Commit e50acd41 authored by Kristina Hoeppner's avatar Kristina Hoeppner

Reword the usersuniquebyusername section on the SAML auth

and add it as an experimental feature
parent 2d0a6324
......@@ -88,3 +88,21 @@ If you want to import user portfolios into one institution using their Leap2A fi
| ``"petra","mahara-export-leap-user4-1334451885.zip"``
| ``"polly","mahara-export-leap-user5-1334451888.zip"``
.. index::
pair: Experimental features; usersuniquebyusername
.. _usersuniquebyusername:
usersuniquebyusername variable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*usersuniquebyusername* is a ``config.php`` setting that should be used with extreme caution as it could be misused.
Below is the documentation that can be found in the code. This feature is discussed for example in the discussion topics `Mahara Moodle integration and bug? <https://mahara.org/interaction/forum/topic.php?id=1118>`_ and `SSO: Mahara to Moodle <https://mahara.org/interaction/forum/topic.php?id=2022>`_.
.. note::
When turned on, this setting means that it doesn't matter which other application the user SSOs from, they will be given the same account in Mahara.
This setting is one that has security implications unless only turned on by people who know what they're doing. In particular, every system linked to Mahara should be making sure that same username == same person. This happens for example if two Moodles are using the same LDAP server for authentication.
If this setting is on, it must NOT be possible to self register on the site for ANY institution - otherwise users could simply pick usernames of people's accounts they wished to steal.
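Review bot: The new note block ends with a hard requirement ("it must NOT be possible to self register on the site for ANY institution") but gives the reader no way to act on it; suggest adding a cross-reference to the institution setting that controls self-registration and an explicit instruction to verify, for every institution on the site, that registration is disabled before setting the variable. Two smaller points in the same block: "same username == same person" should state whose job that is, i.e. the site administrator must confirm that every SSO source connected to Mahara draws its usernames from one shared identity store (the LDAP example given) and that no connected application lets its own administrators choose usernames freely; and since the section says it reproduces "the documentation that can be found in the code", consider showing the exact ``config.php`` line the reader has to add (the warning later in this file says the value is "true"), so the manual does not depend on readers locating the inline comment.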
......@@ -322,10 +322,10 @@ Choose this authentication method for your institution when you have a SAML 2.0
#. **Institution value to check against attribute**: Enter the value that will be checked against the institution attribute value as passed from the IdP. If the institution regex check box "Do partial string match with institution shortname" is selected, this value can be a regular expression that will be used to check against the institution attribute value. This field is required.
#. **Do partial string match with institution shortname**: Check this check box to treat the value in "Institution value to check against attribute" like a regular expression.
#. **User attribute**: Enter the name of the attribute passed by the IdP that contains the username. This field is required.
#. **Match username attribute to remote username**: Check this box if you want to match the user attribute value to the remote username field assigned to a given user (not the internal Mahara username).
#. **Match username attribute to remote username**: This box is selected by default and needs to stay selected. It matches the user attribute value to the remote username field assigned to a given user (not the internal Mahara username). Only if you have the :ref:`experimental feature of "usersuniquebyusername" <usersuniquebyusername>` turned on can you deselect this check box. We do not recommend this unless you are very experienced and have control over all applications in question.
#. |new15| **Allow users to link own account**: Check this box if you want to allow users to link their own internal Mahara account to the authenticated SAML account. This depends on the "Match username attribute to remote username" option being enabled. If this setting is turned on when users try to log in via SSO and their username as well as the email for example match an internal username, they can link their accounts. That would allow them to log in either via the SSO login or via the regular login box into the same account and avoid account duplication.
#. **Update user details on login**: Check this box to update the first name, last name and email address with the corresponding IdP values passed through at each login.
#. **We auto-create users**: Check this box to create user accounts on Mahara automatically when a user authenticates successfully but does not yet have an account. This cannot be used if the option "Match username attribute to remote username is enabled.
#. **We auto-create users**: This is unselected by default and needs to stay unchecked if the option "Match username attribute to remote username" is enabled. Check this box to create user accounts on Mahara automatically when a user authenticates successfully but does not yet have an account. Only if you have the :ref:`experimental feature of "usersuniquebyusername" <usersuniquebyusername>` turned on can you select this check box. We do not recommend this unless you are very experienced and have control over all applications in question.
#. **SSO field for First Name**: Enter the name of the attribute passed by the IdP that contains the user's first name.
#. **SSO field for Surname**: Enter the name of the attribute passed by the IdP that contains the user's last name.
#. **SSO field for Email**: Enter the name of the attribute passed by the IdP that contains the user's email address.
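Review bot: The rewritten "We auto-create users" item states the dependency on "Match username attribute to remote username" but not why it exists, so readers cannot judge the risk they accept by turning both experimental options on; suggest one sentence, e.g. "With this option on and usersuniquebyusername enabled, any connected identity provider can create an account under a username of its choosing, which is the situation the warning below describes." Minor wording: the item mixes "unselected" and "unchecked" in one sentence while the rest of the list uses "check"/"deselect"; pick one pair. The closing sentence "We do not recommend this unless you are very experienced and have control over all applications in question." now appears verbatim in both the "Match username attribute to remote username" and the "We auto-create users" items; keeping it once, in the warning block, would avoid the duplication.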
......@@ -333,12 +333,10 @@ Choose this authentication method for your institution when you have a SAML 2.0
#. Click the *Cancel* button to abort your changes.
.. warning::
By default, SAML authentication instances have the "Match username attribute to remote username" setting checked. This prevents a user logging in using single sign-on to log in as the local Mahara user whose Mahara username matches their SAML username attribute.
If that setting were unchecked, someone with control over any SAML identity provider could gain control over any user account on that Mahara site by setting the username attribute appropriately. In other words, administrators of one institution could control users in other institutions.
By default, SAML authentication instances have the "Match username attribute to remote username" setting selected. If that setting were unchecked, someone with control over any SAML identity provider could gain control over any user account on that Mahara site by setting the username attribute accordingly. In other words, administrators of one institution could control users in other institutions. |new15| You would only be able to deselect this setting if you set the "usersuniquebyusername" variable to "true" in ``config.php``. However, you should not do that on a Mahara instance to which multiple SAML providers connect and you are not in control of all usernames that are created.
.. seealso::
If you deselect "Match username attribute to remote username", you get an error message which talks about a config setting for "usersuniquebyusername". Please refer to the discussion topics `Mahara Moodle integration and bug? <https://mahara.org/interaction/forum/topic.php?id=1118>`_ and `SSO: Mahara to Moodle <https://mahara.org/interaction/forum/topic.php?id=2022>`_ for more information.
If you deselect "Match username attribute to remote username", you get an error message which talks about a config setting for "usersuniquebyusername". Please refer to the :ref:`experimental feature of the "usersuniquebyusername" variable <usersuniquebyusername>` for more information.
.. index::
single: MNet
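Review bot: The replacement warning drops the one sentence from the old text that said what the default setting actually prevents ("This prevents a user logging in using single sign-on to log in as the local Mahara user whose Mahara username matches their SAML username attribute."); the new paragraph jumps straight to the consequence of unchecking it, so suggest keeping that sentence before "If that setting were unchecked". The final sentence also needs a grammatical fix: "a Mahara instance to which multiple SAML providers connect and you are not in control of all usernames that are created" should read "... connect and where you are not in control of all usernames that are created". In the ``seealso`` block, "an error message which talks about a config setting" is vague; quoting the setting name the message shows, or at least saying the message names ``usersuniquebyusername``, would make the cross-reference easier to follow.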