Forums | Mahara Community

Mahara SAML not auto creating accounts


Duncan Ruddock

25 November 2020, 11:04

Hi again :)

I am having an issue with our dev instance of Mahara where new accounts are not being created when a new user logs in via SAML.

The error I am receiving is:


Unable to sign in via external authentication (SSO)

Invalid account selected

No account found


Our aim is to migrate our existing users (LDAP -> SAML), and all future users, to use SAML auth. If I change the authentication method manually in Mahara for existing users, they are able to successfully log in via SAML. If I delete the users entirely, the above message is displayed when they try to log in.


I have ensured that the 'We auto-create accounts' setting is enabled, but it seems to be being ignored.


Any help that you can provide on this would be hugely appreciated.

Thanks

Robert Lyon

25 November 2020, 12:47

Hi Duncan,

That error message is displayed if SamlUserNotFoundException is called, and it is called when there is no saml instance related to the information returned from the Identity Provider (line 162 of htdocs/auth/saml/index.php).

Can you check that the data passed back from the Identity Provider has the info in it that you are trying to match against?

In your database, run the following SQL query to find out what settings you have for the saml instances:

SELECT * FROM auth_instance_config aic, auth_instance ai WHERE ai.id = aic.instance AND ai.authname = 'saml' AND ai.active = 1 AND aic.field = 'institutionattribute';

Then in htdocs/auth/saml/index.php add after the line:

  global $instance;

Add the line:

  log_debug($saml_attributes);

Then try logging in again and check that the parameter that comes from the IdP, which the institution needs to match on, is the same as what Mahara expects.

e.g. for one of my sites, in Mahara the 'institutionattribute' = 'eduPersonAffiliation',

and so the parameter 'eduPersonAffiliation' from the IdP contains the value for the institution it wants to log into,

e.g. for my site:

    [eduPersonAffiliation] => Array
        (
            [0] => institution1
        )


So it is trying to log in to 'institution1'.

And from the SQL call before, there should be a line that matches up and that has active = 1.

Can you check that your site is trying to log in to the correct institution?

Cheers

Robert
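As an added illustration of the lookup Robert describes (this is a model written for this thread, not Mahara's own code, and the row layout, the `uid` username attribute and the `auto_create` flag are assumptions): the active saml instance is resolved by checking whether the value named in its 'institutionattribute' config appears in the attributes the IdP sent, and the outcome is then classified into the messages quoted in the thread.

```python
from dataclasses import dataclass


@dataclass
class SamlInstance:
    """One auth_instance row joined with its 'institutionattribute' config (assumed field names)."""
    instance_id: int
    institution: str
    institution_attribute: str  # value of the 'institutionattribute' config field
    user_attribute: str         # assumed: IdP attribute carrying the remote username
    active: int                 # ai.active from the SQL query in the post
    auto_create: bool           # assumed flag for "We auto-create accounts"


# Constructed stand-in for the rows the SQL query in the post would return.
INSTANCES = [
    SamlInstance(3, "institution1", "eduPersonAffiliation", "uid", 1, True),
    SamlInstance(7, "institution2", "eduPersonAffiliation", "uid", 1, False),
    SamlInstance(9, "institution1", "eduPersonAffiliation", "uid", 0, True),  # inactive row
]


def resolve_instance(saml_attributes, instances):
    """Return the first active instance whose institution value appears in the
    IdP attribute that instance matches on (the array log_debug($saml_attributes) prints)."""
    for inst in instances:
        if inst.active != 1:
            continue
        if inst.institution in saml_attributes.get(inst.institution_attribute, []):
            return inst
    return None


def login_outcome(saml_attributes, instances, existing_accounts):
    """Classify an assertion into the outcomes quoted in the thread (assumed model).
    existing_accounts: set of (institution, remote username) already present in Mahara."""
    inst = resolve_instance(saml_attributes, instances)
    if inst is None:
        return "Institution for connecting account not resolved"
    usernames = saml_attributes.get(inst.user_attribute, [])
    if not usernames:
        return "No account found"
    key = (inst.institution, usernames[0])
    if key in existing_accounts:
        return f"signed in to {inst.institution}"
    if inst.auto_create:
        return f"account created in {inst.institution}"
    return "No account found"
```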


Duncan Ruddock

26 November 2020, 12:46

Hi Robert,


Thanks for your prompt reply. I should have mentioned that before reaching this error, I had applied the PHP debugging to display the $saml_attributes because Mahara could not identify which institution the user belonged to. Because none of our LDAP attributes contained the shortcode of our institution, I added a custom attribute to the test users containing the institution value.

After adding the custom attribute and linking it to the institution value, these users can log on successfully via SAML and land in the correct institution, but ONLY if they previously existed as LDAP users in Mahara and if I changed their auth method manually to SAML under 'People'.


I manually deleted the same users and tried to log back in via SAML and receive the 'user not found' message in the OP. 


I have also tested accounts who have never been in Mahara and receive the same message.


The SQL output is as you described: institution values are correct and set to 1 (active). The issue is that the accounts are not auto-creating even though the setting is enabled.


Sorry this is a bit confusing, please let me know if anything needs clarifying.


Thanks again,

Duncan

Kristina Hoeppner

28 November 2020, 18:44

Hi Duncan,

Which version of Mahara do you use? Please only post the first two numbers, e.g. 20.04 or 20.10 but not the last, the minor point. Also please ensure that you are on the latest minor point release for your version of Mahara. You can check that in Admin menu -> Admin home -> Overview -> Site information.

Thank you

Kristina

Duncan Ruddock

01 December 2020, 10:18

Hi Kristina, I am running Mahara 20.10.

I decided to remove the current SAML settings and set up the auth again from scratch, but now I unfortunately can't get past this error:

[WAR] 64 (auth/saml/extlib/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:499) openssl_sign(): supplied key param cannot be coerced into a private key

Last time when I got this error, I regenerated the certificate under Configure Site > Networking and was able to reach the ADFS login page. Regenerating the cert doesn't work this time :(

Looking at the openssl_keypair in the config table, the private key is preceded by "@@@@@@@@" and am wondering whether this has anything to do with the error (see below)

                 | -----END CERTIFICATE-----                                                                                                 +
                 | @@@@@@@@-----BEGIN PRIVATE KEY-----


Sorry to add a problem on a problem!


Duncan


Kristina Hoeppner

06 December 2020, 18:43

Hi Duncan,

To my knowledge, the 'Networking' certificate is only used for Moodle Networking connections. SAML has its own signing and encryption certificate in the plugin administration in the 'SAML' settings at /admin/extensions/pluginconfig.php?plugintype=auth&pluginname=saml. Can you please renew the cert there and see if that resolves the problem?

Thank you

Kristina

Duncan Ruddock

07 December 2020, 16:06

Hi Kristina,

Regenerating the certificates under Plugin Administration > SAML does not work. (Tried SHA256, 384 and 512; all give the same error.)


I have managed to get around this error by explicitly setting the passphrase on line 375 of /htdocs/auth/saml/extlib/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php


Line 375:    $this->key = openssl_get_privatekey($this->key, $this->passphrase);


After replacing the bold text above with our cert passphrase, I am able to get to our ADFS login page.


It seems like the openssl_get_privatekey function does not call the passphrase correctly and causes the auth plugin to fail. Have you seen behaviour like this before?


Cheers,

Duncan


Kristina Hoeppner

08 December 2020, 8:22

Hi Duncan,

Thank you for this additional test. We hadn't seen this behaviour before. Can you please let us know what operating system (and version) you use? This is a bit of a stab in the dark, but I know that Ubuntu 20.04 has some changes that affect how things are installed or, for SSH for example, what algorithms are available, and I am thus wanting to make sure that it's not one of those things.

Thank you

Kristina

Duncan Ruddock

10 December 2020, 9:37

Hi Kristina,

I have set up 2 dev instances, one with CentOS 8 and the other with Ubuntu 20.04.1. Ideally we would like to use CentOS within our organization, but I know that Ubuntu is the officially supported OS. Both receive this error, however.


[WAR] b3 (auth/saml/extlib/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:499) openssl_sign(): supplied key param cannot be coerced into a private key


Cheers,

Duncan

Duncan Ruddock

15 December 2020, 10:16

I have managed to get around this error on CentOS, but am now back to the issue in the OP.


Unable to sign in via external authentication (SSO)

Invalid account selected

No account found



I believe the institution value is being passed and received correctly because I get this error when I change the attribute in AD.

Unable to sign in via external authentication (SSO)

Invalid account selected

Institution for connecting account not resolved


Again, I think this setting in the SAML auth settings is being ignored: 'We auto-create accounts'. But I am struggling to debug this.

Cheers,

Duncan
