Forums | Mahara Community

SAML Plugin Errors


Ben Faulkner
Posts: 9

26 June 2021, 3:36

Hello Robert, Kristina,

Thank you for your responses, both very much appreciated.

Over the last couple of weeks I've spent a significant amount of time learning about Linux and piecing together elements of the outdated 'Installing Mahara on Ubuntu' documentation with sections of the developer documentation Robert kindly linked to, amongst other non-Mahara sources regarding configuration of Apache, PHP, PostgreSQL, SAML ... etc.

Solely following the developer documentation produced (as one might expect) a 'dev' site; I figured it probably wasn't considered best practice to use a dev site for production use. So, with a bit of mixing and matching of guides and building, flattening & re-building of the server numerous times, I think I've hit upon what is hopefully an install of Mahara we can safely use in production ... If you could prioritise the update of the wiki for a standard Mahara install on Linux on your ToDo list then I'm sure it will help save other admins, who might also be unfamiliar with Linux, a great deal of time, experimentation and uncertainty moving forwards.

Anyhow, I've configured the new site and established the SAML connection between Mahara and AzureAD. The first login with a test account worked perfectly; however, upon logging out of Mahara I received an error. I must admit I failed to make a note of the error, as I assumed it was a mis-configuration of the SAML plugin, and instead logged into Mahara using the internal Admin account to investigate. I couldn't see anything amiss, so I logged out and tried to log back in using the test SAML account. This time I received the following errors:

[WAR] 89 (auth/saml/extlib/simplesamlphp/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:563) openssl_sign(): supplied key param cannot be coerced into a private key

[WAR] 89 (lib/errors.php:530) [SimpleSAML\Error\UnserializableException]: Failure Signing Data: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error - SHA256 at /var/www/maharatestnew.domainname.ac.uk/auth/saml/extlib/simplesamlphp/lib/SimpleSAML/Auth/Source.php:214

In searching for help with the errors I came across the following. It feels very similar, but it looks like the issue was considered to be fixed in Mahara 20.10 and we're currently running 21.04.1: https://bugs.launchpad.net/mahara/19.10/+bug/1889485

Would either of you have any ideas what the issue might be or how to resolve it? It feels like we're close now so I'm hoping you've experienced these errors previously and know of a relatively straightforward resolution.

Many thanks and have a good weekend!

Ben

Robert Lyon
Posts: 762

26 June 2021, 13:01

Hi Ben,

That error sounds like the password used to encrypt the signature is not the one being supplied.

Can you try resetting the metadata with a new passphrase by doing the following:

Go to the Administration (wrench) -> Extensions -> Plugin administration page and click on the Configure for auth saml (cog) in the saml line.

If you see the button 'Delete old certificate' please click this to remove the double up of certificates.

Then on the configuration form make sure the 'Signature algorithm' is set to at least SHA256.

Then put in a new value in the 'Private key passphrase' field (say 16 random chars) and then click 'Create new key / certificate' button.

Just to make sure things are working right, exit the page and come back in; you should see the value for the 'Private key passphrase' field is still set.

You can now hit the 'Delete old certificate' again so that you are left with one.

Then you will need to click the 'View metadata' link to get the metadata to give to the IdP (Azure AD) again.

Cheers
Robert
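
The diagnosis in the reply above (the supplied passphrase not being the one the key was encrypted with, and a doubled-up certificate) can be checked from a shell with the OpenSSL CLI. This is an added example, not part of the thread and not Mahara or SimpleSAMLphp code; it generates throwaway keys and certificates, and every file name, the CN and the passphrases are constructed.

```shell
#!/bin/sh
# Added diagnostic sketch. All files, the CN and the passphrases are constructed;
# run the two checks against copies of your own key and certificate.

# key_opens KEY PASSPHRASE: succeeds only if PASSPHRASE decrypts the private key.
# The passphrase reaches openssl through the environment, not its argument list.
# Note: an unencrypted key opens with any passphrase.
key_opens() {
    KEYPASS="$2" openssl pkey -in "$1" -passin env:KEYPASS -noout 2>/dev/null
}

# cert_matches_key CERT KEY PASSPHRASE: succeeds only if the certificate carries
# the public half of the key, i.e. the published certificate matches what signs.
# The body is a subshell, so "exit" only ends this function.
cert_matches_key() (
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    from_key=$(KEYPASS="$3" openssl pkey -in "$2" -passin env:KEYPASS -pubout 2>/dev/null) || exit 1
    [ -n "$from_key" ] && [ "$from_cert" = "$from_key" ]
)

# make_demo DIR NAME PASSPHRASE: throwaway encrypted key plus self-signed cert.
make_demo() {
    KEYPASS="$3" openssl req -x509 -newkey rsa:2048 -sha256 -days 1 \
        -subj "/CN=sp.example.test" -passout env:KEYPASS \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo "$demo" current 'new-passphrase-0001'
make_demo "$demo" old 'old-passphrase-0001'

if key_opens "$demo/current.key" 'new-passphrase-0001'; then
    echo "stored passphrase opens the key"
fi
if ! key_opens "$demo/current.key" 'old-passphrase-0001'; then
    echo "stale passphrase: key cannot be opened, so signing fails"
fi
if ! cert_matches_key "$demo/old.crt" "$demo/current.key" 'new-passphrase-0001'; then
    echo "old certificate does not belong to the current key"
fi
rm -rf "$demo"
```
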

Ben Faulkner
Posts: 9

28 June 2021, 20:22

Hi Robert,

Thank you for the speedy response, I'm pleased to report your guidance worked perfectly!

There's a 'Save' button at the bottom of the SAML Plugin page which I think I had clicked on at some stage. This appears (from my limited testing) to remove the Private key passphrase, or at least cause some havoc with the certificate or passphrase. Simply exiting the page once a passphrase has been set, as you suggested, appears to retain the passphrase.

Many thanks,

All the best,

Ben
