Forums | Mahara Community

SAML config error


Jin Zhang
Posts: 11

18 April 2024, 8:42

Hi Robert,

I did a clean installation but still had the same error when I tried to view the service provider metadata. However, we found a workaround. The URL "/auth/saml/sp/metadata.php?output=xhtml" gives an error, but "/auth/saml/sp/metadata.php" without the URL parameter doesn't. It downloads a PHP page and it contains the metadata.

I have another related question. Where can I find the Shibboleth SP config file shibboleth2.xml?

Thank you for your help!

Jin

Robert Lyon
Posts: 762

19 April 2024, 9:58

Hi Jin,

Mahara only uses the SimpleSAMLphp module in the SAML 2.0 authentication way.

If you wish to connect Mahara to a Shibboleth Identity Provider then you would need to configure that to use the SAML 2.0 bridge as the way to connect.

Cheers

Robert

Jin Zhang
Posts: 11

27 April 2024, 9:49

Hi Robert,

Now we have SAML working partially. Users can log in via SSO if their accounts have been created in Mahara by administrators, but they get the error message "Invalid account selected Institution for connecting account not resolved" if the users' accounts don't exist. Is that something to do with account auto-creation (we have it enabled) or the SAML institution attribute setting?

Thanks,

Jin

Robert Lyon
Posts: 762

29 April 2024, 9:47

Hi Jin,

Looking at the error you are getting, it sounds like you are using SAML with the OIDC module. Is this correct?

If so, then the discovery of the institution value to be used for a new person should go through the htdocs/auth/oidc/classes/loginflow/authcode.php file detect_auth_instance() function on line 106.

You can check to see if anything is set by adding a new line at line 114:

log_debug($instances);

and check your error log to see what is set there.

It feels as though this function is returning false/null when it should return an instance ID.

Cheers

Robert

Jin Zhang
Posts: 11

30 April 2024, 9:26

Hello Robert,

We are not using SAML with the OIDC module. In fact, our installation doesn't have an htdocs/auth/oidc/ directory.

I enabled SAML debug in the config file and found that there is no user ID in the database records when users try to log in without existing accounts. I guess that is normal since the users' accounts/IDs don't exist.

I am wondering if there is anywhere else I can check to debug this issue. Please advise.

Thanks,

Jin

Robert Lyon
Posts: 762

02 May 2024, 11:15

Hi Jin,

I got confused about the OIDC stuff because there is a similar error message for that.


OK, so now what I think is happening is that the 'institution' value coming through from the SAML identity provider for those new accounts is not matching a Mahara institution, so authentication fails.

I'm looking at the htdocs/auth/saml/index.php file, and in there is the auth_saml_find_authinstance() function that tries to compare the passed-in institution value to an existing SAML instance in Mahara.

To check what values are being passed in, you can add the following line at line 137 of this file: error_log(print_r($saml_attributes, true));

Then use an account that fails to log in, and check the error log to see what the institution value is.

This should match the institution attribute/value/regex data for the 'institution' found in the auth_instance_config database table. E.g. if in the database we have:

        6 | institutionattribute           | eduPersonAffiliation
        6 | institutionvalue                 | group1
        6 | institutionregex                 | 

Then the $saml_attributes array should contain something like

[eduPersonAffiliation] => 'group1'


Cheers

Robert
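The matching described in the post above, as an added example that is not Mahara's own code: a simplified stand-in for the institution lookup attributed to auth_saml_find_authinstance(), which an administrator can run offline to see whether a given set of auth_instance_config rows would resolve an institution for the attributes the IdP sends. Assumptions, none taken from the page: config rows are keyed by auth instance ID and hold the three institution* keys quoted in the post; SAML attributes arrive as name => list of strings (the shape SimpleSAMLphp delivers); and a non-empty institutionregex means institutionvalue is treated as a regular expression rather than an exact string.

```php
<?php
// Added example, not code from Mahara. A simplified model of the institution
// lookup the forum post describes, for checking a configuration offline.
//
// Assumptions (not from the page):
//  * $configs is keyed by auth instance ID, each row holding the three
//    institution* keys shown in the post;
//  * $saml_attributes is name => list of strings, as SimpleSAMLphp returns;
//  * a non-empty institutionregex means institutionvalue is a regex pattern
//    applied to each attribute value instead of an exact comparison.

/**
 * Return the auth instance ID whose institution rule matches the attributes,
 * or null when nothing matches (the situation behind the
 * "Institution for connecting account not resolved" message for new accounts).
 */
function find_matching_authinstance(array $configs, array $saml_attributes): ?int
{
    foreach ($configs as $instance_id => $cfg) {
        $attr  = $cfg['institutionattribute'] ?? '';
        $value = $cfg['institutionvalue'] ?? '';
        $regex = $cfg['institutionregex'] ?? '';

        // The IdP never sent the configured attribute: this row cannot match.
        if ($attr === '' || !array_key_exists($attr, $saml_attributes)) {
            continue;
        }

        foreach ((array) $saml_attributes[$attr] as $candidate) {
            $matched = ($regex !== '')
                ? preg_match('~' . $value . '~', $candidate) === 1  // pattern rule
                : $candidate === $value;                              // exact rule
            if ($matched) {
                return (int) $instance_id;
            }
        }
    }
    return null; // no instance resolved
}

/**
 * Produce a one-line diagnosis: which instance resolved, or, on failure,
 * what the IdP actually sent next to what each config row expects. This is
 * the comparison the error_log(print_r($saml_attributes, true)) hint in the
 * post lets you make by hand.
 */
function explain_lookup(array $configs, array $saml_attributes): string
{
    $id = find_matching_authinstance($configs, $saml_attributes);
    if ($id !== null) {
        return "resolved auth instance $id";
    }
    $sent = [];
    foreach ($saml_attributes as $name => $values) {
        $sent[] = $name . '=' . implode('|', (array) $values);
    }
    $wanted = [];
    foreach ($configs as $instance_id => $cfg) {
        $wanted[] = sprintf('instance %s wants %s=%s%s', $instance_id,
            $cfg['institutionattribute'] ?? '', $cfg['institutionvalue'] ?? '',
            ($cfg['institutionregex'] ?? '') !== '' ? ' (regex)' : '');
    }
    return 'no instance resolved; IdP sent [' . implode(', ', $sent)
         . '] but config expects [' . implode('; ', $wanted) . ']';
}

// Constructed sample data mirroring the rows quoted in the post.
$configs = [
    6 => [
        'institutionattribute' => 'eduPersonAffiliation',
        'institutionvalue'     => 'group1',
        'institutionregex'     => '',
    ],
];

// Case 1: attribute and value line up with the row, so instance 6 resolves.
echo explain_lookup($configs, ['eduPersonAffiliation' => ['group1']]), PHP_EOL;

// Case 2: the IdP sends a different affiliation, so nothing resolves.
echo explain_lookup($configs, ['eduPersonAffiliation' => ['staff']]), PHP_EOL;

// Case 3: the IdP omits the attribute entirely; existing accounts would
// still log in via their stored mapping, but a brand-new account has no
// institution to be created in.
echo explain_lookup($configs, ['mail' => ['constructed@example.org']]), PHP_EOL;
```

Running the script (php lookup.php) prints one line per case; the second and third lines show the two distinct ways the attribute can fail to match (wrong value versus attribute absent), which is what to compare against the print_r output in the error log.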
