
Complications with the "Allowed any auth type" setting and MNet accounts

Open · jesse-dot-id opened this issue 3 years ago · 1 comment

We recently replaced an MNET integration with the SAML2 plugin. For the sake of failover, I decided to keep the MNET auth types set on each user, because I figured we could just toggle "Allowed any auth type" to true, and match on the e-mail field, to allow SAML2 to match those users.

However, we're running into duplicate accounts, because we're also allowing SAML2 to create new accounts.

The odd thing is that these duplicate accounts are using identical e-mail addresses, even though the site is set to not allow duplicate e-mail addresses.

So it seems like the auth_saml2 plugin A) cannot actually match on email for MNET accounts and B) creates users using the same e-mail address, even though the site is set to disallow that.

Is this expected behavior? If so, it may be prudent to add a warning note to the label for "Allowed any auth type" to cut down on confusion.

jesse-dot-id avatar May 11 '22 17:05 jesse-dot-id

This is mostly just MNET and the way it works - mnet allows duplicate emails in the db with different mnet hosts - eg you can have a manual account with [email protected] and then you can have a [email protected] account that comes from an external host.

so if you have moodlesite1.com and moodlesite2.com connected via mnet, moodlesite1.com and moodlesite2.com can both have an account with the [email protected] email - but... if you login to moodlesite2.com as [email protected] and try to connect to moodlesite1.com with that account, it won't log you in as the account already created on moodlesite1.com; it will create a new one with the same email, but "connected" to moodlesite2.com, and flag that account as an "external mnet" login.

So - when logging in with the saml2 plugin - it only looks for "local" accounts - rather than accounts connected to an external mnet auth.

If you have completely stopped using mnet - you should really update the mnethostid for all the users in the db to use the local mnethostid instead of the external one as it will likely cause you problems in future, and you'll need to be careful about any duplicate accounts with the same email.

If you wanted to modify this locally you could remove the mnethostid from this query: https://github.com/catalyst/moodle-auth_saml2/blob/ca88ab0b008b0cf7d35714fe80d64e76b89d3b89/classes/user_extractor.php#L62-L67

and if you wanted us to support something you could probably send us a pull request, but we'd probably need to control it somehow so that people could decide to match on all external mnet accounts or not.

danmarsden avatar May 11 '22 22:05 danmarsden
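An added example, written for this page and not code from moodle-auth_saml2 or Moodle, that models the three things the reply above describes: an email lookup that only matches rows on the local mnethostid, the effect of dropping that mnethostid filter from the query, and the duplicate-email check you want before re-homing former MNet users to the local host. The table is an in-memory sqlite stand-in using Moodle's mdl_user column names; the host ids, the sample rows and the exact query shape are assumptions for illustration, not the plugin's real query.

```python
"""
Added example (not moodle-auth_saml2 or Moodle code): an in-memory sqlite model of
mdl_user showing why a local-only email match misses an MNet-linked account, why
matching across all hosts can return more than one row, and why re-homing users
to the local mnethostid must be preceded by a duplicate-email check.
"""
import sqlite3

# Assumed host ids. In Moodle the local one is $CFG->mnet_localhost_id; the
# value 2 stands in for a former MNet peer such as moodlesite2.com.
LOCAL_HOST = 1
REMOTE_HOST = 2

# Minimal subset of mdl_user (real column names, assumed subset).
SCHEMA = """
CREATE TABLE mdl_user (
    id         INTEGER PRIMARY KEY,
    auth       TEXT    NOT NULL,
    deleted    INTEGER NOT NULL DEFAULT 0,
    mnethostid INTEGER NOT NULL,
    username   TEXT    NOT NULL,
    email      TEXT    NOT NULL
);
"""

# Constructed sample rows mirroring the thread: a manual local account and an
# external-MNet account for the same person (same email), plus an MNet-only user.
SAMPLE_ROWS = [
    (1, "manual", 0, LOCAL_HOST,  "alice", "alice@example.org"),
    (2, "mnet",   0, REMOTE_HOST, "alice", "alice@example.org"),
    (3, "mnet",   0, REMOTE_HOST, "bob",   "bob@example.org"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO mdl_user VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_by_email(conn, email, local_only=True):
    """Email lookup in the shape the reply describes (assumed, not the plugin's SQL).

    local_only=True filters on mnethostid = LOCAL_HOST, so an external-MNet row is
    never matched. local_only=False is the 'remove mnethostid from the query'
    change, which can then return more than one row for the same email.
    """
    sql = "SELECT id FROM mdl_user WHERE email = ? AND deleted = 0"
    params = [email]
    if local_only:
        sql += " AND mnethostid = ?"
        params.append(LOCAL_HOST)
    sql += " ORDER BY id"
    return [row[0] for row in conn.execute(sql, params)]


def colliding_emails(conn):
    """Emails held by more than one live account across all hosts: exactly the
    rows that would become ambiguous once everyone is on the local host."""
    sql = """SELECT email FROM mdl_user WHERE deleted = 0
             GROUP BY email HAVING COUNT(*) > 1 ORDER BY email"""
    return [row[0] for row in conn.execute(sql)]


def mark_deleted(conn, user_id):
    """Retire one account of a duplicate pair (Moodle soft-deletes with deleted=1)."""
    return conn.execute("UPDATE mdl_user SET deleted = 1 WHERE id = ?", (user_id,)).rowcount


def rehome_mnet_users(conn):
    """Move live external-MNet users to the local host and onto saml2 auth.

    Refuses to run while any email collides, because an email-keyed SAML2 match
    would then pick between two local accounts. Returns the number of rows moved.
    """
    dupes = colliding_emails(conn)
    if dupes:
        raise ValueError(f"resolve duplicate accounts first: {dupes}")
    cur = conn.execute(
        "UPDATE mdl_user SET mnethostid = ?, auth = 'saml2' "
        "WHERE deleted = 0 AND mnethostid <> ?",
        (LOCAL_HOST, LOCAL_HOST),
    )
    return cur.rowcount
```

Run against the sample rows, the local-only lookup finds nothing for bob (so a site that also allows account creation would mint a second bob with the same email), the cross-host lookup returns both alice rows, and `rehome_mnet_users` refuses until one alice account is retired.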