Commit e0638fd4 authored by Kristina Hoeppner

Add info about linking of accounts & usersuniquebyusername

parent 68da3f47
......@@ -323,9 +323,9 @@ Choose this authentication method for your institution when you have a SAML 2.0
#. **Do partial string match with institution shortname**: Check this check box to treat the value in "Institution value to check against attribute" like a regular expression.
#. **User attribute**: Enter the name of the attribute passed by the IdP that contains the username. This field is required.
#. **Match username attribute to remote username**: Check this box if you want to match the user attribute value to the remote username field assigned to a given user (not the internal Mahara username).
#. |new15| **Allow users to link own account**: Check this box if you want to allow users to link their own internal Mahara account to the authenticated SAML account. This depends on the "Match username attribute to remote username" option being enabled.
#. |new15| **Allow users to link own account**: Check this box if you want to allow users to link their own internal Mahara account to the authenticated SAML account. This depends on the "Match username attribute to remote username" option being enabled. If this setting is turned on when users try to log in via SSO and their username as well as the email for example match an internal username, they can link their accounts. That would allow them to log in either via the SSO login or via the regular login box into the same account and avoid account duplication.
#. **Update user details on login**: Check this box to update the first name, last name and email address with the corresponding IdP values passed through at each login.
#. **We auto-create users**: Check this box to create user accounts on Mahara automatically when a user authenticates successfully but does not yet have an account.
#. **We auto-create users**: Check this box to create user accounts on Mahara automatically when a user authenticates successfully but does not yet have an account. This cannot be used if the option "Match username attribute to remote username is enabled.
#. **SSO field for First Name**: Enter the name of the attribute passed by the IdP that contains the user's first name.
#. **SSO field for Surname**: Enter the name of the attribute passed by the IdP that contains the user's last name.
#. **SSO field for Email**: Enter the name of the attribute passed by the IdP that contains the user's email address.
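Review bot: the new "We auto-create users" sentence is missing its closing quotation mark; `"Match username attribute to remote username is enabled.` should read `"Match username attribute to remote username" is enabled.` The added sentence under "Allow users to link own account" is also hard to parse ("their username as well as the email for example match an internal username"); state plainly which attributes (username, email) must match the existing internal account before linking is offered, since that matching condition is what decides whether an SSO login can be joined to a pre-existing account and so deserves precise wording here.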
......@@ -333,13 +333,12 @@ Choose this authentication method for your institution when you have a SAML 2.0
#. Click the *Cancel* button to abort your changes.
.. warning::
This security issue only affects sites which make use of the SAML authentication plugin and have more than one SAML identity provider.
By default, SAML authentication instances have the "Match username attribute to remote username" setting unchecked. This means that a user logging in using single sign-on will log in as the local Mahara user whose Mahara username matches their SAML username attribute.
By default, SAML authentication instances have the "Match username attribute to remote username" setting checked. This prevents a user logging in using single sign-on to log in as the local Mahara user whose Mahara username matches their SAML username attribute.
In this configuration, someone with control over any SAML identity provider could gain control over any user account on that Mahara site by setting the username attribute appropriately. In other words, administrators of one institution could control users in other institutions.
If that setting were unchecked, someone with control over any SAML identity provider could gain control over any user account on that Mahara site by setting the username attribute appropriately. In other words, administrators of one institution could control users in other institutions.
To fix this, site administrators of multi-institution sites with SAML authentication in use should ensure that the "Match username attribute to remote username" setting is enabled in each SAML-enabled institution, unless usernames are guaranteed to be unique across all SAML providers.
.. seealso::
If you deselect "Match username attribute to remote username", you get an error message which talks about a config setting for "usersuniquebyusername". Please refer to the discussion topics `Mahara Moodle integration and bug? <https://mahara.org/interaction/forum/topic.php?id=1118>`_ and `SSO: Mahara to Moodle <https://mahara.org/interaction/forum/topic.php?id=2022>`_ for more information.
.. index::
single: MNet
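Review bot: the rewritten sentence "This prevents a user logging in using single sign-on to log in as the local Mahara user ..." is ungrammatical; use "This prevents a user logging in via single sign-on from logging in as the local Mahara user ...". Because the default is now described as checked (the safe state), the warning's opening line "This security issue only affects sites ..." points at an issue that has not yet been described; consider "The following security issue ..." or moving that sentence after the "If that setting were unchecked" paragraph. In the seealso block, "usersuniquebyusername" is named but not explained; a short clause on what that config setting controls would save readers the trip through the two forum threads.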
......