catalyst / moodle-auth_saml2

SAML done 100% in Moodle, fast, simple, secure
https://moodle.org/plugins/auth_saml2

Complications with the "Allowed any auth type" setting and MNet accounts #689

Open jstilwell opened 2 years ago

jstilwell commented 2 years ago

We recently replaced an MNET integration with the SAML2 plugin. For the sake of failover, I decided to keep the MNET auth types set on each user, because I figured we could just toggle "Allowed any auth type" to true, and match on the e-mail field, to allow SAML2 to match those users.

However, we're running into duplicate accounts, because we're also allowing SAML2 to create new accounts.

The odd thing is that these duplicate accounts are using identical e-mail addresses, even though the site is set to not allow duplicate e-mail addresses.

So it seems like the auth_saml2 plugin A) cannot actually match on email for MNET accounts and B) creates users using the same e-mail address, even though the site is set to disallow that.

Is this expected behavior? If so, it may be prudent to add a warning note to the label for "Allowed any auth type" to cut down on confusion.

danmarsden commented 2 years ago

This is mostly just MNET and the way it works - mnet allows duplicate emails in the db with different mnet hosts - e.g. you can have a manual account with dan@example.com and then you can have a dan@example.com account that comes from an external host.

so if you have moodlesite1.com and moodlesite2.com connected via mnet, both can have an account with the dan@example.com email - but... if you login to moodlesite2.com as dan@example.com and try to connect to moodlesite1.com with that account it won't log you in as the account already created on moodlesite1.com, it will create a new one with the same email, but "connected" to moodlesite2.com and flags that account as an "external mnet" login.

So - when logging in with the saml2 plugin - it only looks for "local" accounts - rather than accounts connected to an external mnet auth.

If you have completely stopped using mnet - you should really update the mnethostid for all the users in the db to use the local mnethostid instead of the external one as it will likely cause you problems in future, and you'll need to be careful about any duplicate accounts with the same email.

If you wanted to modify this locally you could remove the mnethostid from this query: https://github.com/catalyst/moodle-auth_saml2/blob/ca88ab0b008b0cf7d35714fe80d64e76b89d3b89/classes/user_extractor.php#L62-L67

and if you wanted us to support something you could probably send us a pull request, but we'd probably need to control it somehow so that people could decide to match on all external mnet accounts or not.
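The lookup behaviour described in this thread (the saml2 plugin matching only accounts on the local mnethostid, so an external-MNet account with the same email is not found and a duplicate gets created) and the clean-up advice (repoint external accounts to the local mnethostid, watching for email collisions) can be reproduced against a small in-memory table. The following is an added illustration, not code from the auth_saml2 plugin or from Moodle: it uses a constructed, simplified stand-in for Moodle's user table (only the columns the discussion turns on), hard-codes host id 1 as a stand-in for the local mnethostid, and uses plain sqlite3 rather than Moodle's DB API.

```python
import sqlite3

# Assumption: id 1 stands in for the site's local mnethostid and id 2 for a
# former MNet peer. Real sites read the local id from Moodle's configuration.
LOCAL_MNET_HOST_ID = 1
EXTERNAL_MNET_HOST_ID = 2

# Constructed sample rows: one manual local account and one external-MNet
# account that share an email (the situation the thread describes), an
# external-only account, a saml2 account, and a deleted local account.
SAMPLE_USERS = [
    # (id, username, email, auth, mnethostid, deleted)
    (1, "dan",       "dan@example.com",   "manual", LOCAL_MNET_HOST_ID,    0),
    (2, "dan_ext",   "dan@example.com",   "mnet",   EXTERNAL_MNET_HOST_ID, 0),
    (3, "alice_ext", "alice@example.com", "mnet",   EXTERNAL_MNET_HOST_ID, 0),
    (4, "bob",       "bob@example.com",   "saml2",  LOCAL_MNET_HOST_ID,    0),
    (5, "old_alice", "alice@example.com", "manual", LOCAL_MNET_HOST_ID,    1),
]


def build_db():
    """Create the simplified stand-in for the user table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, username TEXT, email TEXT,"
        " auth TEXT, mnethostid INTEGER, deleted INTEGER)"
    )
    conn.executemany("INSERT INTO mdl_user VALUES (?,?,?,?,?,?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_by_email(conn, email, local_only=True):
    """Emulate the plugin's match-on-email lookup: non-deleted users with that
    email, restricted to the local mnethostid unless local_only is False
    (the restriction is what makes external-MNet accounts invisible)."""
    sql = ("SELECT id, username, auth, mnethostid FROM mdl_user"
           " WHERE LOWER(email) = LOWER(?) AND deleted = 0")
    params = [email]
    if local_only:
        sql += " AND mnethostid = ?"
        params.append(LOCAL_MNET_HOST_ID)
    return conn.execute(sql, params).fetchall()


def emails_used_by_multiple_accounts(conn):
    """Audit step: emails shared by more than one live account, whatever the
    host. These are the rows that need a decision before any relinking."""
    sql = ("SELECT LOWER(email), COUNT(*) FROM mdl_user WHERE deleted = 0"
           " GROUP BY LOWER(email) HAVING COUNT(*) > 1")
    return conn.execute(sql).fetchall()


def relink_external_accounts(conn):
    """Point live external-MNet accounts at the local mnethostid, but skip any
    whose email already belongs to a live local account so the update never
    manufactures a second local account with the same email.
    Returns (relinked_ids, skipped_ids)."""
    relinked, skipped = [], []
    rows = conn.execute(
        "SELECT id, email FROM mdl_user WHERE deleted = 0 AND mnethostid != ?",
        (LOCAL_MNET_HOST_ID,),
    ).fetchall()
    for uid, email in rows:
        clash = conn.execute(
            "SELECT 1 FROM mdl_user WHERE deleted = 0 AND mnethostid = ?"
            " AND LOWER(email) = LOWER(?)",
            (LOCAL_MNET_HOST_ID, email),
        ).fetchone()
        if clash:
            skipped.append(uid)
        else:
            conn.execute("UPDATE mdl_user SET mnethostid = ? WHERE id = ?",
                         (LOCAL_MNET_HOST_ID, uid))
            relinked.append(uid)
    conn.commit()
    return relinked, skipped


if __name__ == "__main__":
    db = build_db()
    print("local-only lookup for alice:", find_user_by_email(db, "alice@example.com"))
    print("all-hosts lookup for alice: ", find_user_by_email(db, "alice@example.com", local_only=False))
    print("shared emails before relink:", emails_used_by_multiple_accounts(db))
    print("relinked / skipped:        ", relink_external_accounts(db))
    print("local-only lookup for alice:", find_user_by_email(db, "alice@example.com"))
```

With the sample data, the local-only lookup for alice@example.com returns nothing (her only live account is external), which is the point at which a login with account creation enabled would produce a duplicate; the all-hosts lookup finds her. The audit reports dan@example.com as shared, and the relink moves alice's account to the local host while leaving dan's external duplicate alone for a human to merge or remove.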