Single sign on with Linux and MS Active Directory Authentication (LDAP)


by J Teague -
Number of replies: 4

Does anyone have experience setting up a single sign on for Moodle, with Linux and MS Active Directory Authentication (LDAP) ?

We have 4 front-end servers running on Linux with PHP 5.5.9 and Apache, using Barracuda as our load balancer, which spreads the load over our 4 web servers; the backend of Moodle is running on a Windows server using MySQL v5.5.41.

We are currently running Moodle 2.97 (20160711)

In reply to J Teague

Re: Single sign on with Linux and MS Active Directory Authentication (LDAP)

by Jamie Kramer -

Yes, I know that many organizations use authentication with Active Directory.

I always like to point out some clarifications when talking about single sign on.

First, the Moodle LDAP authentication plugin does not necessarily accommodate true SSO without doing a bunch of extra setup and work. Just basic LDAP authentication works pretty well, where users would use the same username and password, but it is not SSO in the sense that they still have to enter their username and password. If you are fine with users having to enter their LDAP username and password into Moodle, then that is fine (but I don't consider it true SSO).

The Moodle LDAP auth plugin can be used to provide true SSO capability with AD, but in my opinion it is a bunch of extra hard work with varying degrees of success.

I like to recommend using the ADFS (Active Directory Federation Services) component from Microsoft. However, if you aren't already using this and have it set up, it might not be an option. However, if you are using ADFS, you can then use the SAML2 auth plugin to provide true SSO capability to users.

Also, a consideration for LDAP authentication is that many organizations have security policies or prohibitions on allowing external applications to connect to the organization's LDAP/AD services. In order for the Moodle LDAP auth plugin to work, it needs to "talk" to your AD server, and your server/network team usually needs to be OK with this and open firewalls to allow it.

I hope that helps you out!

Jamie


In reply to Jamie Kramer

Re: Single sign on with Linux and MS Active Directory Authentication (LDAP)

by Jamie Kramer -

What I just said there was an awful lot to consume, sorry about that.

The built in Moodle LDAP auth plugin works just fine under these circumstances and caveats:

  • Your network/server/security administrator will "allow" Moodle to connect to AD
    • and they will set up an LDAP Bind user for Moodle to use
  • You are OK if the Moodle LDAP authentication does not provide true SSO, but instead provides the user the ability to use the same username/password as they do for AD. Put another way, the user is not automatically logged in; they have to enter their LDAP username/password in Moodle to log in
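A worked model of the "same sign-on" flow described in the two posts above, added here as an example; it is not code from the thread or from Moodle's auth_ldap plugin. It models the bind-user lookup by sAMAccountName followed by a bind as the user against a constructed in-memory stand-in for Active Directory (the DNs, account names and passwords are made up), so it runs offline, and it shows the two checks a practitioner puts around that flow: RFC 4515 escaping of the username before it is placed in the search filter, and refusing empty passwords before the user bind, because an LDAP simple bind with a DN and an empty password is an unauthenticated bind that AD accepts by default.

```python
"""LDAP "same sign-on" against AD: bind user -> lookup -> user bind.

Added example, not Moodle's auth_ldap code. FAKE_AD is a constructed
stand-in for a domain so the flow runs offline; names are assumptions.
"""

import re

# Constructed stand-in for the AD domain (made-up DNs and credentials).
FAKE_AD = {
    "CN=Moodle Svc,OU=Service,DC=example,DC=org": {
        "sAMAccountName": "svc-moodle", "password": "S3rv1ce!"},
    "CN=Jane Doe,OU=Staff,DC=example,DC=org": {
        "sAMAccountName": "jdoe", "password": "Winter2016"},
}
BIND_DN = "CN=Moodle Svc,OU=Service,DC=example,DC=org"  # dedicated bind user
BIND_PW = "S3rv1ce!"

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username):
    """The AD lookup filter; the username is escaped, never interpolated raw."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)


def fake_simple_bind(dn, password):
    """Mimics simple bind on AD with default settings: a known DN with an
    empty password is an *unauthenticated* bind and succeeds."""
    entry = FAKE_AD.get(dn)
    if entry is None:
        return False
    return password == "" or password == entry["password"]


def _token_to_regex(tok):
    if tok == "*":
        return ".*"                                    # bare '*' is a wildcard
    if tok.startswith("\\"):
        return re.escape(chr(int(tok[1:], 16)))        # escaped byte is literal
    return re.escape(tok)


def fake_search(ldap_filter):
    """Tiny matcher for the single filter shape this example emits. It honours
    LDAP wildcard semantics so an unescaped '*' shows the injection risk."""
    m = re.fullmatch(r"\(&\(objectClass=user\)\(sAMAccountName=([^()]*)\)\)", ldap_filter)
    if m is None:
        return []                                      # malformed filter: no hits
    tokens = re.findall(r"\\[0-9a-fA-F]{2}|\*|.", m.group(1))
    pattern = "".join(_token_to_regex(t) for t in tokens)
    return [dn for dn, e in FAKE_AD.items() if re.fullmatch(pattern, e["sAMAccountName"])]


def authenticate(username, password):
    """Bind as the service account, find the user, bind as the user.
    Returns the user's DN on success, None on any failure."""
    if not username or not password.strip():
        return None                                    # never bind with an empty password
    if not fake_simple_bind(BIND_DN, BIND_PW):
        return None                                    # bind user wrong, or AD unreachable
    hits = fake_search(build_user_filter(username))
    if len(hits) != 1:
        return None                                    # unknown user, or ambiguous lookup
    return hits[0] if fake_simple_bind(hits[0], password) else None


if __name__ == "__main__":
    print(authenticate("jdoe", "Winter2016"))          # the user's DN
    print(authenticate("jdoe", ""))                    # None: empty password refused
    print(len(fake_search("(&(objectClass=user)(sAMAccountName=*))")))  # raw '*' matches all
    print(fake_search(build_user_filter("*")))         # escaped '*' matches nobody
```

In a real deployment the same two guards apply whichever LDAP library Moodle's PHP uses, and the bind user should be a least-privilege account that can only read the user OUs, reached over LDAPS or StartTLS through the firewall opening Jamie mentions.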
In reply to Jamie Kramer

Re: Single sign on with Linux and MS Active Directory Authentication (LDAP)

by Mark Little -

Hi,

Thanks for your response. We did have SSO working on our previous installation, which was configured to work with Windows IIS, but then we moved to Linux and Apache due to speed issues, and we also went from Moodle 1.9 to 2.97.

Unfortunately we have never used ADFS, so I am not sure how you would install this and get it working with Moodle and our systems.

I did try to turn on SSO this week on our test server which is an exact copy of our production server, but we got an error when trying to log back into the Moodle system so it was not working. So we had to roll it back to a previous version before I turned it on.

We already have our system using LDAP and Active Directory, and this works pretty well using sAMAccountName.

Other systems in our network already use SSO in IE, but they all use Windows IIS, not Linux and Apache.

Would there be any documentation on how to get ADFS to work with Moodle?

Thanks

Mark


In reply to Mark Little

Re: Single sign on with Linux and MS Active Directory Authentication (LDAP)

by Olumuyiwa Taiwo -

When most people talk about "SSO with Windows AD", they usually mean NTLM (or "pass-through") authentication. But as Jamie said, this is only true SSO for PCs on the same network as the AD server, and in scenarios where the Moodle (Linux) server is a member of the AD forest. For others, it is "same sign on", in the sense that they use their AD username and password, but don't do "pass-through" authentication.

You can find documentation on how to configure NTLM authentication with Moodle at https://docs.moodle.org/33/en/NTLM_authentication#How_to_Turn_Integrated_Authentication_on.

To get SSO working with ADFS and Moodle, you'll need a SAML authentication plugin (https://moodle.org/plugins/?q=saml%20type:auth). Information on how to actually get it working is available at these links -- https://groups.google.com/forum/?fromgroups=#!topic/simplesamlphp/I8IiDpeKSvY and http://download.microsoft.com/download%2F8%2F8%2F3%2F883C0889-72A8-4766-8D07-4BF2F048BE36%2FMoodleAndOffice365WithADFS.pdf
