20 May 2022, 23:40

Hello,

we are having problems that users are automatically removed from their institutions except one. 

We are using SAML authentication which is configured in 'Institution X', so users are in this institution. Additionally we add users to multiple other institutions, let's say 'Institution Y' and 'Institution Z'.

When a user logs in via SAML, he is automatically removed from all institutions except 'Institution X'.

This problem does exist on our mahara test-instance which is version 22.04.1, but  doesn't exist on our live-instance which is version 21.04.5.

We tracked the problem down to the file /auth/saml/lib.php and think this is a bug. We looked at the code here https://github.com/MaharaProject/mahara/blob/986299dfb779d98e4b87bf24b553b74a7e017601/htdocs/auth/saml/lib.php This is the newest version of this file right now.

As far as we understand the code, on line 498 a function 'removeMember' gets called, which removes users from all institutions except one. It removes users from '$oldaffiliations', which depend on '$affiliations', which depend on the function 'get_affiliation_map'.

We think it is not meant to do that, but it all breaks down to the function 'get_affiliation_map'. This function doesn't contain any logic and always returns 'false' and just contains a comment saying 'If you need any affiliation mapping you can add it here' and an example to that.

As far as we understand the code it is impossible to function properly like that. It is impossible for SAML user to stay in all their institutions. They will get removed except from one institution with this code.

Yes, there is a comment saying that we can add any affiliation mapping here if we need it. In reality it is not a 'can add' but a 'must add', otherwise it can't work properly. Apart from this im not sure if this custom affiliation mapping is sufficient. All our SAML users have the same email-domain, so we can't  add them to institutions by email-domain. Our SAML IDP also doesn't return any additional affiliations or roles etc. we could use.

Also it is not really a nice solution to customise a mahara core file which then gets replaced with the next update and all customisations are lost.

I wouldn't even implement any logic, which is able to remove users from institutions on login. 

We hope I have understood the code correctly. If so, then all our 5000 users would have been removed from all their institutions except one, if we would have already updated our mahara live-instance to the newest version 😱

23 May 2022, 11:08

Hi Ma,

Thank you for your detailed response as it has enabled me to track down the problem and create a fix.

The code logic for the affiliated institutions on SAML authentication is meant to add the person to affiliated institutions (over and above the one that the SAML instance is connected to) if that information is supplied from the Identity Provider (IdP) and remove them from the institutions they no longer are affiliated with.

But the bad part of the code was removing people from the institutions not connected with the SAML instance even if the SAML instance was not actually requiring /using affiliated institutions.

I now have a fix for this where we only do the $oldinstitutions check / removal if we have $affiliations to be gin with.

Please see, and feel free to try, the patch for this issue at https://reviews.mahara.org/c/mahara/+/12788

Cheers

Robert

24 May 2022, 8:54

Hello Robert,

thank you for the quick response and the patch!

After our first tests this is looking good. 

Cheers