Forums | Mahara Community

Support /
Config SAML Azure AD


Harold DESGENS's profile picture
Posts: 5

30 April 2021, 21:14

Hi,

I try to configure SSO with SAML and Azure AD.

What i've done:

- wiki.mahara.org/wiki/Plugins/Auth/Saml

- Install and configure plugin SAML in Mahara

- Create and configure new APP in azure with "metadata.xml" created with saml Mahara

- add users to new azure app

- enable SAML in mahara institution and configure with xml given by azure ad (metadata URL, IDP url, all asked attributes in form), maybe i've made some mistakes here because all is not clear for me.

- enable saml authentication on my test user...

and multiples hours of research ;)

So when i try logging mahara with SSO button i see our Azure login page, i put my username and password....

and i see this error message "Institution for connecting user not resolved"

Please help me. I don't know what i have to check.

Thank in advance guys.

 

 

 

Robert Lyon's profile picture
Posts: 773

01 May 2021, 9:18

Hi Harold,

It sounds like it could be a problem with the data coming from the Identity Provider

Can you try the following?

Edit this file htdocs/auth/saml/index.php

and before the line

$instance = auth_saml_find_authinstance($saml_attributes);

and this line

log_debug($saml_attributes);

then try logging in and check the error log to see what values are coming to Mahara

Make sure the key / value for the institution information match what you set for the SAML instance's config for the institution (via Admin -> Institutions)

Cheers

Robert

Harold DESGENS's profile picture
Posts: 5

01 May 2021, 12:01

Yes i saw your old post about that (mahara.org/interaction/forum/topic.php?id=8478)  and i tried.

See the screenshot.

At my first check there were no key and no value for institution in error log, i had to add a new custom attribute in azure, i named it "institutionattribute" and gave the short name of my institution as value. Now i see them in the error log.

You can see that match with key/value in mahara database.

i'm wondering if in admin->institution->saml i put the good value for "institution value to check against attribute" effectively i entered the short name of institution. Can you tell me if i did right ?

 

Robert Lyon's profile picture
Posts: 773

03 May 2021, 10:57

Hi Harold,

This is what I have in my testing setup:

In the Admin -> Institution page for my test institution SAML config form:

Screenshot_2021-05-03 Institutions - Mahara.png

 

And in my database it saves as:

 instance |         field                  |                       value                        
--------------+----------------------------+----------------------------------------------------
        6      | institutionvalue       | group1
        6      | institutionattribute | eduPersonAffiliation

 

And when I try logging in via my IdP it sends through:

Array (

   ...

    [eduPersonAffiliation] => Array
        (
            [0] => group1
        )

   ...

)

 

The bit in the screenshot mentioning 'contains "thefirst"' is referring to the the short name of my institution - normally the short name of you institution would match what is coming from IdP, so would would be 'thefirst' rather than 'group1' but it doesn't have to.  What needs to match is the value for 'institutionattribute'  needs to match a key in the packet of data from IdP and the value for 'institutionvalue' needs to match the value that the key from IdP has

Hope that makes sense and helps

Cheers

Robert

 

Kristina Hoeppner's profile picture
Posts: 4863

03 May 2021, 13:35

Hi Harold,

Just to make sure: Did you enable the SAML bridge in your Azure AD?

Cheers

Kristina

Harold DESGENS's profile picture
Posts: 5

03 May 2021, 21:00

Hello Kristina,

I have created my entreprise app in azure and i have uploaded azure xml to mahara.

Is that what you call "SAML bridge" ? Sorry i'm not familliar with saml.

Kristina Hoeppner's profile picture
Posts: 4863

05 May 2021, 20:27

Hi Harold,

We both hold parts of the equation but don't know if that is enough. ;-)

I'm not familiar with Azure AD as we do not have access to one. I only remember that people who configured Mahara with Azure AD said they needed to enable a 'bridge' in Azure AD for it to provide the correct data that SAML requires as we can't deal with OpenIDConnect yet. If you have an XML that might be it.

Cheers

Kristina

7 results