Moodle tracker: MDL-72986

Make username field compatible with SAML subject-id


Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.11.3
    • Fix Version/s: None
    • Component/s: None
    • Affected Branches: MOODLE_311_STABLE

    Description

      We want students from other universities to be able to log in to our Moodle site using their universities' Shibboleth IdP. The foreign IdPs provide us with a pairwise ID instead of a username. This pairwise ID is formatted as a SAML subject identifier:

      <value> = <uniqueID> "@" <scope>
      <uniqueID> = (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "=" / "-")
      <scope> = (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "-" / ".")

      See https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html#_Toc536097227.

      The problem is that we cannot save this subject identifier in the Moodle username field for two reasons:

      1. The value may contain an equals sign ("="), which isn't allowed in Moodle usernames.
      2. The value may be up to 255 characters long, far exceeding the Moodle username length limit of 100 characters.

      We are aware that the first problem can probably be worked around by enabling the extendedusernamechars config option, although we'd prefer only allowing the equals sign, not any special character. The second problem is more problematic anyway, since the database field for the username is only 100 characters long and cannot be extended using a config option.

      Therefore, we suggest that the username field should be extended to allow for SAML subject identifiers to be saved in it. We think that this is a use case that should be accounted for by Moodle, since Moodle even offers its own Shibboleth WAYF service, encouraging admins to allow users from multiple IdPs.

      We propose the following changes:

      1. Extend the username database field to 255 characters.
      2. Add a config option to set the maximum username length (up to 255, defaults to 100).
      3. Add a config option to specify the list of characters allowed in usernames (defaults to a-z, 0-9 and "-.@_").
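
An added example, in Python rather than Moodle's PHP, written for this page and not part of Moodle or of the reporter's proposal: it parses a value against the subject-id ABNF quoted above and then checks the same value against the two Moodle constraints the issue names. The regular expression is derived from the ABNF above, the 100-character limit and the default character set are taken from the issue text, the lowercasing step mirrors Moodle's PARAM_USERNAME cleaning, and the sample identifiers are constructed, not taken from any real IdP.

```python
import re

# ABNF quoted in the issue (OASIS saml-subject-id-attr v1.0):
#   <value>    = <uniqueID> "@" <scope>
#   <uniqueID> = (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "=" / "-")
#   <scope>    = (ALPHA / DIGIT) 0*126(ALPHA / DIGIT / "-" / ".")
# Each half is 1..127 characters, so a value is at most 255 characters.
SUBJECT_ID_RE = re.compile(
    r"(?P<uniqueid>[A-Za-z0-9][A-Za-z0-9=-]{0,126})"
    r"@(?P<scope>[A-Za-z0-9][A-Za-z0-9.-]{0,126})"
)

# Moodle limits as stated in the issue: a 100-character username column and,
# with extendedusernamechars off, the character set a-z 0-9 "-" "." "@" "_".
USERNAME_MAXLEN = 100
USERNAME_CHAR_RE = re.compile(r"[-.@_a-z0-9]")


def parse_subject_id(value):
    """Check value against the subject-id ABNF and return (uniqueid, scope).

    The grammar allows "=" only in uniqueID and "." only in scope, and "@"
    in neither, so the single "@" splits the two parts unambiguously.
    """
    m = SUBJECT_ID_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"not a valid SAML subject-id: {value!r}")
    return m.group("uniqueid"), m.group("scope")


def is_subject_id(value):
    """Boolean form of parse_subject_id for callers that only need a verdict."""
    try:
        parse_subject_id(value)
    except ValueError:
        return False
    return True


def username_problems(username, extendedusernamechars=False):
    """List why a string cannot be stored verbatim as a Moodle username.

    Mirrors the two rules the issue describes. Moodle's PARAM_USERNAME
    lowercases before validating, so this check does too. Setting
    extendedusernamechars=True lifts the character whitelist (the workaround
    mentioned in the issue) but cannot lift the column length.
    """
    candidate = username.lower()
    problems = []
    if len(candidate) > USERNAME_MAXLEN:
        problems.append(f"length {len(candidate)} exceeds {USERNAME_MAXLEN}")
    if not extendedusernamechars:
        bad = sorted({c for c in candidate if not USERNAME_CHAR_RE.fullmatch(c)})
        if bad:
            problems.append("disallowed characters: " + "".join(bad))
    return problems


def subject_id_username_problems(value, extendedusernamechars=False):
    """Validate a subject-id first, then report whether Moodle could store it."""
    uniqueid, scope = parse_subject_id(value)
    return username_problems(f"{uniqueid}@{scope}", extendedusernamechars)


# Constructed sample values (hypothetical, not from any real IdP).
SHORT_ID = "a3b9c=x7@idp.example.edu"              # legal "=" inside uniqueID
MAX_ID = "u" + "0" * 126 + "@" + "s" + "x" * 126   # 127 + 1 + 127 = 255 characters


if __name__ == "__main__":
    for sample in (SHORT_ID, MAX_ID):
        for extended in (False, True):
            verdict = subject_id_username_problems(sample, extended) or "stores OK"
            print(f"{sample[:32]}... extendedusernamechars={extended}: {verdict}")
```

Running it shows the asymmetry the issue points at: enabling extendedusernamechars clears the "=" complaint for the short identifier, while a maximal 255-character identifier is rejected for length under either setting, since no config option changes the column width.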

People

    Reporter: Lars Bonczek (bonczek)
    Assignee: Unassigned
    Votes: 2
    Watchers: 3