SSO across Active Directory forests

by Colleen Romero -

Our client's network has three AD forests - myorg.ac.uk, ad.myorg.ac.uk, students.myorg.ac.uk. Staff accounts are in the staff.ad.myorg.uk domain. Student accounts are in the students.myorg.ac.uk root domain. Moodle runs on Windows Server 2008 / IIS and is a member of the resource.myorg.ac.uk domain. The resource domain trusts the students and staff.ad domains. They are currently running Moodle 1.9, and have modified the LDAP plugin so that two instances are installed for authenticating against the staff and student domains.

The client wants to upgrade to Moodle 2.5 and implement true SSO. Any suggestions as to the best way to go about this?

In reply to Colleen Romero

Re: SSO across Active Directory forests

by Iñaki Arenaza -
Hi,

I've never tried it with several forests, only with several domains in the same forest, so it might or might not work. The trick is using a global catalog server as the LDAP server Moodle uses, and querying the Global Catalog service instead of the LDAP service. See http://docs.moodle.org/26/en/LDAP_authentication#Using_a_multi-domain_AD_environment for some details.

I've never used NTLM SSO with a setup like that, so I can't say whether it'll work or not. To start with, NTLM doesn't work if you have users with the same sAMAccountName in different domains, as it's unable to tell them apart (it doesn't use the domain part at all). You could overcome this using SSPI/Kerberos instead of NTLM, but the setup is a bit more complicated.

A second option worth exploring is using the SAML authentication plugin against ADFS. I've never used it myself, but several people in the forums have talked about its possibilities.

A third option is keeping the same strategy your client is using right now: have several LDAP auth plugins, each querying a different LDAP server. There's a patch to the standard LDAP auth plugin (maintained by me) to do this. I currently have versions of the patch for Moodle 2.2 onwards. I publish new or updated versions from time to time in a forum discussion here at Moodle.org. If you don't find it or don't find the version you need, feel free to send me a private message here on Moodle.org.

Saludos.
Iñaki.
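The two points in the reply above (query the Global Catalog rather than a single domain's LDAP port, and a bare sAMAccountName being ambiguous across domains, which is why NTLM SSO breaks) as an added worked example. This is not Moodle's LDAP plugin code; the directory entries, domain names and the `resolve_login` helper are constructed for illustration.

```python
"""Resolve a login name against Active Directory Global Catalog results.

Added example, not Moodle code. The GC is queried on port 3268 instead of
the per-domain LDAP port 389, so one search covers every domain in the
forest. A bare sAMAccountName (all NTLM provides) can match one account per
domain, so a collision is treated as unresolved instead of taking the first
hit; a userPrincipalName (what Kerberos/SSPI supplies) is unique.
"""
from dataclasses import dataclass
from typing import List, Optional

GC_PORT = 3268          # Global Catalog LDAP port (3269 for GC over TLS)
DOMAIN_LDAP_PORT = 389  # per-domain LDAP port; only sees that domain's partition


def ldap_filter_escape(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def gc_user_filter(login: str) -> str:
    """Build the GC search filter: UPN if the login has '@', else sAMAccountName."""
    attr = 'userPrincipalName' if '@' in login else 'sAMAccountName'
    return '(&(objectClass=user)(%s=%s))' % (attr, ldap_filter_escape(login))


@dataclass
class GCEntry:
    dn: str
    sam_account_name: str
    user_principal_name: str


# Constructed sample GC results: the same bare name exists in two domains.
SAMPLE_GC = [
    GCEntry('CN=J Smith,OU=Staff,DC=staff,DC=ad,DC=myorg,DC=ac,DC=uk',
            'jsmith', 'jsmith@staff.ad.myorg.ac.uk'),
    GCEntry('CN=J Smith,OU=Students,DC=students,DC=myorg,DC=ac,DC=uk',
            'jsmith', 'jsmith@students.myorg.ac.uk'),
    GCEntry('CN=A Jones,OU=Staff,DC=staff,DC=ad,DC=myorg,DC=ac,DC=uk',
            'ajones', 'ajones@staff.ad.myorg.ac.uk'),
]


def resolve_login(login: str, entries: List[GCEntry]) -> Optional[GCEntry]:
    """Return the single matching entry, or None when nothing matches or the
    bare name is ambiguous across domains (the NTLM SSO failure mode)."""
    key = login.lower()
    if '@' in key:
        hits = [e for e in entries if e.user_principal_name.lower() == key]
    else:
        hits = [e for e in entries if e.sam_account_name.lower() == key]
    return hits[0] if len(hits) == 1 else None
```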
In reply to Iñaki Arenaza

Re: SSO across Active Directory forests

by Colleen Romero -

Thanks Iñaki.

Can you please send me a link to your LDAP patch?

Regards

Colleen

In reply to Colleen Romero

Re: SSO across Active Directory forests

by Dave Perry -

If you or your client has Shibboleth experience / an Identity Provider (IdP - think of it as open source ADFS that doesn't require AD, if you're not familiar with it) or is willing to buy it in, then you could use that - it is certainly possible to have that work across multiple AD domains. It's basically a well-documented use of SAML.

You would then need to set something up on the IdP so that it can use Kerberos to do SSO using tokens from the user's desktop. And the Service Provider software on the server(s) running Moodle - I've set up a couple of the SPs, and they are far easier than the IdPs to implement from scratch.
