Single Sign On With Forefront


by Paul Lindgreen -
Number of replies: 7

I would like to enable single sign on so users already signed in with Forefront for authentication do not need to log in to Moodle again.

My current Moodle system uses LDAP for authentication on a Microsoft server.

Has anyone else done this before?  I don't know where to start.

========my environment===========

My environment is Moodle 2.5.4, Windows 2008 Server, IIS 7.5, PHP 5.5, 14 GB memory, 4 CPUs.
MySQL server 5.1 on a separate server (sql1), same specs as above, Windows 2008 64-bit.
Zend Extension Build: API220090626,NTS,VC9
PHP Extension Build: API20090626,NTS,VC9
Thread Safety: disabled
System: Windows NT MOODLE2TEST 6.1 build 7601 (Windows Server 2008 R2 Standard Edition Service Pack 1) i586
Build Date: Aug 15 2012 19:57:50
Compiler: MSVC9 (Visual C++ 2008)
Architecture: x86

In reply to Paul Lindgreen

Re: Single Sign On With Forefront

by Dave Perry -

Our TMG admin managed to make it work, pointing to a test moodle instance. I'll ask if he can dump the settings that he used (no promises).

But we decided Shibboleth was better for us (as it handles our eResources logins, so a win for us) so we're switching to that over summer.

In reply to Dave Perry

Re: Single Sign On With Forefront

by Paul Lindgreen -

Great, would be much appreciated

In reply to Paul Lindgreen

Re: Single Sign On With Forefront

by Dave Perry -

Unfortunately the settings export includes stuff in hex, and we can't be sure there isn't anything confidential or security-related in there. So we're not happy to pass it on.

What he did say was that he set it up like any other website that requires an AD login (I think it was actually based on the rules that publish ProMonitor). So if your TMG admin has something like this they can clone it and then tinker with the authentication part, that's my suggestion.

HTH

In reply to Dave Perry

Re: Single Sign On With Forefront

by Paul Lindgreen -

Maybe a simpler request would be 'What does Forefront need to pass to Moodle and which url do I send it to?'


I'm guessing my Moodle login page needs to redirect to Forefront for authentication, then after entering a username/pwd one of two general messages is sent to Moodle, including some cookies for the Moodle website, which is a subdomain of our main website:

1] Login failed, (stay on forefront login page?)

2] Login succeeded, redirect to Moodle webpage (i.e. login/index.php), pass along username, set cookie(s)


I administer Moodle and someone else administers Forefront; at the moment I don't know what to ask the Forefront admin to pass to Moodle.

In reply to Paul Lindgreen

Re: Single Sign On With Forefront

by Paul Lindgreen -

re: http://sourceforge.net/projects/moodleldapsso/

I see that the old LDAP plugin update POSTs the following parameters:
username=johndoe1&passwd=pass123&email=johndoe1@mail.myschool.edu&firstName=John&lastName=Doe&institution=MySchool&key=sdRYx23xcvFx72xJ..'

I'm guessing that after a successful logon Forefront passes these variables to the Moodle login page to create an account in Moodle.

We create our accounts with daily CSV uploads, so it shouldn't be necessary to send all this information.

What is the minimum information required by the Moodle login page from Forefront (or any other authentication service), i.e. LoggedIn=yes, username=johndoe?

In reply to Paul Lindgreen

NTLM configuration with Forefront

by Paul Lindgreen -

Rather than Forefront passing information to the Moodle login page, could I enable Moodle's NTLM to achieve SSO?

Currently I am in the process of trying this and was wondering if this is the way to go in a Forefront/Windows Server/IIS environment?

In reply to Paul Lindgreen

Re: NTLM configuration with Forefront

by Dave Perry -

I think that's how we had it. I added a link to the siteroot/login/ path on the homepage, then when you clicked that (and had NTLM Enabled = Yes set, and the right subnet mask, e.g. 10.0.0.0/8 if all your desktops' IP addresses start with 10.) Forefront kicked in. I had to adjust the Moodle wwwroot in the config.php file to match what Forefront changed it to (in our case, testmoodle.srv.hull-college.ac.uk) and we had to add this hostname to internal DNS.

Remember to tell IIS to require Windows Authentication on a certain file:
https://docs.moodle.org/24/en/NTLM_authentication (replace /24/ with the moodle version you have, e.g /25/ for moodle 2.5).

HTH
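The IIS side of the NTLM setup Dave describes, as an added example that is not code from the thread or from the Moodle project: it turns on Windows Authentication for the one file Moodle's NTLM SSO flow hits (`auth/ldap/ntlmsso_magic.php`, the file the linked Moodle docs point at), leaves the rest of the site anonymous so the normal login page keeps working, reads back the effective settings, and then checks from a client that IIS actually challenges. The site name, the wwwroot URL and the subnet are placeholders and must match your own IIS site and `$CFG->wwwroot` in config.php; the `Get-AuthState` and `Test-Url` helpers are written for this example and are not Moodle or IIS functions.

```powershell
# Added example (not from the thread or from Moodle): restrict IIS Windows Authentication
# to Moodle's NTLM SSO magic file and verify the result. Run elevated on the IIS host;
# the client check at the end runs from a domain-joined workstation inside the
# subnet configured under Moodle's "NTLM SSO subnet" setting.
Import-Module WebAdministration

$siteName  = 'Default Web Site'                   # assumption: IIS site hosting Moodle
$siteRoot  = "IIS:\Sites\$siteName"
$magicFile = 'auth/ldap/ntlmsso_magic.php'        # file the Moodle NTLM docs say needs Windows auth
$authBase  = 'system.webServer/security/authentication'

# 1. IIS 7.x locks the authentication sections at server level; unlock them so the
#    per-file <location> override below is accepted instead of silently ignored.
foreach ($section in 'anonymousAuthentication', 'windowsAuthentication') {
    Set-WebConfiguration -Filter "/$authBase/$section" -PSPath 'IIS:\' `
        -Metadata overrideMode -Value Allow
}

# 2. Site root stays anonymous: guests, CSV-provisioned users and Moodle's own
#    login form must keep working for anyone outside the NTLM subnet.
Set-WebConfigurationProperty -PSPath $siteRoot -Filter "$authBase/anonymousAuthentication" `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $siteRoot -Filter "$authBase/windowsAuthentication" `
    -Name enabled -Value $false

#    Only the magic file demands a Windows logon; anonymous must be OFF there,
#    otherwise IIS never challenges and Moodle never receives REMOTE_USER.
Set-WebConfigurationProperty -PSPath $siteRoot -Location $magicFile `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $siteRoot -Location $magicFile `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# 3. Read back what IIS will actually enforce for the root and for the file.
function Get-AuthState {
    param([string]$Location = '')
    $anon = Get-WebConfigurationProperty -PSPath $siteRoot -Location $Location `
        -Filter "$authBase/anonymousAuthentication" -Name enabled
    $win  = Get-WebConfigurationProperty -PSPath $siteRoot -Location $Location `
        -Filter "$authBase/windowsAuthentication" -Name enabled
    [pscustomobject]@{ Location = $Location; Anonymous = $anon.Value; Windows = $win.Value }
}
Get-AuthState                         # expect Anonymous=True,  Windows=False
Get-AuthState -Location $magicFile    # expect Anonymous=False, Windows=True

# 4. Client-side check. IIS authenticates before PHP runs, so an anonymous request
#    for the magic file must come back 401 regardless of what Moodle would answer;
#    with the logged-on user's Windows token it must come back anything but 401.
$wwwroot = 'http://testmoodle.example.edu'        # assumption: must equal $CFG->wwwroot
function Test-Url {
    param([string]$Uri, [switch]$WithCredentials)
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -UseDefaultCredentials:$WithCredentials
        return [int]$r.StatusCode
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}
$anonStatus = Test-Url -Uri "$wwwroot/$magicFile"
$authStatus = Test-Url -Uri "$wwwroot/$magicFile" -WithCredentials
Write-Host "Anonymous request      -> HTTP $anonStatus (expected 401)"
Write-Host "Windows-auth request   -> HTTP $authStatus (expected not 401)"
if ($anonStatus -ne 401) { Write-Warning 'IIS is not challenging for Windows auth on the magic file' }
```

Two points worth checking alongside this script. The hostname in `$wwwroot` has to be the one Forefront/TMG publishes and the one in config.php, as Dave notes, or the NTLM redirect lands on a host the browser has no intranet-zone trust for and the user gets a password prompt instead of silent SSO. And the subnet entered in Moodle's NTLM SSO setting is judged on the client address Moodle sees; when TMG or another reverse proxy sits in front of IIS, confirm that address is the real workstation IP and not the proxy's, otherwise the subnet filter either blocks everyone or lets every forwarded request attempt SSO.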