Forums | Mahara Community

Pedagogy /
User management


Richard Samson's profile picture
Posts: 9

22 September 2023, 20:40

Sorry, if this is not the best forum for this question...

We recently moved from LDAP to SAML authentication. This means, as I understand it, that user profiles are created on first SSO login to Mahara.

This is great because we no longer have non-users clogging up our Mahara system. But there is a bottleneck when teachers want to create groups in Mahara. The target members of each group may not yet be present in Mahara and, if so, they cannot be pre-assigned to a group.

What is the best practice to deal with this? I can think of a number of alternatives but I want to hear some community wisdom first.

Thanks in advance.

 

 

Kristina Hoeppner's profile picture
Posts: 4707

25 September 2023, 9:29

Hi Richard,

Usually, the organisations we work with resolve this by creating the missing accounts via a CSV file without sending students a welcome message or the need to change the password as the authentication method is SAML and not internal login in your case. That way, everything is set up when they enter the site for the first time.

Cheers

Kristina

Richard Samson's profile picture
Posts: 9

26 September 2023, 0:15

That's great advice, Kristina.

Just a clarification, please. Each student's password in the CSV file will remain unused, am I right? Once they enter via SAML their already-established SSO password would take over, I suppose, as long as they enter via the SSO link. Does the new CSV password remain valid then or not?

Thanks. Best regards,

Richard

Kristina Hoeppner's profile picture
Posts: 4707

26 September 2023, 11:15

Hi Richard,

Correct. The password added via CSV will not be used. Students won't be able to enter their account with it because the account is tied to SSO and requires that they use the SSO button. You could set the 'Force password change' option to 'Yes' to be on the extra cautious side or remove the passwords from the database, but I don't see how anybody could get into the account because that password would only be picked up if the authentication method were 'internal'.

When you remove someone from the institution, their SSO authentication method is dropped and they'll receive an email to set a password for their internal account.

Cheers

Kristina

4 results