How to do SSO with Moodle to another Application (non - Moodle)

by Sunny Adhatrao -
Number of replies: 11
Hi,

I want to integrate SSO from another application to Moodle 3.8.1.

We need to display the list of Moodle courses in which a particular user is enrolled (this should be displayed in the other application).

When the user wants to view any course, he/she will click on that link (from the other application) and should be able to view the course in Moodle without entering his/her credentials again.

"Other application" means one which doesn't include Moodle, and it is viewed in a web browser as well as in a mobile app.

In reply to Sunny Adhatrao

Re: How to do SSO with Moodle to another Application (non - Moodle)

by Howard Miller -
Firstly, do you *really* need SSO? Will authenticating against the same source (e.g. LDAP) not be good enough?

Failing that, then it depends on the other application and how much effort/expense you want to put into this. Unless there's an existing integration (that supports SSO) for that application then it's probably going to be painful.
In reply to Howard Miller

Re: How to do SSO with Moodle to another Application (non - Moodle)

by Mark Johnson -
Further to Howard's point, as well as authenticating from the same source, it's common to use an Identity Provider (IdP) that supports a standard authentication protocol such as SAML or OpenID Connect. This way your "Single Sign-On" is with the IdP, and your apps check that you're logged in there before logging you in automatically. Moodle supports both of these protocols via auth plugins, you will need to look at what your other system supports.

In reply to Howard Miller

Re: How to do SSO with Moodle to another Application (non - Moodle)

by Sunny Adhatrao -
Hi Howard and Mark,

Until now we have been authenticating users through an API provided by the other application.

How it works in Moodle: when a user hits the course URL from the other application, the user gets redirected to Moodle in the browser, then Moodle checks through that API; if the user is new, it inserts the data in the database (new login creation). If the user is old, he/she just has to log in (enter credentials again).


Attachment SSO.png
In reply to Sunny Adhatrao

Re: How to do SSO with Moodle to another Application (non - Moodle)

by Howard Miller -
This sounds like a custom solution - nothing wrong with that.
In reply to Howard Miller

Re: How to do SSO with Moodle to another Application (non - Moodle)

by Sunny Adhatrao -
Hi Howard,

Yes, it's a custom solution, but now they need SSO.
How should I implement it?
In reply to Sunny Adhatrao

Re: How to do SSO with Moodle to another Application (non - Moodle)

by Mark Johnson -
If you want them to be automatically logged in to Moodle if the same user is already logged in to the other application, you'll have to implement some API Moodle can call to find out if the user is logged in, so it can log the user in. The most secure way to do this would be to implement an existing authentication protocol like the ones we have mentioned above, effectively making this other application the IdP, unless you are very confident you could do this securely yourself.

Average of ratings: Useful (1)
In reply to Mark Johnson

Re: How to do SSO with Moodle to another Application (non - Moodle)

by Sunny Adhatrao -
Hi Mark,

Actually, we have tried with a custom "Create user token" API:
username: abc
password: Abc@123

When we are creating a token through the API:

http://localhost/abc/local/auth_service.php?username=abc&password=Abc@123&service=mobile_web_service
Key Value
username abc
password Abc@123
servicename mobile_web_service

The above username and password are from the third-party API; but as per the policies of the third-party API, they don't want to store their password in the Moodle database, so we are only inserting all details except the password.


http://localhost/abc/local/auth_service.php?username=abc&password=Abc@123&service=mobile_web_service
Key Value
username abc
password
servicename mobile_web_service
But now the password field is blank, and because of that we are not able to create a token for a specific user.

Validation in Moodle for third party users:

1. We prepare the request data: username, password (hashed password), SourceID and IP address, and we encode this in base64
2. API URL (third-party API URL)
3. Create a cURL handle
4. Set up the request to send JSON via POST
5. Execute the POST request
6. Receive the response through cURL
7. Decode the response and put it into an array
8. If the user already exists, just log him in
9. If the user is new in Moodle, then enter the data which we are getting through the response array, like: username, email, first name, last name (the password is not present in the response array).

Is there any process to create a token without a password, or any way for a user who is logged into the external app to go directly into Moodle without the Moodle login page (to avoid them logging in again with the same credentials)?
In reply to Sunny Adhatrao

Re: How to do SSO with Moodle to another Application (non - Moodle)

by Mark Johnson -
Rather than having Moodle log into the other system (IdP) with a username & password, you need a way for Moodle to ask the IdP "Is this user already logged in?" and then log them in to Moodle if they are. Usually this happens by redirecting the user to the IdP in the browser rather than a CURL request between the servers, so the IdP can read the user's cookies to determine whether they are logged in. Again, I will stress that there are already established standards for doing this securely, and it's not a good idea to try and reinvent this process yourself.

Average of ratings: Useful (1)
In reply to Mark Johnson

Re: How to do SSO with Moodle to another Application (non - Moodle)

by Sunny Adhatrao -
Hi Mark,

I have checked some plugins in Moodle in which users get logged in to Moodle first and then into the external app.
I have also checked SAML2, configuring Mini Orange. It works like this: external login, then broker, then Moodle, and vice versa.
In SAML2, I have seen that Mini Orange checks the credentials in the Moodle database; if they match, then it logs the user in. But in our system we are not saving passwords in the Moodle database. (Passwords are already saved in the third-party API.)
Just to inform you, our system is already developed, meaning 300 third-party users have already logged in via two login pages, i.e.
the external app and the Moodle login page.
Now we want an SSO implementation for those who have already logged in to Moodle and for those who are new users in Moodle.

Attachment image.png
In reply to Sunny Adhatrao

Re: How to do SSO with Moodle to another Application (non - Moodle)

by Mark Johnson -
The example in this diagram is using Moodle as an IdP, which would require credentials to be stored in Moodle. If that's not what you want, then that's not a suitable solution for you.

I have no experience with Mini Orange so I cannot offer any advice there. However from Moodle's point of view there exists auth_saml2 and auth_oidc which authenticate against external IdPs. When a user configured to authenticate with those plugins attempts to access Moodle, they are redirected to the IdP, prompted to log in if they aren't already, then redirected back to Moodle and logged in. Moodle does not store the password in this scenario.

Average of ratings: Useful (1)
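The redirect-based flow Mark describes in the two replies above (Moodle sends the browser to the IdP, the IdP reads its own session cookie, and Moodle gets back a signed assertion instead of a password) can be modelled end to end in a few dozen lines. The block below is an added example written for this thread; it is not Moodle, auth_oidc or auth_saml2 code, and every name and value in it (the shared secret, the issuer URL, the client id, the user "abc") is an assumption. To stay stand-alone it signs the ID token with HMAC-SHA256 under a shared secret; real OpenID Connect deployments use asymmetric keys published via JWKS, but the checks the service provider performs (signature, issuer, audience, expiry, nonce, one-shot state) are the same ones the plugins do on Moodle's behalf.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed values for this constructed example; none of them come from the thread.
SHARED_SECRET = b"constructed-shared-secret"  # in practice provisioned out of band
IDP_ISSUER = "https://external-app.example/"  # placeholder identifier of the external app
SP_CLIENT_ID = "moodle-sp"                    # placeholder client id registered for Moodle


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The external application. It alone holds password hashes and browser
    sessions; the service provider only ever receives a signed assertion."""

    def __init__(self):
        salt = secrets.token_bytes(16)  # constructed user "abc" with a salted PBKDF2 hash
        self.users = {"abc": (salt, hashlib.pbkdf2_hmac("sha256", b"Abc@123", salt, 100_000))}
        self.sessions = {}  # browser cookie -> username

    def login(self, username, password):
        """The only place a password is ever checked."""
        salt, expected = self.users[username]
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(got, expected):
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = username
        return cookie

    def authorize(self, cookie, client_id, nonce):
        """Reached by a browser redirect from the SP. Returns a signed ID token if
        the browser carries a live session, or None, meaning 'show the login page'."""
        username = self.sessions.get(cookie)
        if username is None or client_id != SP_CLIENT_ID:
            return None
        now = int(time.time())
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": IDP_ISSUER, "aud": client_id, "sub": username,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
        sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)


class ServiceProvider:
    """Moodle's side of the flow: start the redirect with fresh state and nonce,
    then validate everything about the returned token before trusting 'sub'."""

    def __init__(self):
        self.pending = {}  # state -> nonce; each entry is consumed exactly once

    def begin_login(self):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return {"client_id": SP_CLIENT_ID, "state": state, "nonce": nonce}

    def finish_login(self, state, id_token):
        nonce = self.pending.pop(state, None)
        if nonce is None:
            raise PermissionError("unknown or reused state")
        parts = id_token.split(".")
        if len(parts) != 3:
            raise PermissionError("malformed token")
        head, payload, sig = parts
        if json.loads(_unb64url(head)).get("alg") != "HS256":
            raise PermissionError("unexpected alg")  # never let the token choose the algorithm
        expected = hmac.new(SHARED_SECRET, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(_unb64url(payload))
        if claims.get("iss") != IDP_ISSUER or claims.get("aud") != SP_CLIENT_ID:
            raise PermissionError("wrong issuer or audience")
        if claims.get("exp", 0) < time.time():
            raise PermissionError("token expired")
        if claims.get("nonce") != nonce:
            raise PermissionError("nonce mismatch")
        return claims["sub"]  # here Moodle would look up or create the local user


def sso_round_trip():
    """User authenticates once at the external app, then reaches Moodle with no prompt."""
    idp, sp = IdentityProvider(), ServiceProvider()
    cookie = idp.login("abc", "Abc@123")  # happens in the external app, not in Moodle
    req = sp.begin_login()                 # Moodle redirects the browser to the IdP
    token = idp.authorize(cookie, req["client_id"], req["nonce"])
    return sp.finish_login(req["state"], token)


def altered_token_outcome():
    """Show that changing 'sub' in transit is caught by the signature check."""
    idp, sp = IdentityProvider(), ServiceProvider()
    req = sp.begin_login()
    token = idp.authorize(idp.login("abc", "Abc@123"), req["client_id"], req["nonce"])
    head, payload, sig = token.split(".")
    claims = json.loads(_unb64url(payload))
    claims["sub"] = "someone-else"
    altered = head + "." + _b64url(json.dumps(claims).encode()) + "." + sig
    try:
        sp.finish_login(req["state"], altered)
    except PermissionError as err:
        return str(err)
    return "accepted"
```

Two points the model makes concrete for the situation in this thread: the password hash lives only in the IdP's `users` table, so Moodle never needs the third-party password to mint a session, and a browser that arrives at `authorize` without a session cookie gets `None`, which is exactly the "prompt to log in if they aren't already" branch of the plugin flow. The `altered_token_outcome` helper returns `"bad signature"`, illustrating why the assertion, not a server-to-server lookup, is what Moodle should trust.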