Forums | Mahara Community
SAML SSO Configuration for Mahara
20 September 2023, 22:11
So far we have been using Mahara together with Moodle, which means that the login was always from Moodle to Mahara.
After the upgrade to Moodle 4.1 and the upcoming end of the MNet interface, we are currently testing the stand-alone login with SAML via our Shibboleth IdP (which also handles the Moodle login).
After we have configured the SAML plugin to talk to our IdP, we still need to set up authentication in the Mahara institution. Unfortunately I still have a (comprehension) problem here.
We should specify an attribute that the institution transmits from the IdP "Institution attribute (contains "mahoodle")" and the name of the institution (mahoodle). However, there is no such attribute that our IdP could convey and we only have one institution in our Mahara, so a distinction is not necessary here. Is there a way to bypass this institutional check?
I attached a screenshot to illustrate what I mean.
Thank you and best regards
PS: We also run the LTI interface between Moodle and Mahara successfully, only the submission plugin is still causing trouble.
20 September 2023, 23:20
We had the same issue.
I'm going to start with a small moan - Mahara seems wedded to the idea of Institutions which I very much suspect that almost nobody uses. There's a variety of "pinch points" where Institutions get in the way or just cause confusion and this is one of them. This really should not be a required field.
Anyway, we got around it by our authentication expert doing some coding in the IdP that generated the field (as a fixed value). How is completely outside of my knowledge, but it may help you to know that it must be possible.
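The fixed-value workaround described in the post above could look like this on a Shibboleth IdP. This is an added example, not part of the original post or the poster's configuration. It assumes v4-style `attribute-resolver.xml` and `attribute-filter.xml`; the attribute id and name `maharaInstitution`, the connector and policy ids, and the SP entityID are constructed placeholders, and only the value `mahoodle` comes from the thread.

```xml
<!-- conf/attribute-resolver.xml (inside the existing <AttributeResolver> element) -->

<!-- Static connector: yields the same value for every authenticated user. -->
<DataConnector id="maharaStatic" xsi:type="Static">
    <Attribute id="maharaInstitution">
        <!-- Must equal the institution value entered in Mahara's SAML auth instance. -->
        <Value>mahoodle</Value>
    </Attribute>
</DataConnector>

<!-- Exposes the static value as a releasable SAML 2 attribute. -->
<AttributeDefinition xsi:type="Simple" id="maharaInstitution">
    <InputDataConnector ref="maharaStatic" attributeNames="maharaInstitution" />
    <!-- The name used here is what goes into Mahara's "Institution attribute" field. -->
    <AttributeEncoder xsi:type="SAML2String"
                      name="maharaInstitution"
                      friendlyName="maharaInstitution" />
</AttributeDefinition>


<!-- conf/attribute-filter.xml (inside the existing <AttributeFilterPolicyGroup> element) -->

<!-- Release the attribute to the Mahara SP only, not to every relying party. -->
<AttributeFilterPolicy id="releaseInstitutionToMahara">
    <!-- Placeholder: replace with the entityID from Mahara's SAML SP metadata. -->
    <PolicyRequirementRule xsi:type="Requester"
                           value="https://mahara.example.org/REPLACE-WITH-SP-ENTITYID" />
    <AttributeRule attributeID="maharaInstitution">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

Because the value is constant, it no longer distinguishes between users: anyone the IdP authenticates for this SP passes Mahara's institution check, so any restriction on who may log in has to be enforced at the IdP.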
22 September 2023, 9:06
I can't answer the attribute question, but it's been in Mahara since we've implemented SAML and a field that seemed to come along from IdPs to make sure that Mahara checks the correct branch. It is not tied to the Mahara institutions, but allows for improved multi-tenancy. While most Mahara instances are run by a single organisation, we do have notable multi-tenanted instances that require a bit more flexibility.
I always recommend to set up an institution on Mahara and not use 'No institution' for everyone, even when you are the only institution on the site. That way you have more options available to you, including more granular admin permissions so that not every admin is immediately a site admin.
22 September 2023, 21:43
Thanks for your reply.
Undoubtedly there are installations that make use of institutions. We do too; we followed your advice and created one institution, but only one.
But our institutional IdP does not and will not transmit the needed attribute (which would not make sense for our Mahara instance with ONE institution). So we need a way to circumvent this attribute and get SAML working.
Every authenticated user is or will be a member of our single Mahara institution, so we do not need a distinction.
25 September 2023, 10:24
You could make a customisation so as not to require the value. There are a number of places where the value is checked and compared to the auth instance in the Mahara database. So it's not a trivial change.
As far as making Mahara more flexible to not require an update to the IdP metadata, one idea that Robert had could be to set up a config.php option to allow a hard-coded value. We'd then need to have a number of logic checks, including that only one SAML instance could be used if that attribute is set.