Forums | Mahara Community
SSO: Mahara to Moodle
13 July 2010, 4:23
Is it possible to have SSO from Mahara to Moodle? If so how? In particular, there doesn't seem to be the equivalent of Moodle's "network servers" block so you can pick the Moodle to jump to.
What I really want to do is for users who register on Mahara to be able to jump across to Moodle and for users who register in Moodle to jump across to Mahara and then be able to log into either. I suspect the last bit might be impossible as I'm pretty sure that the SSO process does not copy the password.
Any thoughts appreciated :)
13 July 2010, 14:34
Have a look at Mahoodle.pdf, from page 28 on. While the document is a bit outdated (the screen shots are from Mahara 1.1 and Moodle 1.8), I'm pretty sure you'll find your way around it :-)
Pay attention to the note on page 32 talking about account duplication. This is a well-known side effect of allowing the users to log in locally at either end and then roam to the other (as there's yet no easy way for each end to recognise an existing local user roaming from a remote peer). You have been warned.
13 July 2010, 16:42
Ahhh.... I've read that document loads but never right to the end :)
So, would I perhaps be better setting up an LDAP directory for my users and authenticating both against that? I'm trying to think if that solves the duplicate user issue but me head is hurting.
I already have a system running like that but it has multiple Moodles roaming to one Mahara with LDAP authentication as the parent to the SSO. I've never had a requirement to log into Mahara and jump to Moodle... until now.
14 July 2010, 3:39
> So, would I perhaps be better setting up an LDAP directory for my users
> and authenticating both against that? I'm trying to think if that solves
> the duplicate user issue but me head is hurting.
I don't think so. Even if you use LDAP (so your users don't have two different 'local' passwords in Moodle and Mahara), you can still have duplicate accounts in Moodle and/or Mahara.
When users log in locally in Moodle for the first time, a "local" account is created. Then they log in locally in Mahara too and another "local" account is created. Then when they roam (SSO out) from any of the systems to the other, they appear as "remote" accounts. And neither Moodle nor Mahara know that they are in fact the same users that already have a local account, because there's no shared knowledge between the two about the user accounts. So a second account is created for the same users.
As far as I know, the MNET system is not designed to support "global identity" accounts across several installations. You only have a "user id + mnet host id" identifier, which implies that identity is tied to a given mnet host, and only resolvable locally at that system.
14 July 2010, 4:41
Ahh... but... there's a config option. I can't remember what it is but it's there because I paid Catalyst to put it in :) It tells Mahara that all usernames are guaranteed to be unique across all Institutions and authentication methods. I think this solves the problem.
It isn't a problem in Moodle in the first place. Moodle only allows unique usernames already (I think).
Found it: $cfg->usersuniquebyusername = true;
15 July 2010, 0:47
Actually usernames are NOT unique in Moodle. The unique field is a combination of username + mnethostid. So I think you'll find while this config option exists in Mahara, you're going to have a problem in Moodle anyway :(
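A simplified model of the account lookup discussed in the posts above (identity keyed on username + mnethostid, and the effect described for `usersuniquebyusername`), added here as an illustration. It is not Moodle or Mahara code and not from any poster; the `Site` class, its methods and the user `alice` are constructed for the example.

```python
from dataclasses import dataclass, field

LOCAL = "local"  # stand-in for a site's own mnet host id (constructed value)


@dataclass
class Site:
    """Toy user table for one Moodle or Mahara site (hypothetical model)."""
    name: str
    # Models the effect the thread describes for $cfg->usersuniquebyusername.
    unique_by_username: bool = False
    accounts: dict = field(default_factory=dict)  # (username, origin host) -> id

    def _create(self, username, origin):
        account_id = len(self.accounts) + 1
        self.accounts[(username, origin)] = account_id
        return account_id

    def login_local(self, username):
        # First local login creates a "local" account.
        return self.accounts.get((username, LOCAL)) or self._create(username, LOCAL)

    def sso_in(self, username, from_host):
        # Default behaviour: identity is the pair (username, origin host).
        if (username, from_host) in self.accounts:
            return self.accounts[(username, from_host)]
        if self.unique_by_username:
            # Link to any existing account with this username. Only sound when
            # every peer draws usernames from one source, as plan (a) requires.
            for (existing, _origin), account_id in self.accounts.items():
                if existing == username:
                    return account_id
        return self._create(username, from_host)

    def accounts_for(self, username):
        return sorted(i for (u, _), i in self.accounts.items() if u == username)


def roam_both_ways(mahara_unique):
    """Local login on both sites, then SSO in each direction.

    Returns (accounts for alice on Moodle, accounts for alice on Mahara).
    """
    moodle = Site("moodle")
    mahara = Site("mahara", unique_by_username=mahara_unique)
    moodle.login_local("alice")
    mahara.login_local("alice")
    mahara.sso_in("alice", from_host="moodle")
    moodle.sso_in("alice", from_host="mahara")
    return len(moodle.accounts_for("alice")), len(mahara.accounts_for("alice"))
```

With the option off both sites end up with two accounts for the same person; with it on, only the Mahara side collapses to one, which is the asymmetry the post above points out.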
15 July 2010, 4:04
You know when you are typing something and thinking "this probably isn't true". Sigh :-P
So - basically - the plan would be (a) use external authentication that guarantees unique usernames across the whole setup and (b) write a patch for Moodle to (without having looked or thought about it yet) ignore the mnethostid and enforce unique usernames.
Something like that....
Am I being weird? This sounds like a scenario many people would have.
15 July 2010, 6:23
It sounds like it's a common scenario but I suspect it's not because most people seem to be aware of the design decisions for MNet to have a single IDP and the requirement to "chain" IDPs in one direction back to it.
I say "aware" and I don't mean in a technical sense, I guess people are just used to working within the confines of the system.
15 July 2010, 7:23
......or simply that Moodle came first and most users have all their users in Moodle already. So SSO from Moodle to Mahara is logical for the majority.
As soon as you start to think about a more general SSO structure then the fun and games start :) Oh well!
Thanks for the input... at least I think I understand what's going on now :)
17 November 2011, 9:30
We're trying to add in LDAP on top of Moodle SSO and manual Mahara logins. So I added your $cfg addition and it broke SSO.
I'm deploying a test Moodle 2.0 and Mahara 1.4 to another server to try and get Shibboleth playing nicely with them all (and with a view to allowing logins from a mobile phone without going through Moodle if possible).