Forums | Mahara Community
Developers / SAML email requirement


Account deleted
Posts: 26

29 January 2012, 19:31

It appears to me (based on both using it and perusing the code, but I haven't stepped through with a debugger or anything) that the SAML plugin requires that the identity provider assert an email address.  I would like for that to be optional.  

Is the email address a requirement of Mahara or just something that is particular to the way the SAML plugin is coded?  

I notice (from the documentation) that the Janrain plugin has the user enter an email themselves if one is not provided by the authentication source.  Any reason not to make it possible for SAML to behave the same way?

Piers Harding
Posts: 11

29 January 2012, 22:05

Hi Rich - It shouldn't require an email address, if it is exhibiting that behaviour then it is a bug.

Typically I would expect the eduPersonPrincipalName to be used which looks like an email address, but it doesn't have to be.

In the institution level config for auth/saml the main options are:

 * Institution attribute - the SAML assertion attribute that contains something to identify the institution eg: "department"
 * Institution value to check against attribute - an expected value in the above assertion to map to this institution eg: "hogwarts.school.nz"
 * Do partial string match with institution shortname - do a simple regex check for the above matching - this helps out in cases where the assertion attribute is something like an email address or eduPersonPrincipalName
 * User attribute - assertion attribute containing the username
 * Match username attribute to Remote username - instead of matching to the usr table username field - match to remote username field

It could be possible to enable users to enter an email - this would be implementing something more like user controlled registration/provisioning.  Not sure how much it would be used though, as SAML is usually a much more tightly coupled authentication scheme than OpenID/OAuth.

Cheers,

Piers Harding.


Account deleted
Posts: 26

30 January 2012, 0:02

It appears that it requires an email address if it is creating or updating an account. So if one turns on "Update user details on login" then an email address is required or else login will fail, even if the user has already been created in Mahara. (An exception is thrown on what is currently line 219 at http://bazaar.launchpad.net/~vcs-imports/mahara/master/view/head:/htdocs/auth/saml/lib.php.)

I wonder if, rather than throw an exception, that code should update each value if and only if the relevant value is sent by the identity provider. Previous code sets the relevant variable to null if the value is not asserted. So, if the variable is not null, update; otherwise, do nothing with it.
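The two behaviours discussed in this thread, the institution-level matching options Piers lists and the "update only what the IdP actually asserted" handling Rich proposes for the update-on-login path, sketched as an added PHP example. This is not Mahara's code and does not reflect what auth/saml/lib.php does; the function names, the config keys (institutionattribute, institutionvalue, institutionregex), the field-to-attribute map and the sample assertion are all assumed here for illustration.

```php
<?php
// Added example, not Mahara's own code. Function names, config keys and the
// sample assertion below are assumptions made for illustration.
declare(strict_types=1);

/**
 * Decide whether an assertion belongs to an institution using the three
 * options from the thread: the attribute to inspect, the expected value and
 * whether to do a partial (substring) match instead of an exact one.
 * SAML attributes are multi-valued, so each value is checked.
 */
function saml_matches_institution(array $attributes, array $config): bool
{
    $attr = $config['institutionattribute'];
    if (empty($attributes[$attr])) {
        return false;
    }
    $expected = $config['institutionvalue'];
    foreach ($attributes[$attr] as $value) {
        if ($config['institutionregex']) {
            // Partial match: covers values such as "rich@hogwarts.school.nz"
            // when the configured value is just "hogwarts.school.nz".
            if (stripos($value, $expected) !== false) {
                return true;
            }
        } elseif ($value === $expected) {
            return true;
        }
    }
    return false;
}

/** First value of an attribute, or null when the IdP did not assert it. */
function saml_attribute(array $attributes, string $name): ?string
{
    if (!isset($attributes[$name][0]) || $attributes[$name][0] === '') {
        return null;
    }
    return $attributes[$name][0];
}

/**
 * The behaviour Rich describes: every mapped field must be asserted when
 * updating an existing account, otherwise the login is aborted.
 */
function saml_strict_update(array $existing, array $attributes, array $map): array
{
    foreach ($map as $field => $attrname) {
        $value = saml_attribute($attributes, $attrname);
        if ($value === null) {
            throw new RuntimeException("Missing SAML attribute '$attrname' for field '$field'");
        }
        $existing[$field] = $value;
    }
    return $existing;
}

/**
 * The proposed behaviour: overwrite a field only if the IdP sent a value,
 * otherwise keep whatever the account already holds. The attribute that
 * identifies the user is deliberately not in this map; it stays mandatory.
 */
function saml_lenient_update(array $existing, array $attributes, array $map): array
{
    foreach ($map as $field => $attrname) {
        $value = saml_attribute($attributes, $attrname);
        if ($value !== null) {
            $existing[$field] = $value;
        }
    }
    return $existing;
}

// Constructed sample assertion: eduPersonPrincipalName and names, but no mail.
$attributes = [
    'eduPersonPrincipalName' => ['rich@hogwarts.school.nz'],
    'givenName'              => ['Rich'],
    'sn'                     => ['Example'],
];
$institution = [
    'institutionattribute' => 'eduPersonPrincipalName',
    'institutionvalue'     => 'hogwarts.school.nz',
    'institutionregex'     => true,
];
$map      = ['firstname' => 'givenName', 'lastname' => 'sn', 'email' => 'mail'];
$existing = ['firstname' => 'R.', 'lastname' => 'Example', 'email' => 'rich@example.org'];

var_dump(saml_matches_institution($attributes, $institution));
try {
    saml_strict_update($existing, $attributes, $map);
} catch (RuntimeException $e) {
    echo 'strict: ' . $e->getMessage() . PHP_EOL;
}
print_r(saml_lenient_update($existing, $attributes, $map));
```

With this input the partial match succeeds, the strict variant throws because `mail` is absent, and the lenient variant returns the record with the existing email address untouched. The one thing the lenient path must not relax is the attribute used to identify the account (the "User attribute" above): if that is missing there is nothing safe to match on, so it should still fail rather than fall back to another field.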

Kristina Hoeppner
Posts: 4717

30 January 2012, 3:33

Hello Rich,

In general, I think, it is good that Mahara requires an email address for every account as that way notifications can be sent and it is another way for an administrator to authenticate a user. Though it seems that this is not strictly handled and that due to external authentication methods and Leap2A imports, some email addresses can appear twice or more often.

Currently, I am performing an account audit on one of our installations and having the email address is a tremendous help in figuring out who the users might be. Without it, it would not be possible to either contact the institution administrators or the users themselves (except for the ones where the address doesn't work anymore).

Cheers

Kristina

Account deleted
Posts: 26

30 January 2012, 11:24

Kristina,

Everything you say is true.  I would add:

1) If a user doesn't have an email address provided via SAML, I believe they don't get a useful error message to that effect. I believe they get a generic message, causing support problems.

2) If a user already has an account and that account has an email address associated with it and the institution is configured to update information from SAML and the user does not have an email address in SAML, the login fails.  And again, I believe it's with a generic message.  

3) It might be nice if, in the condition described in #2 above, Mahara simply ignored the absent email in SAML and just kept whatever value it already had for email, rather than failing on login.

4) It might be a nice feature if it were possible for users to enter an email address manually if SAML does not provide one upon account creation, like the Janrain plugin does (at least according to the wiki page documentation for it).

#3 in particular seems like it would be easy to address, and I might just do that in my own installation and send a patch in, hoping that others find it a useful enough change to incorporate into the code base.  I'll open an issue in the issue tracker now for that....

Account deleted
Posts: 26

30 January 2012, 12:13

What I said about the error message is incorrect.  The error message does, in fact, indicate that attributes are missing.  Sorry about that.

A post by Kristina Hoeppner was deleted

Kristina Hoeppner
Posts: 4717

30 January 2012, 12:38

Hello Rich,

It would be best if you sent a patch through the Mahara review system as that would allow others to test it more easily and give you feedback.

Cheers

Kristina

P.S. For the record, the tracker item is https://bugs.launchpad.net/bugs/923854

Account deleted
Posts: 26

30 January 2012, 13:34

It's in the review system at https://reviews.mahara.org/#change,1017
