We just achieved a small but efficient SSO layer in a fully open Moodle Network. A "fully open" Moodle Network is a set of Moodle instances connected together in which multiple hops are allowed. In such a network, a user is always known by its username/origin_mnethostid information pair.
Achieving this was done by delegating the MNET session jumping to the origin host of the user when he tries to jump from another node in the network. (Works perfectly, but will need some side-effect fixes on reports, as Nigel McNie suspected.)
I finished the design of a new auth plugin that allows SSOing any user of the network. This very simple plugin does the following:
- Capturing the username/password submission (the plugin must be set very high in the auth stack), using the login_page_hook loop at the start of login/index.php
- Applying a heuristic over the username syntax to check for a probable origin host. (This works fairly well when a Moodle node is administratively mapped to an email domain, and the username is the email address.)
- Building a redirection to the remote login/index.php, with a required URL that points back to the local landing page. (The effect is that the user actually logs in on his own origin node, but immediately requires a jump to where he was supposing to go first!)
- Executing the redirection
If none of the above works, the auth plugin lets the request go through to try a local login (or other methods in the stack).
The process is completely compatible with a back-end LDAP authentication (so we are making it work) and encrypts the login delegation for security, making an encrypted SSO ticket stub with identification data in it (using registered MNET keys).
I need some feedback on possible security issues or something to take care of that I might not have thought about. Thanks everyone.
The "multimnet" auth plugin is a candidate for public publication.
Cheers.
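The delegation flow described in the post, as an added stand-alone model that is not the multimnet plugin's code: a username heuristic picks the probable origin host, the local node builds a redirect to that host's login/index.php carrying an authenticated stub that names the landing page, and the origin host validates the stub before acting on it. The host table, the `multimnet` query parameter, the ticket format and the TTL are assumptions, and the MNET key pairs are replaced by a shared HMAC key so the example runs offline with the standard library.

```python
"""Model of the delegated MNET login flow from the post.

Added illustration, not the multimnet plugin's code. Host table, key
handling and parameter names are assumptions; MNET key pairs are replaced
by a shared HMAC key so the example runs offline with the standard library.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed host table: mnet host id -> wwwroot and the e-mail domain it is
# administratively mapped to (assumption; a real node would read mnet_host).
HOSTS = {
    1: {"wwwroot": "https://moodle.example.org", "domain": "example.org"},
    2: {"wwwroot": "https://moodle.partner.edu", "domain": "partner.edu"},
}
LOCAL_HOST_ID = 1
TICKET_TTL = 60  # seconds a login stub stays valid (assumption)


def guess_origin_host(username):
    """Heuristic from the post: treat an e-mail-shaped username's domain as
    the origin node. Returns a host id, or None when nothing matches."""
    if username.count("@") != 1:
        return None
    domain = username.rsplit("@", 1)[1].lower()
    for hostid, info in HOSTS.items():
        if info["domain"] == domain:
            return hostid
    return None


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_ticket(stub, key):
    """Authenticated login stub, base64(json).base64(hmac); a stand-in for
    the MNET-key-encrypted stub the post describes."""
    body = json.dumps(stub, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def verify_ticket(token, key, now=None):
    """Return the stub if the MAC checks and it has not expired, else None."""
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body = _unb64(body_b64)
        mac = _unb64(mac_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    stub = json.loads(body)
    now = time.time() if now is None else now
    if stub.get("exp", 0) < now:
        return None
    return stub


def build_delegation(username, wantsurl, key, now=None):
    """Steps 2-3 of the post: pick a probable origin host and build the
    redirect to its login/index.php carrying a stub that points back here.
    Returns None when the login should fall through to the local stack."""
    origin = guess_origin_host(username)
    if origin is None or origin == LOCAL_HOST_ID:
        return None
    # Only bounce back to pages on this node: the landing URL arrives in a
    # user-controlled request and must not become an open redirect.
    local = urlsplit(HOSTS[LOCAL_HOST_ID]["wwwroot"])
    target = urlsplit(wantsurl)
    if (target.scheme, target.netloc) != (local.scheme, local.netloc):
        return None
    now = time.time() if now is None else now
    stub = {
        "username": username,
        "origin": origin,
        "landing": LOCAL_HOST_ID,
        "wantsurl": wantsurl,
        "exp": int(now) + TICKET_TTL,
    }
    query = urlencode({"multimnet": make_ticket(stub, key)})
    return HOSTS[origin]["wwwroot"] + "/login/index.php?" + query


def origin_receives(redirect_url, key, now=None):
    """What the origin node does with the redirect: pull the stub out of the
    query string and validate it before showing its own login form."""
    qs = parse_qs(urlsplit(redirect_url).query)
    token = qs.get("multimnet", [None])[0]
    return verify_ticket(token, key, now) if token else None
```

The two checks worth keeping from this model are the expiry inside the authenticated stub and the restriction of `wantsurl` to the local wwwroot; without the second, the delegation step would redirect a user through the origin host to any URL an attacker put in the initial login request.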