16 October 2014, 11:20

Quick question:

One Moodle, one Mahara, 40 schools, each would have their own institution. Can we do SSO from Moodle to Mahara and vice versa while using institutions? Accounts are authenticating against an LDAP server.

Thanks

16 October 2014, 17:48

Hi Dirk,

Sure, there are a few ways you could do this:

1. SAML: Set up a SimpleSAMLphp instance to handle the SSO, and use the SAML auth method in Moodle & Mahara to connect to it. SimpleSAMLphp has an LDAP module that should allow you to use your LDAP server to provider the user accounts.

2. MNet (aka Mahoodle aka XMLRPC) with Mahara as the identity provider

3. MNet with Moodle as the identity provider: The limitation here is that a Mahara site can have only one auth instance for any given MNet URL, sitewide. So it would not be possible to have a separate auth instance for the same Moodle site, in each of your 40 institutions. You could workaround this by either having Mahara be the identity provider, or by having an extra Mahara institution just for holding the Moodle auth instance, and have all students belong to that institution as well as their normal institution. Might require some additional scripting to set that up though.

4. Other SSO systems that Moodle & Mahara both have plugins for: CAS, Shibboleth, Persona/Browserid

Of these, MNet has the added benefit of working with a couple of Moodle-Mahara integration plugins in Moodle: The Mahara "portfolio" plugin, which allows students to export some Moodle content into their Mahara site; and the Mahara "assignment submission" plugin, which allows students to submit Mahara pages as a component of an assignment submission in Moodle.

Cheers,

Aaron

19 November 2015, 20:41

Aaron, can I just confirm your point (2) MNet (aka Mahoodle aka XMLRPC) with Mahara as the identity provider ...

We have a new installation of Mahara 15.10 and Moodle 3.0 with Mahara as the 'entry point' for our students and from which they link to Moodle.

I set up the XMLRPC connection using the "no institution" (site wide) institution and set the parent as "internal".

I am able to set up lots of new institutions and all the users (who have "internal" authentication) are able to log in to Moodle as well, which is exactly what I want.

It may sound odd, but I am worried that it works as all of the user manuals say you cannot have several institutions linking to one Moodle. Could you confirm this is correct.

Also ... when setting up new users you have a choice of authentication - there is one 'internal' for each institution, but it seems to make no difference which one you choose - they all seem to work equally well. Can you also confirm this is as expected.

Thanks a lot

Rick

20 November 2015, 10:57

Hi Rick,

Well, I think the limitation is that you can't set up more than one XMLRPC (mnet) auth instance that points to the same URL. You've just set up one XMLRPC instance, in the "No Institution" institution, so that's why you're not encountering any problems.

It is a bit odd that you could use the "Internal" auth instance from other institutions, and it will work with the XMLRPC instance from the "No Institution" inst. I think that actually may be a bug in Mahara, albeit one that is working out for you! It is like the old programmer parable, every bug is a feature to someone. ;)Cheers,Aaron

02 November 2014, 17:06

Hello Dirk,

As Aaron pointed out, this is not yet possible with MNet. However, if you only want to use authentication, you can achieve that with LDAP or SSO if the schools have their own identifier. But then you can't use the Mahoodle-specific functionality.

We started work on the MNet replacement (first off: getting the Mahara web services plugin into Mahara as that is a cornerstone for any further development and already a big piece of work in itself). One crucial component for this replacement will be to allow one Moodle to connect to multiple Mahara institutions on one Mahara instance. We don't yet have an ETA so I couldn't tell you whether it's going live in April or not. If your school district wanted to support the development of features, you know how to find us. ;-)

Cheers

Kristina

12 November 2014, 10:38

A design which may not belong in this thread ...

Imagine a school district has multiple subsidiary schools (mostly very small, 30 to 50 students) all of which want a ‘white-labelled’ Institution or community (meaning that they can choose their own theme/logo, can post their own static pages and can create new user accounts for only the Institution). They would also like to initiate groups that initially belong to only their institution. However these groups (focussed on developing projects, classes, topics, policies) could also be made accessible (thru key word searches) to members of other institutions or even the whole district if so desired.

The district also wants it’s own labelling and static pages and it’s own groups that can be made accessible to the institutions if desired - a Learn to use Mahara group is an example that is relevant to all Institutions and so this would be shared.

Individual students have their own accounts, usually associated with an Institution. This is the theme/configuration they see when they sign-in. However, as they can choose belong to multiple institutions according to the settings for these (open, moderated, closed) they can switch from institution to institution on demand.

When an individual clicks on their Institutions in the Groups menu they would see a live link to any Institution they are members of and, when they go to that Institution or go to a Group in an Institution, it should show up in its proper theme, not the theme of their ‘parent’ institution. Ideally a student should be able to ‘set’ their dashboard to show up in the Institution of their choice.

One key use of multiple institutions is that each person can choose to be a member of the district institution by opting in, in which case they become findable in a search by all the other people to who also opt-in to the district.

So far I cannot get this design to work. I can’t find out how a user swaps from one Institution to another, for example. When a user finds their Institution membership under the Groups menu, whilst there is a list, there are no links. So, if the target institution has some static pages that are important for the visitor to see, they can’t get there to see them. And, if a user navigates to a group they belong to that was created through Institution A (getting there by clicking on the group in the My Groups block) they see this group displayed in the theme of their primary institution, not the theme of Institution A.

Can this be done?

14 November 2014, 10:58

Hello Andrew,

Anything can be done. :-) It's just a matter of how long it takes and how much it costs. ;-)

You are touching on a number of things that are already possible in Mahara (but could be made better) and a number of things that are not possible because we do not yet have "isolated institutions", i.e. where institutions can prevent others to see their groups, group memberships, contact users etc.

What can be done already?

• White labelling: Every school that is set up as separate institution can change the theme and upload its logo. Members of that institution will see that theme if they are only in one institution.
• Institution static pages: Possible since Mahara 1.9.
• Create new user accounts only within institution: Institution admins can only administer their institution users. User acounts themselves are created on the system (but associated with an institution or more). This is beneficial because when someone is removed from an institution, they still have their account and can use that in another institution.
• Institution-only groups: If an institution admin wants to set up groups via a CSV file, they can only add institution members. Groups themselves are technically system wide because you can add other users manually, but it is up to the group admin to not do that when it is supposed to be an institution-only group. We'd need "isolated institutions" to make a stronger demarcation.
• If a user is a member of more than one institution, they can switch their theme in their account settings and decide in which theme they want to work. Since they belong to multiple institutions, it would be very difficult for Mahara to know when to display theme A and when to display theme B as pages can be created no matter whether a member of A or B and group participation as well.
• If you want students to be able to be members of multiple institutions, you will need to enable that in Administration -> Configure site -> Site options -> Institution settings. If it's not enabled, students will need to leave / be removed from their institution in order to join another. If an institution allows a user to join also depends on their registration settings. If they don't allow registration, users cannot ask to join, but can only be added by admins.

What is not yet possible?

• Institutions do not have a welcome page per se because the welcome page is your dashboard. The only "Institution page" would be where you see the contact details for staff and administrators. If you are a member of multiple institution that then becomes a problem.
• Seeing only members from your school / only your school's groups: That would require isolated institutions. You can find the basic information about it on the wiki.

I hope you can see that a number of things are already possible (with some tweaks maybe) while others cannot yet be done without additional development.

Cheers

Kristina

14 November 2014, 13:59

Hi Kristina,

Thanks so much for the comprehensive reply. I followed up the isolated institutions wiki (almost exactly what I am after) and the forum threads you sent. It seems as if the development of this feature has stalled?

What would it take to wake it up again and, how far away from implementation is it?

All the best

Andrew

17 November 2014, 8:34

Hello Andrew,

The isolated institution feature is quite a large one of a few weeks of development effort for sure as it touches upon a huge number of permissions, needs to create new rules and all that needs to be tested to ensure that people can't accidentally see what they are not supposed to see.

Since its implementation back in the day, the requirements may have changed and as a post by Richard a few years ago pointed out, there are a few things not yet governed by isolated institutions.

It's one of those features that a lot of people would like to see implemented, but it is too large for one funding partner to finance as they often also want other things to have done instead of just one huge feature. It would probably take a few organizations (and a grant?) to get together to support the development work. If you have ideas of how to accomplish that, please share.

Cheers

Kristina