If accounts are always auto-created by SSO this might become less likely unless the "Auto-link accounts" option is turned on. ** Affects: mahara Importance: Wishlist Status: Triaged ** Tags: authentication -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/995681 Title: Allow for user auto-creation via SAML for multi-tenanted Mahara Status in Mahara ePortfolio: Triaged Bug description: SAML authentication in a multi-tenanted Mahara installation can only be used if "Match username attribute to remote username" is turned on, cf. http://manual.mahara.org/en/1.5_STABLE/site_admin/institutions.html #saml-authentication for security reasons. The current code base does not allow for auto-creation of accounts AND a secure setting in a multi-tenanted Mahara. The main problem would be sorting out what the username should be in the multi-tenant situation as they have to be unique, but all the names are coming in from different systems that almost certainly don't use the same or globally unique conventions. In a multi-tenanted Mahara instance it should also be taken into account what usernames that are created on the fly by SAML should be like to be unique. Using the email address as identifier might not be a good thing as users switch between institutions and thus they'd have to remember an old email address for internal login or even with SSO always have the old address show up in the user search. Another issue is that esp. in a multi-tenanted Mahara users might switch between institutions and thus should be able to keep their accounts. If accounts are always auto-created by SSO this might become less likely unless the "Auto-link accounts" option is turned on. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/995681/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp