catalyst / moodle-auth_saml2

SAML done 100% in Moodle, fast, simple, secure
https://moodle.org/plugins/auth_saml2

User already exists but still gets "You have logged in succesfully as 'xyz' but do not have an account in Moodle" #706

Open vancouverdeveloper opened 2 years ago

vancouverdeveloper commented 2 years ago

For some users who have already existed in Moodle for several years, when they log in using our Azure SSO they still get "You have logged in succesfully as 'xyz' but do not have an account in Moodle".

For some it works with no problem.

When I set autocreate to Yes, then of course it fails, because the existing email is already in the system when they try to complete their "profile".

Here is my test output:

SP name: ourmoodle.school.com

Which IdP will be used? 6917bd2c748693f165a330899ece8e0d

IDP: https://sts.windows.net/9d83cfc7-6330-47d5-b12d-45bafe3b1d87/ md5: 6917bd2c745673f165a330817ece8e0d check: 6917bd2c745673f165a330817ece8e0d

Authed with IdP https://sts.windows.net/9d83cfc7-6330-47d5-b18d-45bafe3b1d39/ { "http:\/\/schemas.microsoft.com\/identity\/claims\/tenantid": [ "9d83cfc7-6330-47d5-b18d-45bafe3b1d87" ], "http:\/\/schemas.microsoft.com\/identity\/claims\/objectidentifier": [ "52d31651-4828-4d97-9dc8-e23198816e62" ], "http:\/\/schemas.microsoft.com\/identity\/claims\/displayname": [ "Jimmy Smith" ], "http:\/\/schemas.microsoft.com\/identity\/claims\/identityprovider": [ "https:\/\/sts.windows.net\/9d83cfc7-6330-47d5-b18d-45bafe3b1d87\/" ], "http:\/\/schemas.microsoft.com\/claims\/authnmethodsreferences": [ "http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/authenticationmethod\/password", "http:\/\/schemas.microsoft.com\/claims\/multipleauthn" ], "http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/givenname": [ "Jimmy" ], "http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/surname": [ "Smith" ], "http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress": [ jsmith@school.com ], "http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/name": [ jsmith@school.com ] } You are logged in: Logout

They log in using their username or student id (i.e. jsmith for staff and 1234567 for students).

I expected that, because the users are already there, they should be able to log in directly.

vancouverdeveloper commented 2 years ago

I forgot to add that the authentication method is set/left as LDAP. Changing them to SAML makes no difference.

Weird how a few have this problem (like mine) and a host of others, whereas a lot don't have it!

danmarsden commented 2 years ago

What version of the plugin do you have installed? Also, have you tried setting the saml2 "tolower" setting in the settings page to "case insensitive"?

There were a couple of bugs with that setting in some of the earlier versions in the past few weeks, depending on what user matching field you are using.

vancouverdeveloper commented 2 years ago

What version of the plugin do you have installed? Also, have you tried setting the saml2 "tolower" setting in the settings page to "case insensitive"?

There were a couple of bugs with that setting in some of the earlier versions in the past few weeks, depending on what user matching field you are using.

2022060900

And yes, it is already set to case insensitive.

I noticed as well that for those who are able to SSO in, their last login time was always set to "1969-12-31 16:00:00" (from_unixtime).

The strange thing is that the username used is in their email format and not the existing user account, because we set it as email address for "Mapping Moodle auth_saml2 | mdlattr".

I did a query on mine and deleted that entry from the mdl_user table, and to my surprise it now works!

So, for example, if John Smith was already in as "jsmith" username:

They SSO as jsmith@school.com, so he now has 2 of them, and that error comes up. I think once I delete their username of jsmith@school.com, it seems to work, and the SSO is now tied to their usual jsmith account even though they log in as jsmith@school.com!
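The situation described in this thread (an LDAP-created "jsmith", a second record keyed by "jsmith@school.com", and a login that either finds no account or binds to the wrong one) comes down to which Moodle field the plugin compares against which IdP attribute, and whether the comparison ignores case. The following is an added illustrative model written for this page, not the auth_saml2 plugin's own code: `match_user` is a hypothetical stand-in for the plugin's matching step (the setting names `idpattr`, `mdlattr` and the case-insensitive "tolower" option are the ones referred to above, but the logic here is a simplification), `find_colliding_accounts` is an audit helper for spotting accounts that would resolve to the same IdP identity before linking, and the sample users and attributes are constructed from the values quoted in the thread.

```python
from dataclasses import dataclass
from typing import Dict, List

# Claim URIs as they appeared (JSON-escaped) in the thread's test output.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


@dataclass
class MoodleUser:
    """Minimal stand-in for an mdl_user row (only the fields that matter here)."""
    id: int
    username: str
    email: str
    auth: str            # e.g. 'ldap' or 'saml2'
    deleted: bool = False


class NoAccount(Exception):
    """No Moodle account matched: the 'do not have an account in Moodle' outcome."""


class AmbiguousMatch(Exception):
    """More than one Moodle account matched the same IdP identity."""


def normalize(value: str, case_insensitive: bool) -> str:
    value = value.strip()
    return value.lower() if case_insensitive else value


def match_user(users: List[MoodleUser], attributes: Dict[str, List[str]],
               idpattr: str, mdlattr: str, case_insensitive: bool = True) -> MoodleUser:
    """Hypothetical model of the matching step: return the single non-deleted
    user whose `mdlattr` field equals the first value of IdP attribute `idpattr`."""
    values = attributes.get(idpattr) or []
    if not values:
        raise NoAccount(f"IdP response carries no '{idpattr}' attribute")
    wanted = normalize(values[0], case_insensitive)
    hits = [u for u in users
            if not u.deleted
            and normalize(getattr(u, mdlattr), case_insensitive) == wanted]
    if not hits:
        raise NoAccount(f"no Moodle user with {mdlattr} == {values[0]!r}")
    if len(hits) > 1:
        raise AmbiguousMatch(f"{len(hits)} users share {mdlattr} == {values[0]!r}")
    return hits[0]


def outcome(users, attributes, idpattr, mdlattr, case_insensitive=True) -> str:
    """Summarise a login attempt as a short string (handy for checks and tests)."""
    try:
        return "matched:" + match_user(users, attributes, idpattr, mdlattr, case_insensitive).username
    except NoAccount:
        return "noaccount"
    except AmbiguousMatch:
        return "ambiguous"


def find_colliding_accounts(users: List[MoodleUser], case_insensitive: bool = True) -> List[List[int]]:
    """Audit helper: groups of user ids that resolve to the same identity because
    one account's username equals another's email, or two accounts share an email
    (e.g. LDAP-created 'jsmith' and a later 'jsmith@school.com' record)."""
    groups: Dict[str, set] = {}
    for u in users:
        if u.deleted:
            continue
        for key in {normalize(u.username, case_insensitive), normalize(u.email, case_insensitive)}:
            groups.setdefault(key, set()).add(u.id)
    clusters: List[set] = []
    for ids in groups.values():
        if len(ids) < 2:
            continue
        merged, rest = set(ids), []
        for c in clusters:            # merge clusters that share a user id
            if c & merged:
                merged |= c
            else:
                rest.append(c)
        clusters = rest + [merged]
    return sorted(sorted(c) for c in clusters)


# Constructed sample data modelled on the thread: 'jsmith' exists from LDAP, a
# student account exists, and a second record keyed by the e-mail address exists.
SAMPLE_USERS = [
    MoodleUser(1, "jsmith", "jsmith@school.com", "ldap"),
    MoodleUser(2, "1234567", "1234567@school.com", "ldap"),
    MoodleUser(3, "jsmith@school.com", "JSmith@school.com", "saml2"),
]

# The two relevant claims from the Azure AD response quoted in the thread.
SAMPLE_ATTRIBUTES = {
    EMAIL_CLAIM: ["jsmith@school.com"],
    NAME_CLAIM: ["jsmith@school.com"],
}

if __name__ == "__main__":
    ldap_only = SAMPLE_USERS[:2]
    print("username <- emailaddress:", outcome(ldap_only, SAMPLE_ATTRIBUTES, EMAIL_CLAIM, "username"))
    print("email    <- emailaddress:", outcome(ldap_only, SAMPLE_ATTRIBUTES, EMAIL_CLAIM, "email"))
    print("with duplicate record   :", outcome(SAMPLE_USERS, SAMPLE_ATTRIBUTES, EMAIL_CLAIM, "email"))
    print("colliding account ids   :", find_colliding_accounts(SAMPLE_USERS))
```

With only the LDAP accounts present, matching `username` against the e-mail claim yields the "no account" outcome from the report, while matching `email` against the same claim binds to "jsmith". Once a second record named "jsmith@school.com" exists, matching on `username` against the `name` claim silently binds the IdP identity to that record instead of the original, and matching on `email` becomes ambiguous (case-insensitively, the two emails are equal); running `find_colliding_accounts` over the user table before enabling SSO surfaces exactly that pair so it can be cleaned up as the reporter did.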

vancouverdeveloper commented 2 years ago

SimpleSAMLphp version (auth_saml2 | sspversion): 1.19.5

Moodle version: 4.1dev (Build: 20220603)