Forums | Mahara Community
Support
/
SAML issue
26 April 2024, 19:23
Hi All,
Currently I'm trying to use saml as authentication method. I would like to ask if the accounts exist before (Use XMLRPC & LDAP to login) can be reused?
Another issue is that after I setup SAML, it shows below message.
Invalid account selected
Institution for connecting account not resolved
I have read other posts that this issue is related to the Institution attribute, is that means that a key return from the idp must be same as my Institution name? Is it the Institution Full name or short name?
Thanks.
Simon
26 April 2024, 20:49
Hi Simon,
In another thread you state that SAML now works perfectly for you. Is that not the case after all?
The attribute that the IdP returns does not have to be the same as your institution's short name.
As far as using existing accounts, yes, you can. You will need to change the authentication method though and potentially also the usernames if your Moodle / LDAP usernames were different from SAML. See the manual for information on how to change the auth method and usernames / remote usernames in your case.
Cheers
Kristina
26 April 2024, 21:04
Hi Kristina,
In the last thread, I'm able to get the metadata xml after reconfiguring the config.php with redis prefix. And I started to configure the SAML with my colleague who manages idp. However, during the setup, I found there is an error "Institution for connecting account not resolved" after login via SSO.
Actually, I'm quite confused about the setting of Institution attribute (contains "um") and Institution value to check against attribute. What should I fill in there to fix the issue? Thanks.
Simon
30 April 2024, 13:18
Hi Simon,
Those are values that your IdP needs to provide. Please see the 'Help' next to the fields. Since every IdP uses different terminology and field names, we wouldn't know what it's called in yours. Your person dealing with the IdP should know though from the example that is given.
Cheers
Kristina
It's also in the manual:
Institution attribute (contains ‘…’): Enter the attribute that will be passed from the Identity Provider (IdP) that shows which institution the account belongs to. This usually directly correlates to the LDAP attribute (the signin service of the IdP), e.g. eduPersonOrgDN. This field is required.
Institution value to check against attribute: Enter the value that will be checked against the institution attribute value as passed from the IdP. If the institution regex switch ‘Do partial string match with institution shortname’ is set to ‘Yes’, this value can be a regular expression that will be used to check against the institution attribute value. This field is required.
03 May 2024, 15:06
Hi Kristina,
Thanks for your reply. Now we're managed to login via SAML after following your suggestion.
Simon