Mahara Community Forums / Security Announcements
Insecure defaults in SAML plugin

François Marier

15 February 2012, 8:52 PM

This security issue only affects sites which make use of the SAML authentication plugin and have more than one SAML identity provider.

By default, SAML authentication instances have the "Match username attribute to Remote username" setting unchecked. This means that a user logging in using single sign-on will log in as the local Mahara user whose Mahara username matches their SAML username attribute.

In this configuration, someone with control over any SAML identity provider could gain control over any user account on that Mahara site by setting the username attribute appropriately. In other words, administrators of one institution could control users in other institutions.

To fix this, site administrators of multi-institution sites with SAML authentication in use should ensure that the "Match username attribute to Remote username" setting is enabled in each SAML-enabled institution, unless usernames are guaranteed to be unique across all SAML providers.
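The difference between the two settings comes down to which table the asserted username attribute is looked up in. The following is an added simulation of that lookup, not Mahara's own code: the `LocalUser` and `AuthInstance` records, the `remote_links` dictionary standing in for a per-instance remote-username table, the sample institutions and the function names are all constructed for illustration. It shows why an unchecked setting lets one identity provider name any account on the site, and why enabling the setting confines each provider to the accounts explicitly bound to it.

```python
"""Simulation of the two SAML account-matching modes described in the
advisory. Added example, not Mahara code; all records below are constructed."""

from dataclasses import dataclass, field


@dataclass
class LocalUser:
    username: str
    institution: str


@dataclass
class AuthInstance:
    """One SAML authentication instance (one identity provider) attached to an institution."""
    name: str
    institution: str
    # The "Match username attribute to Remote username" setting.
    match_remote_username: bool
    # Remote username asserted by this provider -> local Mahara username.
    # Stands in for a per-instance remote-user table (constructed, hypothetical).
    remote_links: dict = field(default_factory=dict)


# Constructed sample site: a site admin plus two institutions with one provider each.
USERS = {
    "siteadmin": LocalUser("siteadmin", "mahara"),
    "alice": LocalUser("alice", "inst_a"),
    "bob": LocalUser("bob", "inst_b"),
}

AUTH_A = AuthInstance("saml-a", "inst_a", match_remote_username=False)
AUTH_B = AuthInstance("saml-b", "inst_b", match_remote_username=True,
                      remote_links={"bob@idp-b": "bob"})


def resolve_user(auth, username_attribute):
    """Return the local username an assertion from `auth` logs in as, or None.

    Setting unchecked: the attribute is matched against every local username
    on the site, so the provider can name any account.
    Setting enabled: the attribute is matched only against this instance's own
    remote-username links, so the provider reaches only accounts bound to it.
    """
    if not auth.match_remote_username:
        user = USERS.get(username_attribute)
        return user.username if user else None
    return auth.remote_links.get(username_attribute)


def accounts_reachable_outside(auth):
    """Audit check: local accounts outside auth's institution that an assertion
    from this provider could log in as. Every known username and link key is
    tried as the attribute value."""
    reached = set()
    for attr in set(USERS) | set(auth.remote_links):
        local = resolve_user(auth, attr)
        if local and USERS[local].institution != auth.institution:
            reached.add(local)
    return sorted(reached)


def harden(auth):
    """Apply the advisory's fix to a copy of `auth`: enable the setting and bind
    only this institution's own users, keyed by their current username."""
    links = dict(auth.remote_links)
    for u in USERS.values():
        if u.institution == auth.institution:
            links.setdefault(u.username, u.username)
    return AuthInstance(auth.name, auth.institution, True, links)


if __name__ == "__main__":
    for auth in (AUTH_A, AUTH_B, harden(AUTH_A)):
        print(auth.name, "match_remote_username =", auth.match_remote_username,
              "reachable outside institution:", accounts_reachable_outside(auth))
```

Running the block lists `['bob', 'siteadmin']` for the instance with the default setting and an empty list for the hardened ones. Note that `harden` binds users by their existing username only because that mirrors the site's current behaviour; it still relies on the usernames a provider asserts being unique to that institution, which is exactly the condition the advisory's last clause is about.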

The next point releases of Mahara 1.3 and 1.4 will remove this insecure configuration.