On 05/06/12 00:24, Richard Mansfield wrote:
On 01/06/12 21:30, Simon Story wrote:
So therefore, you can't have auto user creation of SAML
users without usersuniquebyusername = 1. The manual says the
same.
Damn, I'm the one who's crazy, I
On 01/06/12 21:30, Simon Story wrote:
Hi Richard,
As it is, you can't enable (SAML) user auto-creation without also
setting usersuniquebyusername = 1. Honest. Please try it. I'm begging
you. You must think I am crazy. Maybe I am.
...you get the error 'You can only choose user auto
As it is, the SAML library will forbid the login if any institution has
registration enabled. Check line 124 of htdocs/auth/saml/lib.php .
I think Piers' reasoning was that if registration is enabled there
is not much stopping someone creating a user with the same username as a
SAML
Yes, that's right - the code there was copied out of the xmlrpc plugin,
but it's only when usersuniquebyusername is on that it's necessary to
forbid the login in this way.
If usersuniquebyusername is off, and registration is on, someone *can*
create a user with the same username as a SAML
It kinda does, it logs it. But you only get the log message after you've
already configured it and everything looks fine.
I was thinking I could create a patch that comes back with the red
warning text the other options on that SAML screen can also come back
with if there is something wrong.
Well, that wasn't hard. Attached is a patch to master made with git
format-patch.
** Patch added:
0001-Display-an-error-if-a-user-tries-to-enable-auto-crea.patch
Simon, awesome, thanks - just one thing - shouldn't it only be an error
when usersuniquebyusername is on? Under normal circumstances it's fine
to have one institution with weautocreateusers and another with
registration on, isn't it?
--
You received this bug notification because you are a
Error handling would be useful so when it falls over, there's some
indication of why.
** Changed in: mahara
Status: New => Triaged
** Changed in: mahara
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Mahara
Contributors, which is
You shouldn't have to poke the database to make auto-creation work on
an existing installation.
Simon, I don't think it's too bad. If the site admin is willing to turn
on an undocumented option which is not recommended, has plenty of
security warnings around it, and which you can't do via the
Fair question, it's the SAML module that has this restriction. I thought
it was generic. Looking at the code, the XMLRPC probably also has this
restriction.
See line 154 of htdocs/auth/xmlrpc/lib.php and line 124 of
htdocs/auth/saml/lib.php . The plugin blocks auto-creation if any
institution
The problem is the configuration ends up in two different states,
depending on the order you do things in.
This is pretty minor, the docs do warn that registerallowed needs to
be 0 once you set usersuniquebyusername = 1.
People attempting to add SAML (And probably XMLRPC) authentication to