Forums | Mahara Community

Support /
Possible bug in simplesaml plugin.


anonymous profile picture
Account deleted
Posts: 3

22 September 2011, 8:06

 

Hi all,

Rather this is a change in requirements of simplesaml. I just set up simplesaml 1.8 and mahara 1.4.0 with the folder updated from the git repo in trunk, folder : htdocs/auth/saml/.

 

Simplesaml changed their config and changed session.handler to store.type. I was getting errors from mahara auth saml, that session handler must not be phpsession, however it was null so I got the default message, maybe consider different messages for different errors?

Changed it, started memcache and changed line 91 in auth/saml/index.php to

$session_handler = $saml_config->getString('store.type', false);

Now I get this error message.

Mahara: Site unavailable

A nonrecoverable error occured. This probably means you have encountered a bug in the system

 

I zero in on the resulting function call that causes this exception, line 124

$as-requireAuth();

Result from calling print_r($as);

SimpleSAML_Auth_Simple Object ( [authSource:SimpleSAML_Auth_Simple:private] => default-sp )

So I try to comment this requireAuth out, not knowing if it absoultely vital and I get this message.

 

 

Not Found

The page you are looking for could not be found

There is already an existing authinstance with this institutionattribute and institutionvalue compination

 

Now I am confused to what to do. Is this a bug or a change in requirements ?
Can anyone help me out to get this saml plugin to work ?
regards
tomasgudm

 

Piers Harding's profile picture
Posts: 11

25 September 2011, 13:45

Hi Tomas -

Yes - I need to update auth/saml to cope with the change of SimpleSAMLphp configuration directives - thanks for pointing out the difference.

Where you have made changes at line 91 you should be able to use this instead:

// Check the SimpleSAMLphp config is compatible
$saml_config = SimpleSAML_Configuration::getInstance();
$session_handler = $saml_config->getString('session.handler', false);
$store_type = $saml_config->getString('store.type', false);
if ($store_type == 'phpsession' || $session_handler == 'phpsession' || (empty($store_type) && empty($session_handler))) {
    throw new AuthInstanceException(get_string('errorbadssphp','auth.saml'));
}

I'm not sure what your subsequent errors are due to - it maybe your actual configuration in SimpleSAMLphp  - have you checked the logs from this (you might need to rurn up debugging in config/config.php).?

Also - you may have some compatibility issues with using latest auth/saml and 1.4 - it relies on some changes that I think only made it into 1.5, so please be careful.

Cheers,

Piers Harding.

anonymous profile picture
Account deleted
Posts: 3

28 September 2011, 9:31

So I did what you suggested. I wiped the installation (a test server) and just used the trunk code. Works for me now, but a good practice on a simplesaml service provider side, is to use old configuration files in combination with the new, so that old keys are kept in there - but that wouldn't work for people who come with fresh installs. So this patch will probably be needed and maybe somewhere else ? Maybe I didn't have a wrong configuration, its just that Mahara is reading or fetching for the wrong keys ?

Piers Harding's profile picture
Posts: 11

29 September 2011, 18:34

I'll apply the above as a patch, to be safe, as people transition to the new config.

 

Cheers,

Piers Harding.

anonymous profile picture
Account deleted
Posts: 3

05 October 2011, 4:21

Also, on lines 83 and 85 in index.php there service provider is being set. However, this is prone to failure for people who are not using the default-sp. I don't want to be overly judgemental but I think this is a better way of doing it.

 

        $sp = param_alphanumext('as',$serviceProviderName);
        if (! in_array($sp, SimpleSAML_Auth_Source::getSources())) {
            $sp = 'default-sp';
        }

 

And people would be able to define serviceProviderName in some configuration file, in the interface on the administration page or in a text file doesn't really matter to me personally, but the ability to configure this would be helpful.

 

-tg

Piers Harding's profile picture
Posts: 11

05 October 2011, 20:09

Hi -

A configuration option could be specified at the plugin level (can't be at the institution level as we don't know what the institution is yet), but this is not strictly necessary.  The plugin config already allows you to specify a specific configuration directory, where you can vary what is being pointed at.  This only breaks down when you are managing multiple authsoures (ssphp) on the same vhost - which I'd expect to be a rare occurance (maybe to enable different pointers to different sets of IdPs or something similar - but ssphp IdP disco handles this OKish)?

Cheers,

Harding.

6 results