Forums | Mahara Community

Mahara and Liferay

29 April 2015, 8:39 PM

Hi guys.

For an experimental project, we are developing an e-learn platform whose components are mainly Liferay and Mahoodle, having Shibboleth as IAM for SSO.

I did search all over for someone who tried to integrate Mahara e-portfolio with Liferay, but it seems nobody did it in the past.
Well, now it's my turn, and I'm facing several problems related to the nature of Mahara, which is PHP-based.

First thing: we're going to try to have single sign-on using Shibboleth and an LDAP repository for the users; I'm quite sure we won't have many problems thanks to the presence of a plugin for both Liferay and Mahara (and Moodle too, that's the other PHP application in our architecture), so the authentication would be guaranteed.

The problem we are facing now is that it seems Mahara can't be embedded in an IFrame inside Liferay. I guess it could be related to security features, so I can't imagine how to solve it - maybe it is simpler than I think: I'm a newbie at this.

Has anyone tried to embed Mahara in an IFrame?
Any suggestions will be appreciated.


Aaron Wells

30 April 2015, 5:19 PM

Hi Carlo,

Mahara issues the "X-Frame-Options: SAMEORIGIN" http response header, for security purposes. (See ) This prevents Mahara from loading in an iframe served by a different domain name, which would open it up to a so-called "clickjacking attack".

You can change this by editing your Mahara's htdocs/init.php file. Look for the line that sets that SAMEORIGIN header, and change it to instead serve an ALLOW-FROM header telling it the domain name of your Liferay server. For instance:

header('X-Frame-Options: ALLOW-FROM');

See for more details on that.

Once you've done that, the remaining gotcha is that in modern browsers, the iframe source and the surrounding page must both be HTTP, or both HTTPS. So if your Liferay site is HTTP, your Mahara site must also be HTTP. If your Liferay site is HTTPS, your Mahara site must also be HTTPS.



Aaron Wells

30 April 2015, 6:51 PM

Oh shoot, I just noticed that the "ALLOW-FROM" frame policy doesn't yet work in Chrome.

Well, in that case, your options are:

1. Serve Liferay and Mahara under different paths on the same domain name (i.e. and

2. Just comment out the "X-Frame-Options" header from Mahara entirely (though this will make your site less secure)

3. You might be able to make it work with the frame-ancestors directive of the Content-Security-Policy header. I haven't been able to find any good listings of how widely supported that is yet, though.
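
Option 3 above, worked through as an added example that is not part of the thread and is not Mahara's own code: it builds a `Content-Security-Policy: frame-ancestors` allowlist and keeps `X-Frame-Options: SAMEORIGIN` as a fail-closed fallback. The function name `framing_headers` and the origin `https://liferay.example.org` are assumptions made for illustration.

```php
<?php
// Added example: not Mahara's code. The origin used below is a placeholder.

/**
 * Build framing headers that let only the listed origins embed this site.
 *
 * @param string[] $embedders   bare origins (scheme://host[:port]) allowed to frame us
 * @param string   $site_scheme scheme this site is served over ('http' or 'https')
 * @return string[] header lines ready to pass to header()
 */
function framing_headers(array $embedders, string $site_scheme): array
{
    $sources = ["'self'"];
    foreach ($embedders as $origin) {
        // Strict pattern: no path, query, userinfo, whitespace or ';' that
        // could smuggle extra directives into the policy.
        if (!preg_match('#^(https?)://[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::\d{1,5})?\z#i', $origin, $m)) {
            throw new InvalidArgumentException("Not a bare origin: $origin");
        }
        // Follows the thread's advice that the embedding page and the
        // framed site are served over the same scheme.
        if (strtolower($m[1]) !== strtolower($site_scheme)) {
            throw new InvalidArgumentException("Scheme differs from this site: $origin");
        }
        $sources[] = strtolower($origin);
    }
    return [
        // Honoured by browsers that implement CSP frame-ancestors.
        'Content-Security-Policy: frame-ancestors ' . implode(' ', array_unique($sources)),
        // Fallback for browsers without frame-ancestors support: they refuse
        // cross-origin framing (fail closed) instead of allowing every site.
        'X-Frame-Options: SAMEORIGIN',
    ];
}

$headers = framing_headers(['https://liferay.example.org'], 'https');
foreach ($headers as $line) {
    if (PHP_SAPI === 'cli') {
        echo $line, PHP_EOL;   // stand-alone run: show the header lines
    } else {
        header($line);         // web request: send them with the response
    }
}
```

Under CSP Level 2, a browser that enforces `frame-ancestors` ignores `X-Frame-Options` on the same response, so the two headers do not conflict.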



30 April 2015, 7:22 PM

True: It seems Chrome supports only the ALLOWALL policy (at least that is what we noticed while running some experiments).

The best thing will be to have all the applications under the same domain - and this will probably be the final configuration.

Thanks again.

Aaron Wells

01 May 2015, 10:53 AM

Yeah, I just noticed that this issue also affects the Mahara assignment plugin for Moodle (which uses iframes to preview Mahara pages). I guess it hadn't ever come up in my testing because my test sites are always under the same domain name, on my local machine.



30 April 2015, 7:11 PM

Thanks a lot, Aaron. I was investigating this option just yesterday and your post confirms I was on the right track.

The next step for me will be to activate the integration between Mahara and Moodle starting from Mahara (users can register in Mahara freely, but not in Moodle. When they ask for enrollment in a course in Moodle they will be registered in Moodle too, but to activate the export to portfolio I would need to change the auth mode in Mahara for those users from internal to xmlrpc. I guess I'll find a workaround for this).

Thanks again for your support.

Kristina Hoeppner

03 May 2015, 9:12 PM

Hello Carlo,

To my knowledge, Moodle must be the primary and Mahara the secondary in the IdP if you want to use the export to portfolio feature. So for the MNet authentication method in Mahara, you'd have to select "They SSO in".

As for changing the remote username and authentication method for your internal users and make SSO users out of them, please look at the instructions at

Please note: If you set up Shibboleth AND MNet, the authentication method must be Shibboleth so that the users can use both the SSO button on the homepage of Mahara as well as Moodle authentication. Moodle authentication will also need to have Shibboleth set up as parent authentication method in Mahara for students to only have one account. More info is available at



