Managing users via webservice API


Ma

11 May 2022, 1:28

Hello,

we want to sync users from our student portal to Mahara into multiple institutions (according to their study programme) via webservices API.

We are using SAML authentication which is configured on the "No Institution" institution. We have configured one webservices API access token for the "No Institution" institution.

We are checking if a user exists via webservices API call "mahara_user_get_users_by_id". If the user isn't found, it should be created and added to the correct institution (according to their study programme). Technically all the API calls are working but we are still having problems understanding how this could be done. Let me give you an example:

Example

User Tom is in institution "No institution" and "Institution X". Searching for this user via webservices API (mahara_user_get_users_by_id) doesn't return a result. I think it has something to do with Tom being in institution "No institution" and "Institution X". As soon as Tom is also in "Institution X", the webservices API doesn't find him any more and just tells something like "User not found in auth instance 1". (Auth instance 1 is "No institution", but with internal authentication and not SAML authentication.)

So because Tom isn't found, our logic tries to create a user for him, but this fails because his user exists but just wasn't found earlier.

At some other point I got an error like: "add_members |  access denied to institution "ABC" for account "XYZ" because there is no equivalent auth method". Maybe this helps?

In earlier Mahara versions our logic was working. (This was years ago!) It seems like Mahara got a lot stricter in the segregation of institutions.

How could we achieve what we want?

Isn't it possible to just have one webservices API access token, sort of just one global webservices API admin that can find users in every institution and is able to create users and add members to institutions?

Robert Lyon

11 May 2022, 9:23

Hi Ma,

The way that institutions work in Mahara is as follows: a person can be in "no institution" (a waiting area before being assigned to an institution) OR in one or more actual institutions, so the following is allowed:

Person "No institution" Institution One Institution Two Institution Three
Alpha      
Beta      
Gamma    
Delta  
Epsilon      

But this is not allowed

Person | "No institution" | Institution One | Institution Two | Institution Three
Eta | Red icon | - | Red icon | -
Nu | Red icon | Red icon | - | -

Cheers

Robert

Ma

11 May 2022, 20:38

Hello Robert,

thank you for your reply.

1) If it is not allowed for users to be in "No institution" and in an actual institution, how is it possible that we have hundreds of users like this? I can see this under /admin/users/search.php and also in the account settings of those users like /admin/users/edit.php?id=XXXX. Some of those users were just created months ago, others are older users, but all of them were created via webservices API, if that helps.

2) If I open the account settings (/admin/users/edit.php?id=XXXX) of one of those users that are in "No institution" and in an actual institution and try to remove the user from "No Institution" by clicking on "Remove from this institution", it doesn't work. It looks like it works and shows "Person removed from institution "No Institution".", but it doesn't. The user still is in "No institution" and in the actual institution and nothing changed.

3) If we manage to set it up so that a user is in "no institution" OR in one or more actual institutions, how would it be possible to achieve what we originally wanted? The plan is to have an application that syncs users from our student portal to Mahara into different institutions. The application has to check if a user exists, create users that don't exist and add them to their study programme institution.

Is this possible with a single service access token or does a token really only refer to one institution and is only able to find users in this one institution? 

4) As already mentioned, we use SAML (Shibboleth SSO) authentication for our users. Is it okay to have the authentication set up in just one institution and put every user in this institution in addition to his other study programme institutions? Would 3) above still work that way?

Thank you!

Ma

18 May 2022, 4:54

Hello Robert,

could you at least say something to 1) and 2)?

We are having hundreds of users that are in "No institution" AND in one or more actual institutions. 

For testing purposes I created one user in the "No institution". The "No institution" has internal authentication and SAML authentication. (SAML authentication being the one that is really used.)

I then add this user to an actual institution called "Institution X". 

From now on the user is in "No institution" AND in "Institution X".

Also I'm not able to remove the user from "No institution". The GUI tells me it succeeded removing the user from "No institution", but nothing changes and the user still is in "No institution".

How is this possible if it isn't allowed for a user to be in "No institution" AND in one or more actual institutions?

Kristina Hoeppner

19 May 2022, 7:49

Hi Ma,

It is not possible to remove someone from 'No institution' unless you delete the account. Therefore, I'm not sure what you are referring to on how you can remove them from 'No institution'. Can you please provide screenshots of the following to make it easier for us to know what you are talking about?

  • Entire accounts settings page of a person that shows what you want to show us (remove email address, name, and profile pic though please)
  • Admin menu → People → People search page (again, without names and email addresses) to show in the institution column that people are in both 'No institution' and another institution?
  • Admin menu → Institutions → Settings page showing at least one institution and the 'No institution'. We will need to see the shortnames of the institutions as well.

Mahara never allowed someone to be in 'No institution' and another institution at the same time.

Thank you

Kristina

P.S. A similar discussion is happening elsewhere in case others want to check out that thread there.

Ma

19 May 2022, 10:25

Hi Kristina,

I tried this again in our newly set up Mahara development instance and it shows the same issue. A user is in "No institution" and another institution at the same time. Please see the screenshots attached. 

I didn't change much in this new Mahara instance. I just created some users and institutions. In "No institution" I configured SAML authentication with our Shibboleth IDP. I logged in per SAML with one user and after that I added this user to another institution as an admin. From now on this user is in "No institution" and another institution at the same time.

  • Admin_people_search.png
  • Site_account_settings.png
  • Admin_institution_settings.png

Kristina Hoeppner

19 May 2022, 13:35

Hi Ma,

Standard Mahara does not show 'No institution' in the institution settings area on the account settings page as it is not really an institution and you wouldn't be able to give someone institution admin or institution staff permissions. It does sound to me like there is some sort of customisation going on.

Cheers

Kristina

Ma

19 May 2022, 21:11

Hi Kristina,

did you see my other reply below? https://mahara.org/interaction/forum/topic.php?id=9111#post35980 (I had to write a new reply, couldn't edit my previous one.)

I think I found out why it shows "No institution" in the institution settings area on the account settings page. Everything is standard, no customisation. I just set up our SAML authentication.

But now another problem arises. I have described it below.

Ma

19 May 2022, 11:58

I think I just found out why there are users in "No institution" and another institution at the same time!

As I said we have configured SAML authentication with our Shibboleth IDP in the "No institution". Please see the attached screenshot of the SAML configuration in "No institution".

We set the field "Institution value to check against attribute" to "No institution", because that is what we configured our Shibboleth IDP to return as the institution attribute. And this is what is causing users to also stay in "No institution" even after they were added to another institution. (I believe that a user has to be logged in at least once via SAML for this problem to show.)

I don't really know how to deal with that!? But since you mentioned in another thread (https://mahara.org/interaction/forum/topic.php?id=9113&offset=0&limit=10#post35972) that it would be better anyway to set everyone up in an institution that holds everyone (not "No institution"), I just tried that.

So instead of configuring SAML authentication in "No institution", I configured SAML in an actual institution "Institution X". If I now add a user to "Institution X", then he is only in this institution and not in "No institution" anymore. Like it should be and like you and Robert told me. Great!

BUT, another problem: I just added this user to another 2 institutions, so he is now in "Institution X", "Institution Y" and "Institution Z". Everything seems to work, but if this user now logs in again via SAML (or logs out and logs in again if he was online) suddenly he is only in "Institution X", and was removed from "Institution Y" and "Institution Z" automatically.

So, after logging in via SAML the users are only in "Institution X" where SAML is configured, but no longer in the other institutions to which I have added them. They were automatically removed.

  • What am I doing wrong here? 
  • How can I have users in multiple institutions, with one institution being configured for SAML authentication and the others being just in standard, untouched (internal authentication) configuration?
  • Should I create a new thread for this problem?
  • Institution_SAML_configuration.png

Kristina Hoeppner

20 May 2022, 7:45

Hi Ma,

It would be better if this were a new thread as this doesn't pertain to the web services any more.

I can't tell from the screenshot and your post why people would be removed from other institutions automatically as there is not enough information to go from since we don't see the rest of the SAML configuration screen, e.g. if you used the affiliated fields in particular.

Cheers

Kristina