Forums | Mahara Community
LTI SSO Setup - What Have I Missed?
08 April 2022, 1:13
Looking to set up LTI SSO from Moodle 3.10v to Mahara 21.04v as it looks as though we will need to move away from using MNET from this coming summer due to the Moodle assignment plugin being outdated. We still currently have MNET enabled.
Followed guidance from here: https://manual.mahara.org/en/21.04/external/lti_mahara.html?highlight=lti
Though, when we add an LTI instance within Moodle and try and access, we receive this error:
What have I missed to cause this error?
08 April 2022, 1:30
My apologies, I found out why I was receiving this error - set 'Auto create accounts' within the institution's Web services config settings page.
Now have a new error:
08 April 2022, 10:06
Glad you could resolve the problem on your own. When you switch to OpenID Connect there are a few things that you may wish to keep in mind:
Mahara understands OpenID Connect via the SAML plugin as long as you enable the SAML Bridge in your IdP. Your IdP manager should know what they need to configure for that as I don't since we don't normally administer IdPs. ;-) This is of course only relevant if you allow your students to log in via Mahara itself.
Often when organisations switch authentication methods, the usernames change as well. If you only use LTI it's not a huge deal as LTI checks for the username and the email address, and if they find the latter but not the former, you'll get back into your account. Only if you have SAML / OpenID Connect in the mix will you potentially have to change the remote username (username for external authentication) for the SAML authentication if that has changed with OpenID Connect and then give it a thorough test of a few existing accounts and new accounts.
Usually, the tests I perform after all changes have been made are:
- Log in via SSO directly into Mahara (not via Moodle) → Check that you get into your existing account → If yes → Log out → Log in via LTI → Check that you are taken to your existing account. If a new account is created, check why, e.g. in most cases there's a problem with the remote username. Note that the account settings screen only gives you the remote username for the parent authentication, i.e. SSO. The database contains all.
- With a different account that already exists in Mahara and is linked to LTI and SSO: Log in via LTI → Check that you get into the existing account → If yes, log out → Log in via SSO → Check that you are taken to the existing account.
- With a different person (unless you can delete your account): Log in via SSO → Note down the ID for your account (usually the profile URL or if you use clean URLs and you want to be very certain, go to Admin menu → People search → Click the username. That'll give you the ID in the URL) → Log out → Log in via LTI → Check that you end up in the same account → Delete the account.
- Log in via LTI with a person who doesn't yet have an account on Mahara → Note down the ID for the account → Log out → Log in via SSO on the Mahara homepage → Check that you end up in the same account → Delete the account.
It is best to test with a few accounts as admin accounts tend to be somewhat problematic (often the email address is used multiple times, which LTI does not like).
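An added example, not part of the post above and not Mahara's own code: the checklist says the database holds every remote username and that reused email addresses cause trouble for LTI, so the sketch below runs those checks as SQL queries. It uses a constructed in-memory SQLite database; the table and column names (`usr`, `auth_instance`, `auth_remote_user`) are assumptions modelled on Mahara's schema without a table prefix and should be confirmed against your own installation before reusing the queries.

```python
import sqlite3

# Constructed sample data. Table and column names are assumptions (see lead-in).
SCHEMA = """
CREATE TABLE usr (id INTEGER PRIMARY KEY, username TEXT, email TEXT, deleted INTEGER);
CREATE TABLE auth_instance (id INTEGER PRIMARY KEY, instancename TEXT);
CREATE TABLE auth_remote_user (authinstance INTEGER, remoteusername TEXT, localusr INTEGER);
INSERT INTO usr VALUES (1,'admin','it@example.org',0), (2,'jsmith','jsmith@example.org',0),
                       (3,'helpdesk','it@example.org',0), (4,'akhan','akhan@example.org',0);
INSERT INTO auth_instance VALUES (10,'SSO'), (11,'LTI');
INSERT INTO auth_remote_user VALUES (10,'jsmith@idp',2), (11,'jsmith',2), (11,'akhan',4);
"""

def load():
    """Build the constructed database in memory."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def duplicate_emails(db):
    """Email addresses shared by more than one live account (bad test candidates)."""
    return db.execute(
        "SELECT LOWER(email), COUNT(*) FROM usr WHERE deleted = 0 "
        "GROUP BY LOWER(email) HAVING COUNT(*) > 1 ORDER BY 1").fetchall()

def remote_usernames(db, username):
    """Every remote username stored for one account, per auth instance."""
    return db.execute(
        "SELECT ai.instancename, aru.remoteusername FROM usr u "
        "JOIN auth_remote_user aru ON aru.localusr = u.id "
        "JOIN auth_instance ai ON ai.id = aru.authinstance "
        "WHERE u.username = ? ORDER BY ai.instancename", (username,)).fetchall()

def missing_link(db, instancename):
    """Live accounts with no remote username for the named auth instance."""
    rows = db.execute(
        "SELECT u.username FROM usr u WHERE u.deleted = 0 AND NOT EXISTS ("
        "  SELECT 1 FROM auth_remote_user aru "
        "  JOIN auth_instance ai ON ai.id = aru.authinstance "
        "  WHERE aru.localusr = u.id AND ai.instancename = ?) "
        "ORDER BY u.username", (instancename,)).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = load()
    print("Shared emails:", duplicate_emails(db))
    print("jsmith links:", remote_usernames(db, "jsmith"))
    print("No SSO link:", missing_link(db, "SSO"))
```

Accounts listed by `missing_link` for the SSO instance are the ones most likely to get a second account on their first SSO login if the remote username does not line up.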
04 May 2022, 22:46
Looks like we will hold off for the time being and stay with MNET for our Moodle 3.11 and investigate early 2023.