07 February 2025, 1:45

Hello community,

we are running Mahara 24.04.8 (Paid subscription, Standard Plan) and we are using Mahara Webservices (REST) to sync users from one of our systems to Mahara. 

Our users are always assigned to two institutions. Let's just call them 'Institution A' and 'Institution B'.

Both institutions have 'saml' authentication and 'internal' authentication. (Some users use 'saml' for single sign on, others use 'internal'.) In the Authentication plugin section on the institution config page (admin/users/institutions.php) the 'saml' authentication is ranked first and is displayed as the top authentication method.

We use the Mahara Webservices to check whether a user exists. For this we use the function 'mahara_user_get_users_by_id' with the 'remoteuser' parameter.

Everything works in terms of the connection. But when authentication method 'Institution A: saml' is set for a user, the webservice function doesn't find the user and returns an error like this: User with username "xyz" is not known at auth instance "2". (I redacted the username.)

In our case auth instance 2 is 'Institution A: internal'.

Why does it just look for the user in 'Institution A: internal' and then stop? And why does it look in 'Institution A: internal' first, where it doesn't find the user, although in the institution settings the 'saml' authentication is always set and ranked as the first authentication plugin?

In my opinion it should look for this user in all relevant auth instances (which in this case would be 'Institution A: saml', 'Institution A: internal', 'Institution B: saml' and 'Institution B: internal'). Only if the user was not found in any of these, it should stop and return an error stating that the user wasn't found.

I'm not sure if this is a bug or my assumptions are wrong?

When I look into the code (in the file /webservice/functions/mahara_user_external.php), I can see the 'checkuser' function. There is an if/else statement that differentiates by search criterion (id, username, email and remoteuser). For me the relevant part is the one that deals with the remoteuser.

As far as I understand it gets all the relevant auth instances and loops through them, trying to find the user by remoteuser. But what it does is the loop immediately stops, if the user isn't found in the first auth instance, and the error message stated above is returned.

What I did now is I edited the code and placed the 'find_by_instanceid_username' call (for me it is line 688 in /webservice/functions/mahara_user_external.php) in a try-block, and I catch the exception and set the $dbuser to false. With this change it continues the loop, and the user is eventually found. This solves the problem for me:

try
   {
       $dbuser = $user_factory->find_by_instanceid_username($dbinstance->id, $remote_user, true);
   }
   catch (Exception $e)
   { 
       $dbuser = false;
   }

But like I said, I am not really sure if this is a Mahara bug or I am I misunderstanding all this. And ideally, I would leave the core code untouched.

Could someone perhaps take a look at this or say something about it?

Cheers and thank you!

10 February 2025, 10:56

Hi Ma,

Thanks for spotting this. I've created an issue in our GitLab. If you or a representative of your organisation has an account on the Mahara GitLab, feel free to follow the progress and collaborate with us by answering the checks on the issue I've not filled in.

Kind regards,

Doris

11 February 2025, 4:52

Hello Doris,

thank you for creating an issue in the GitLab! I have added some details there.