SSO Error


Yaju Mahida

19 March 2009, 3:38

Hi, while experimenting with SSO we have successfully shared the keys, and in Moodle the Network Server block even displays the Mahara link. When a user clicks it, it jumps to Mahara but gives an error like the one below.

Sorry, could not log you in :(

Sorry, we could not log you into Mahara at this time. Please try again shortly, and if the problem persists, contact your administrator

Account deleted

19 March 2009, 5:50

Hi - try having a look in both the Moodle and Mahara apache error logs - hopefully there will be a more detailed message in there.

Yaju Mahida

20 March 2009, 1:23

We got the solution: a time synchronisation issue. We configured both machines with a central NTP server and it is now working fine.

[Fri Mar 20 13:19:33 2009] [error] [client 192.168.0.10] [WAR] 29 (api/xmlrpc/client.php:132) Time drift (1, 2473.5) is too large., referer: http://XXXXX/moodle/index.php

Thanks

Yaju Mahida

27 March 2009, 0:04

Has anybody implemented SSO both ways?

We have trouble with SSO from Mahara to Moodle. Many strange error messages.

From Moodle to Mahara it is working properly, and you can even go back to Moodle from Mahara.

If anybody wants to share technical details of Moodle-Mahara integration, apart from the Mahoodle PDF, that would be great.


Account deleted

27 March 2009, 12:21

Hi Yaju!

That's definitely far less tested than the other direction. Perhaps if you posted all the error messages you were getting, we might be able to help further :)

Account deleted

29 March 2009, 22:12

Hi - note that you shouldn't set up both Moodle to Mahara SSO and Mahara to Moodle SSO on the same Moodle/Mahara pair. Otherwise, things will get very confused. You'll likely see lots of duplicate accounts being set up as people jump from one side to the other using the SSO jumplinks.

Mahara to Moodle SSO should work OK - as long as you're only doing it that way. I think Jamie has been doing that for the last while without too many issues.

It's probably a mistake in the UI for configuring SSO - it provides checkboxes for going both ways, but in reality only one way should be configured at a time.

You don't actually need SSO to go both ways - there's no reason why you can't provide links both ways, as long as the links on the 'main' side (where the user accounts are initially) are all 'jump links' - e.g. they point to jump.php, like the ones in the MNET sideblocks do.

Yaju Mahida

30 March 2009, 19:26

In our implementation we have a central LDAP server, and both Moodle and Mahara use that for authentication. All student accounts exist on Moodle.

From Moodle to Mahara, SSO works fine as expected. If a user is new to Mahara, an account is created, and next time they can use Mahara directly or from Moodle.

With Mahara to Moodle SSO, when 'Auto add remote users' in MNET is set to No, Moodle says 'No local record exists for remote user', although the account already exists on Moodle.

And when 'Auto add remote users' in MNET is set to Yes, Moodle creates duplicate accounts with extra attributes like RemoteId / MNETID. We want to prevent this, as all accounts exist on Moodle. It should behave like Mahara: instead of creating a duplicate account, it should use the regular account that exists on Moodle.

Any idea about this? Thanks


Account deleted

31 March 2009, 6:02

Hi - this is exactly the behaviour I would expect if you try and arrange SSO both ways, as I explained in my previous post.

I will try again.. :)

Ok, so you have a Moodle with an account on it called 'bob'. And you have set up SSO from Moodle to Mahara, _and_ from Mahara to Moodle (which is what you've done, and what I am saying will cause problems).

When bob clicks the link to go to Mahara, he jumps across just fine. On the Mahara side, the first time bob jumps it grabs a free username (usually 'bob' unless there already is a bob, in which case it would be bob1, or bob2 etc..), and thus bob from Moodle has jumped to be bob in Mahara.

Now, the badness happens when you have SSO set up both ways. Now bob tries to jump back from Mahara, and Moodle sees that there is a 'bob' user coming from Mahara, not knowing that it's actually its own bob user. It can't know that, because as explained before, the user might have been renamed bob1, which would mean that Moodle would be seeing 'bob1' come in from Mahara. Thus, Moodle does what it thinks it should do, and creates a new account.

If this new 'bob' in Moodle (who probably got called bob1 as there already was the original bob) then SSOs back to Mahara, there will be a bob2 account created! And so on...

The behaviour you're seeing with the 'auto add remote users' flag is then just like you'd expect. When it's set to 'no', there isn't a local record for the user because Moodle can't tell that the bob who is coming in is the same as the bob who jumped.

So... I hope that explains. And as I said before, the solution: Don't set up two way SSO. You just set it up one way, and then users can jump back and forth just fine. As mentioned, you make sure all the links from Moodle to Mahara are the special jumplinks, and then the login form will always be displayed when necessary.

Hope that helps!
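
The account multiplication discussed in this thread, as an added example that is not part of any post and is not Moodle or Mahara code: a toy model in which each site identifies an incoming SSO user only by (origin site, remote username) and hands out the first free local name. The `Site` class, the suffix scheme and the function names `two_way` and `one_way` are assumptions made for illustration, so the exact names produced may differ from a real installation.

```python
class Site:
    """Toy model of one side of an SSO pair (illustrative, not Moodle/Mahara code)."""
    def __init__(self):
        self.accounts = set()    # local usernames
        self.remote_index = {}   # (origin site, remote username) -> local username

    def _free_username(self, wanted):
        # Assumed allocation scheme: the name itself if free, else base1, base2, ...
        if wanted not in self.accounts:
            return wanted
        base = wanted.rstrip("0123456789") or wanted
        n = 1
        while f"{base}{n}" in self.accounts:
            n += 1
        return f"{base}{n}"

    def sso_land(self, origin, remote_username, auto_add=True):
        key = (origin, remote_username)
        if key in self.remote_index:
            return self.remote_index[key]
        # A same-named local account is not matched: nothing proves it is the same person.
        if not auto_add:
            raise LookupError("No local record exists for remote user")
        local = self._free_username(remote_username)
        self.accounts.add(local)
        self.remote_index[key] = local
        return local


def two_way(trips, auto_add=True):
    """One person starts as Moodle's 'bob' and makes `trips` SSO round trips."""
    moodle, mahara, user = Site(), Site(), "bob"
    moodle.accounts.add("bob")
    for _ in range(trips):
        user = mahara.sso_land("moodle", user)
        user = moodle.sso_land("mahara", user, auto_add)
    return sorted(moodle.accounts), sorted(mahara.accounts)


def one_way(trips):
    """SSO only Moodle -> Mahara; the way back is a plain link and Moodle's own login."""
    moodle, mahara = Site(), Site()
    moodle.accounts.add("bob")
    for _ in range(trips):
        mahara.sso_land("moodle", "bob")
    return sorted(moodle.accounts), sorted(mahara.accounts)


if __name__ == "__main__":
    print(two_way(2), one_way(5))
```

In this model two round trips leave one person with five accounts across the pair, while any number of one-way jumps leaves exactly one account on each side; calling `two_way(1, auto_add=False)` raises the "No local record exists for remote user" error.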
