Moodle login after remote authentication

by Jess Portnoy -

Hello all,

I have my own SSO system which I'd like to connect to Moodle.
The flow I am interested in is:
0. user authenticates via SSO
1. user is automatically signed in to Moodle

I have looked into the webservices and was able to use that mechanism for creating a Moodle account, but it's not quite what I want..
Is there a way to use webservices so that, post authentication using my own SSO, a token is passed to Moodle and the user is logged in?

Thanks,

In reply to Jess Portnoy

Re: Moodle login after remote authentication

by Nathan Mcilree -

I am not sure if the Web Services provide authentication services - I did a quick search through the functions under for "auth" or "log" and came back with nothing.

I guess the proper way to do this would be to develop an auth plugin. 

I implemented a slightly more hacky version for the company I work for which I will describe below in case it is of assistance.

Scenario
User logs onto our bespoke web platform. When they click across to MOODLE they are background authenticated at that point (or a new account is created if they do not have a local MOODLE account).

Process

  1. On login to our bespoke web platform cookie is assigned to user (this relies on shared sub domains - but other mechanisms could be substituted).
  2. When a user hits MOODLE config.php checks for this cookie - if present it makes note of page user was trying to go to and forwards user to custom background login page.
  3. Custom login page calls user details via our own web services using cookie as ID.
  4. User is loaded via a common id to both systems (we use id number as the shared field) using the MOODLE function:
    $user = get_complete_user_data('idnumber', $returned_id);
  5. If a result is returned then call MOODLE function
    complete_user_login($user);
  6. Following this the user is forwarded to the original page they were requesting.

This is a replacement for a previous even hackier authentication method where on login to our bespoke system the username would be saved in a database with a guid key and then the user forwarded to a specific MOODLE key which would retrieve the user details from aforementioned database, used to log user into MOODLE, and then return user to bespoke system.


Sorry if kind of off track - but thought there might be a chance it is of use to you.



In reply to Nathan Mcilree

Re: Moodle login after remote authentication

by Jess Portnoy -

Thank you, Nathan. Appreciate your reply. I suppose I will implement something similar. Too bad there's no way to achieve this using the webservices but.. such is life :)

In reply to Jess Portnoy

Re: Moodle login after remote authentication

by Jess Portnoy -

Just to update the thread in case anyone else is interested in a similar solution, what I ended up doing was:

0. use my SSO system to auth

1. use Moodle webservices to check whether a user with the same email as in the SSO system already exists and if not, create a proper user entry in Moodle's own DB

2. redirect to a custom page I created on the Moodle end passing along a nonce param

3. on the custom page, the HTTP_REFERER is checked to verify it matches the SSO system and if not, die() is called

4. the nonce is checked to ensure it's valid and die() is called if not

5.

    // Prohibit login if email belongs to the prohibited domain.
    if ($err = email_is_not_allowed($useremail)) {
        throw new moodle_exception($err, 'auth_kaltura_sso');
    }

    // Look up the local, non-deleted account that has the email from the SSO system.
    $user = $DB->get_record('user', array('email' => $useremail, 'deleted' => 0, 'mnethostid' => $CFG->mnet_localhost_id));

    // get_record() returns false when no row matches; stop instead of logging in.
    if (!$user) {
        die();
    }

    complete_user_login($user);

    // redirect to moodle's index page with:
    header('Location: https://my.moodle.index');
    exit;
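
One possible shape for the nonce passed in step 2 and checked in step 4, as an added example that is not the poster's code and not part of Moodle: the SSO system issues a short-lived, single-use token signed with HMAC-SHA256, and the custom page accepts the email only if the signature, expiry and single-use checks all pass, none of which depend on the Referer header. The function names, the token layout, the shared secret and the in-memory `$seen` store are assumptions made for illustration; the returned email would take the place of `$useremail` in step 5.

```php
<?php
// Added example. Function names, token layout and the shared secret are assumptions.
// Token layout: base64url(JSON payload) . '.' . base64url(HMAC-SHA256 of the payload)

function b64url_encode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $txt) {
    $padded = strtr($txt, '-_', '+/') . str_repeat('=', (4 - strlen($txt) % 4) % 4);
    return base64_decode($padded, true); // false on characters outside the alphabet
}

// SSO side: bind the token to one email, a short lifetime and a random id.
function sso_issue_token(string $email, string $secret, int $ttl = 60): string {
    $payload = json_encode(['email' => $email, 'exp' => time() + $ttl,
                            'jti' => bin2hex(random_bytes(16))]);
    return b64url_encode($payload) . '.' . b64url_encode(hash_hmac('sha256', $payload, $secret, true));
}

// Moodle side: returns the email to log in, or null if the token must be rejected.
// $seen stands in for a persistent store (a DB table or cache) of used token ids.
function sso_verify_token(string $token, string $secret, array &$seen): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) { return null; }
    $payload = b64url_decode($parts[0]);
    $mac = b64url_decode($parts[1]);
    if ($payload === false || $mac === false) { return null; }
    // Constant-time comparison of the expected and received MAC.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret, true), $mac)) { return null; }
    $claims = json_decode($payload, true);
    if (!is_array($claims) || !isset($claims['email'], $claims['exp'], $claims['jti'])) { return null; }
    if (time() > (int) $claims['exp']) { return null; }      // expired
    if (isset($seen[$claims['jti']])) { return null; }       // already used once
    $seen[$claims['jti']] = (int) $claims['exp'];
    return (string) $claims['email'];
}

// Constructed values for a stand-alone run.
$secret = 'constructed-demo-secret-not-for-production';
$seen = [];
$token = sso_issue_token('student@example.org', $secret);
var_dump(sso_verify_token($token, $secret, $seen));        // first use
var_dump(sso_verify_token($token, $secret, $seen));        // replay of the same token
var_dump(sso_verify_token($token . 'x', $secret, $seen));  // altered signature part
```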