catalyst / moodle-auth_saml2

SAML done 100% in Moodle, fast, simple, secure
https://moodle.org/plugins/auth_saml2

duallogin passive strange behavior #709

Closed KernelPan1k closed 1 year ago

KernelPan1k commented 1 year ago

Dear Catalyst team,

I am writing to you because I have a behavior with this plugin that I do not understand. I would like users who already have a session open in the SSO to be directly connected to Totara (version 16), and users who don't have a session via SAML to be able to use the login/password form. From what I understand from the documentation, I need to set the "dual login" option to passive. The problem I have is that when I choose this option, if I don't have a session in the SSO I am always redirected to the SSO and I never see the login form from Totara. Did I forget something in the configuration? Is the problem due to the fact that the plugin is not Totara compatible?

Could you help me?

Have a nice day

kp

brendanheywood commented 1 year ago

hi @KernelPan1k

Passive mode is not quite what you want; you probably just want dual auth so that everyone sees the manual login screen and the button to select the SAML IdP. Sometimes people get confused by the choice and enter their SAML credentials into the manual login form; you can improve the UX of this via this other plugin:

https://moodle.org/plugins/local_login

brendanheywood commented 1 year ago

Sorry, to be clearer: you want duallogin set to yes rather than passive. If passive doesn't work there might be a lack of support for it with your IdP. If you know that passive mode does work with your IdP with other services but not with this plugin then please reopen this.

KernelPan1k commented 1 year ago

Hello,

Yes, I will try to clarify my request; my bad English doesn't help me make myself understood, sorry.

To begin with, I thank you for this other plugin; it will certainly be useful to me in the future.

For this project, LMS Totara uses SAML2 authentication for users who are in their workplace. All users of the platform who are present at their workplace will only be able to and need to authenticate via SSO, they should ideally never see the LMS login/password form.

If users need to log into the platform from home, they will not have access to the SSO. In this case, they should only see the Totara login/password form (and they should not see the IdP link).

For the moment, the Totara platform is not yet open to all learners, we are testing. I have temporarily set up the platform as follows:

When the client performs an SSO test using ?saml=on, they are able to authenticate. Without any URL parameter they can use their Totara credentials without any problem.

However, when I try the future configuration in passive mode, we are constantly redirected to the IDP.

I am a Totara administrator, but I do not have an account in the client IdP. When I put the configuration in passive mode, I am locked out of the platform. When I use ?saml=off it doesn't work either; I have to change the database configuration on the command line (dual login: Yes) to be able to access the platform again.

Do you think that my problem comes from:

I thank you in advance and also for all your very useful plugins.

KP

brendanheywood commented 1 year ago

So when passive mode is on the LMS will redirect to the IdP, but if they are not logged in to the IdP then it should redirect back, and then this plugin will remember and won't redirect you a second time. If your IdP is not redirecting you back then either it doesn't support passive mode, or it does but needs to be configured somehow, or there is a bug in passive mode in the plugin.

This plugin works fine in Totara; we have a bunch of them in prod. I don't think it is a configuration error in Totara either; what you have set looks correct to me. The next step I would recommend you try is to install a SAML debugger like this one:

https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?hl=en

Then trace all the SAML assertions in your browser and follow where it is going. If the SAML assertions look correct going to your IdP with IsPassive on, but your IdP isn't honoring it, then you need to debug it on that side.

Beyond that it would be hard for me to do anything else without credentials and access to your site and pairing with the IdP administrator. If you would like commercial support then please contact us via https://catalyst-au.net/contact-locations/sydney#email-us?location=Sydney
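An added diagnostic example, not code from the plugin or from anyone in this thread, for checking what a SAML tracer shows in the passive-mode exchange described above: it decodes a redirect-binding SAMLRequest parameter, confirms the AuthnRequest carried IsPassive="true", and classifies the IdP's Response by its StatusCode so that a NoPassive status (the IdP honoured the passive request but the user had no session, which is what the plugin should handle by showing the login form) is told apart from success or other failures. The sample messages and the lms.example URL are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_NOPASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

# Constructed sample messages (not captured from any real IdP or LMS).
SAMPLE_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
    'IssueInstant="2023-01-01T00:00:00Z" IsPassive="true" '
    'AssertionConsumerServiceURL="https://lms.example/acs"/>'
)
SAMPLE_NOPASSIVE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0" '
    'IssueInstant="2023-01-01T00:00:01Z" InResponseTo="_req1">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
    f'<samlp:StatusCode Value="{STATUS_NOPASSIVE}"/></samlp:StatusCode></samlp:Status>'
    '</samlp:Response>'
)

def encode_redirect_param(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE then base64, as seen in ?SAMLRequest=."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_param(param: str) -> str:
    """Inverse of encode_redirect_param; a SAML tracer shows this decoded XML."""
    return zlib.decompress(base64.b64decode(param), -15).decode()

def request_is_passive(xml_text: str) -> bool:
    """True if the SP's AuthnRequest asked the IdP for a passive attempt."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("IsPassive", "false").lower() == "true"

def classify_response(xml_text: str) -> str:
    """'success', 'nopassive', or 'other:<deepest status code>'."""
    root = ET.fromstring(xml_text)
    # Document order: the top-level StatusCode comes first, nested ones follow.
    codes = [e.get("Value") for e in root.iter(f"{{{SAMLP}}}StatusCode")]
    if not codes:
        raise ValueError("no samlp:StatusCode in response")
    if codes[0] == STATUS_SUCCESS:
        return "success"
    return "nopassive" if STATUS_NOPASSIVE in codes else "other:" + codes[-1]
```

A "nopassive" result means the IdP honoured IsPassive and the plugin should fall back to the manual form; if the tracer instead shows the browser parked on the IdP login page with no Response at all, the IdP is not honouring the passive request.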

KernelPan1k commented 1 year ago

Ok thank you very much, I will follow your advice.

Have a nice day