I think it would make a lot of sense to add this. Currently there is a simple check in the SAML auth instance validation function (PluginAuthSaml::validate_instance_config_options()) which prevents you from enabling "We auto-create users" if you have also enabled "We use remote usernames". It was added with the initial support for remote usernames in commit 6389e53db814b7549527574463a57604e1666db3, but without any explanation why it was needed.
It seems pretty self-evident to me how this would work:

1. Logged-out user hits the Mahara login screen and clicks "SSO".
2. The user is sent to the SAML SSO login page, and logs in.
3. On their return (to auth/saml/index.php) we get their SAML attributes.
4. We identify the user's institution (and hence their auth instance) by the SAML institution attribute field and value (which are *required* settings for a SAML auth instance). We identify the user's remote username from the SAML username attribute field.
5. We look for a user with that auth instance and that remote username, in auth_remote_user.
6. If no user with that remote username and auth instance exists, we create an account, in the institution identified by the SAML institution attribute. We set its remote username (in auth_remote_user) based on the info from SAML. We give it a unique Mahara username derived from its remote username.

There's only a conflict if two different institutions are configured to use the same SAML config (including the same institution attribute and value). But that's true of every auth method. I've tested this code on my local workspace (with only one institution) by just commenting out a couple of checks in the validation function, and it works fine.

https://bugs.launchpad.net/bugs/995681

Title: Allow for user auto-creation via SAML for multi-tenanted Mahara

Status in Mahara: Triaged

Bug description:
SAML authentication in a multi-tenanted Mahara installation can only be used if "Match username attribute to remote username" is turned on, cf. http://manual.mahara.org/en/1.5_STABLE/site_admin/institutions.html#saml-authentication for security reasons.

The current code base does not allow for auto-creation of accounts AND a secure setting in a multi-tenanted Mahara. The main problem would be sorting out what the username should be in the multi-tenant situation as they have to be unique, but all the names are coming in from different systems that almost certainly don't use the same or globally unique conventions. In a multi-tenanted Mahara instance it should also be taken into account what usernames that are created on the fly by SAML should be like to be unique. Using the email address as identifier might not be a good thing as users switch between institutions and thus they'd have to remember an old email address for internal login or even with SSO always have the old address show up in the user search. Another issue is that esp. in a multi-tenanted Mahara users might switch between institutions and thus should be able to keep their accounts. If accounts are always auto-created by SSO this might become less likely unless the "Auto-link accounts" option is turned on.
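The following is an added model of steps 4 to 6 from the comment above (resolving the auth instance from the required institution attribute, looking up auth_remote_user, and auto-creating with a unique local username). It is not Mahara's code: the table layouts, attribute names and helper functions are all constructed stand-ins for illustration.

```python
import re

# Constructed stand-ins for Mahara's auth_instance, auth_remote_user and usr
# tables (hypothetical; the real schema and PHP API are not reproduced).
AUTH_INSTANCES = {
    1: {"institution": "uni-a", "inst_attr": "schacHomeOrganization",
        "inst_value": "uni-a.example", "user_attr": "uid"},
    2: {"institution": "uni-b", "inst_attr": "schacHomeOrganization",
        "inst_value": "uni-b.example", "user_attr": "uid"},
}
REMOTE_USERS = {}   # (authinstance id, remote username) -> local usr id
USERS = {}          # local usr id -> {"username": ..., "institution": ...}

class SamlLoginError(Exception):
    pass

def find_auth_instance(attrs):
    # Step 4: the institution attribute field/value must select exactly one
    # auth instance; anything else is rejected rather than guessed.
    matches = [aid for aid, inst in AUTH_INSTANCES.items()
               if inst["inst_value"] in attrs.get(inst["inst_attr"], [])]
    if len(matches) != 1:
        raise SamlLoginError("SAML assertion does not match exactly one institution")
    return matches[0]

def unique_username(remote):
    # Derive a site-unique Mahara username from the remote username; two
    # tenants may both send "jsmith", so append a counter on collision.
    base = re.sub(r"[^a-z0-9._-]", "", remote.lower()) or "user"
    taken = {u["username"] for u in USERS.values()}
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    return candidate

def login_or_create(attrs, autocreate=True):
    aid = find_auth_instance(attrs)
    inst = AUTH_INSTANCES[aid]
    remote = attrs.get(inst["user_attr"], [None])[0]
    if not remote:
        raise SamlLoginError("username attribute missing from assertion")
    key = (aid, remote)               # remote usernames are scoped per auth instance
    if key in REMOTE_USERS:           # Step 5: existing mapping wins
        return REMOTE_USERS[key]
    if not autocreate:
        raise SamlLoginError("unknown remote user and auto-create is off")
    uid = len(USERS) + 1              # Step 6: create in the matched institution
    USERS[uid] = {"username": unique_username(remote),
                  "institution": inst["institution"]}
    REMOTE_USERS[key] = uid
    return uid
```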