Forums | Mahara Community

Open Discussion /
SSO with SAML


09 January 2017, 9:09 PM

Hello,

 

I've configured Mahara to work with an external IdP in order to have SSO with SAML.

I could add my IdP metadata in Mahara (from the Institution section), configured the Mahara Entity Id (from Plugin administration: auth: saml), installed memcache extension and everything is fine. The SSO button is present on the login form.

My IdP it's a simpleSAMLphp acting as an IdP app (not the one that comes with Mahara).

When I click on the SSO button, Mahara redirects to my IdP sending the needed Parameters (SAMLRequest, RelayState etc)

 

Now, in my IdP I would have to configure the AssertionConsumerService for the Mahara Entity Id (from Plugin administration: auth: saml). So that after a successful login in the IdP, the IdP should redirect back to Mahara with the SAMLResponse.

I've tried to set the URL like <server>/mahara/auth/saml/index.php, but after the login in the IdP, the IdP redirects back to the index.php and Mahara will redirect back to the IdP without trying to log the user in.

What URL I should add there? Or I have to do some more configurations?

 

I'm using Mahara version 16.10.0 (2016090207)

 Thank you very much

 

Later edit:

- I would also want to have the possibility to do an IdP initiated login on Mahara. So what would be the URL to send directly the SAMLResponse? Thanks a lot

10 January 2017, 4:02 AM

I've found out what's the URL that I have to set, by seeing the generated metadata from Mahara at: /auth/saml/sp/metadata.php?output=xhtml.

 

I could configure it, but I afterwards I had some issues with Storing a session in the Memcached Server (memcached 1.4.4-14-g9c660c0). The error was: [WAR] 93 (lib\errors.php:536) [SimpleSAML_Error_NoState]: NOSTATE

I don't know if this apply for everything, but in my case, the Memcached Server did not store the session object cache if the expire time it's a timestamp. Instead, I had to set the expiry time in seconds (like 8h = 28800s).

 

My changes were in: auth\saml\extlib\simplesamlphp\lib\SimpleSAML\SessionHandlerStore.php, modifying the saveSession method as:

 public function saveSession(SimpleSAML_Session $session) {
     $sessionId = $session->getSessionId();
     $config = SimpleSAML_Configuration::getInstance();
     $sessionDuration = $config->getInteger('session.duration', 8 * 60 * 60);
     $this->store->set('session', $sessionId, $session, $sessionDuration);
  }


 I hope it helps someone :-)

Robert Lyon's profile picture
Posts: 346

16 January 2017, 11:12 AM

Hi Alexandru,

Good to hear you were able to create a solution to your problem.

As that file is part of SimpleSAMLphp itself that we include via the 'make ssphp' command we will not be able to change it in core Mahara

But hopefully others will use your work around if they get this problems as well

Cheers

Robert

3 results