Public bug reported:

SAML authentication in a multi-tenanted Mahara installation can only be
used if "Match username attribute to remote username" is turned on, cf.
http://manual.mahara.org/en/1.5_STABLE/site_admin/institutions.html#saml-authentication
for security reasons.

The current code base does not allow for auto-creation of accounts AND a
secure setting in a multi-tenanted Mahara.

The main problem would be sorting out what the username should be in the
multi-tenant situation as they have to be unique, but all the names are
coming in from different systems that almost certainly don't use the
same or globally unique conventions.

In a multi-tenanted Mahara instance it should also be taken into account
what usernames that are created on the fly by SAML should be like to be
unique. Using the email address as identifier might not be a good thing
as users switch between institutions and thus they'd have to remember an
old email address for internal login or even with SSO always have the
old address show up in the user search.

Another issue is that esp. in a multi-tenanted Mahara users might switch
between institutions and thus should be able to keep their accounts. If
accounts are always auto-created by SSO this might become less likely
unless the "Auto-link accounts" option is turned on.

** Affects: mahara
     Importance: Wishlist
         Status: Triaged


** Tags: authentication

https://bugs.launchpad.net/bugs/995681

Title:
  Allow for user auto-creation via SAML for multi-tenanted Mahara

Status in Mahara ePortfolio:
  Triaged
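
Added example, not part of the bug report and not Mahara code: a small Python model of the username-uniqueness problem the description raises. The class, method and institution names are hypothetical; it contrasts matching a SAML-asserted name against the global username with matching on (institution, remote username), auto-creating a unique local username and linking a second institution's identity to an existing account.

```python
# Constructed model, not Mahara code: every name below is hypothetical.
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Directory:
    """Local accounts plus a per-institution map of remote usernames."""
    accounts: dict = field(default_factory=dict)  # local username -> account id
    remote: dict = field(default_factory=dict)    # (institution, remote name) -> account id
    _ids: count = field(default_factory=lambda: count(1))

    def naive_login(self, institution, remote_name):
        """Match the asserted name straight against the global username."""
        if remote_name not in self.accounts:
            self.accounts[remote_name] = next(self._ids)
        return self.accounts[remote_name]

    def scoped_login(self, institution, remote_name):
        """Match on (institution, remote name); auto-create on first sight."""
        key = (institution, remote_name)
        if key not in self.remote:
            self.remote[key] = self._create(remote_name)
        return self.remote[key]

    def link(self, institution, remote_name, account_id):
        """Attach another institution's identity to an existing account."""
        self.remote[(institution, remote_name)] = account_id

    def _create(self, wanted):
        """Pick a free local username, adding a numeric suffix on a clash."""
        name, n = wanted, 1
        while name in self.accounts:
            n += 1
            name = f"{wanted}{n}"
        self.accounts[name] = next(self._ids)
        return self.accounts[name]


def collision_demo():
    """Two institutions both assert 'jsmith' for two different people."""
    naive, scoped = Directory(), Directory()
    naive_ids = (naive.naive_login("inst-a", "jsmith"),
                 naive.naive_login("inst-b", "jsmith"))
    scoped_ids = (scoped.scoped_login("inst-a", "jsmith"),
                  scoped.scoped_login("inst-b", "jsmith"))
    return naive_ids, scoped_ids, sorted(scoped.accounts)
```

With global matching both people land on one account; with scoped matching each gets a separate account, and the second local username is made unique by a suffix.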

