
SSO to a specific page

by Kieran Briggs.  

Hi All,  Hope you can help.

I'm running on version 3.5.4 using SAML2 for authentication.  What I'm trying to do is get a user to click a link on our main website which takes them to a course page with auto enrol turned on.  If they have already signed into Moodle it works fine, but if it is the first time that they have logged into Moodle, SAML2 pulls across their details, sets up their account but takes them to their profile page.

Is there a way I can stop this happening so that it creates the account and then just sends them straight to the course that was linked to?

Thanks

Kieran


Using Multiple Authentication Methods

by Kieran Briggs.  

Hi, 

I'm on Moodle 3.5.4 and currently using SAML2 for Single Sign-on.  We currently have all our user details stored on a PostgreSQL database.  What I'm wondering is, if I can use the external database authentication plugin to bring over the users and keep them in sync, can I still use SAML2 for single sign-on also, as it refers to the same database?

Thanks

Kieran

Re: User not available on this site LDAP Moodle 3.8 Error ID 5???

by Malcolm Beasley.  

So of course it's solved, checking the prevent account creation when authenticating to yes.
authpreventaccountcreation
Default: No
When a user authenticates, an account on the site is automatically created if it doesn't yet exist. If an external database, such as LDAP, is used for authentication, but you wish to restrict access to the site to users with an existing account only, then this option should be enabled. New accounts will need to be created manually or via the upload users feature. Note that this setting doesn't apply to MNet authentication.

I was so worried about corrupting the AD, when integrating Office365, that anything with the words external database or LDAP I said no and went with default (after years of it working fine in a configuration I set up!!)  
Of course as I drilled into it, all a flutter,  ---  did I scroll past ldap or openidconnect and read under all the authentication options??? 
I, of course did not. 
A simple solution and I am kicking myself - it took a fresh pair of eyes from a non-Moodle person to see it.
It is a salient lesson that the more sophisticated we get with the innards of this project, the more forest we see, the simpler trees often hide in plain view.
If you have read this and had a laugh please respond, I guess we are feeling all a bit isolated and hugely responsible for others at the moment.

Re: Shibboleth Suddenly Stops Working

by Leon Stringer.  

In my Shibboleth experience "suddenly stopped working" often means metadata expiry, so the first thing I'd check is that the identity provider (IdP) has the current metadata for the service provider (SP), i.e. Moodle in this case.

The logging output appears to be the IdP complaining that it can't match an SP AssertionConsumerService URL with that listed in the SP's metadata.

I'm guessing something like this is happening:

  1. The unauthenticated user goes to Moodle and tries to log in.
  2. Moodle redirects the user to the IdP for authentication.
  3. The IdP authenticates the user.
  4. The IdP then wants to send user information to the SP via the URL that the SP provided in step 2. But the IdP can't match this URL to any it knows about so the process fails.

2020-04-16 16:59:59,177 - WARN [net.shibboleth.idp.profile.saml.impl.PopulateBindingAndEndpointContexts:410] - Profile Action PopulateBindingAndEndpointContexts: Unable to resolve outbound message endpoint for relying party 'https://engage.elearning.sruc.ac.uk': EndpointCriterion [type={urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService, Binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, Location=https://engage.elearning.sruc.ac.uk/Shibboleth.sso/SAML2/POST, trusted=false]

So I'd 1) check the SP's metadata making sure this lists an exactly matching AssertionConsumerService element, both the URL ("https://engage.elearning.sruc.ac.uk/Shibboleth.sso/SAML2/POST") and the binding ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST") must match, and 2) check the IdP has a current copy of the SP's metadata which contains this AssertionConsumerService.

Google OAuth2 Services - error/moodle/Could not discover end points for identity issuerGoogle

by Premjith KK.  

Hi,

I installed Moodle 3.8 in a subdomain, and configured Google OAuth2 services.
In the Moodle OAuth2 services page, after entering the "Client ID and Client Secret", I am getting this error:

"error/moodle/Could not discover endpoints for identity issuerGoogle"

How to fix this issue? 






Re: Google OAuth2 Services - error/moodle/Could not discover end points for identity issuerGoogle

by Ken Task.  

Maybe somewhere in:

https://developers.google.com/identity/protocols/oauth2/web-server

I usually set up an account in Google as a service account and also include scopes for Google Drive, even if the site doesn't use Google Drive as a file system repo.

Plus on the Google end, set up all 3 tabs - credentials, Oauth consent screen, and Domain verification which includes a static termsofservice.html page on my server as well as a privacypolicies.html page.

https://docs.moodle.org/38/en/OAuth_2_Google_service

'SoS', Ken

Re: How can I hide a course category to unauthenticated users

by Alex B.  

Hi Chris,

Thanks for this.

I posted the same question in the other thread as well. I thought maybe there are people that will go in here and find this useful.

https://moodle.org/mod/forum/discuss.php?d=350518#p1619398

I've seen that category:viewcourselist is available in Moodle 3.7+

I have a Moodle 3.6... and it doesn't have this category, unfortunately.

I've done some workarounds, and that is the one with the hiding, what Debbie was saying. Yet, sometimes in Site Administration works to allow role in the permissions, sometimes it doesn't. 

But, the concern is, that through the Search functionality, the users from let's say Product A can still see all the courses from any other Product (B,C,D..). Even though if they are not enrolled and they cannot enroll, they can still see the courses in the search results, which is not too good.


I was thinking maybe upgrading to the latest version of Moodle would help now that I've seen this category:viewcourselist.


One question please - for Moodle 3.7 or 3.8, when you use this category:viewcourselist for a specific user role, I understood that you can show only specific categories of courses as you assign them. But when you are logged in with a user from Product A  and you click on the Search field from the front page and you type in let's say "a" for search, will the search results display only the courses that contain the letter 'a' from the Product A  category? Or will it display all the courses from other categories too, those that the user is not enrolled in? 


Is this something that someone could test in their Moodle please?

At my end, to upgrade to later versions of Moodle, I need to upgrade my PHP as well on the server (version 7.1.0 is required and you are running 7.0.33.14.18.04.1.1). and not sure of the implications, if I want to revert back to Moodle 3.6 if it will still work and so on...


Many thanks

Alex

Re: Using Multiple Authentication Methods

by Leon Stringer.  

I think this is what the Allowed any auth type setting allows, i.e. you could have External Database users which could be synced by the auth_db plugin but be authenticated by auth_saml2.

auth_saml2 setting: Allowed any auth type

I don't have an environment to hand to test this would definitely work but the process could be something like:

  1. Set up External Database authentication to the PostgreSQL database.
  2. Migrate the SAML2 users in Moodle to be External Database users, e.g. using CSV upload to bulk-change the auth type.
  3. Enable the External Database scheduled task to synchronise user details.
  4. Change Allowed any auth type to "Yes" for the SAML2 plugin.
  5. Try logging into Moodle with SAML as one of the users that have been migrated to auth="db".

Hopefully you'll have a test site so you can test this process out and see if it works.


Re: Using Multiple Authentication Methods

by Kieran Briggs.  

Cheers Leon. I'll give this a try. I missed that list box as I was setting the SAML up.

ldap Authentication

by rob coles.  

Evening, 

We've been using Moodle for years with ldap authentication and working wonderfully,

However we'd like to be able to log in with both username & email address but can't see any way of doing it, both are mapped in LDAP.

We're constantly getting "can't login" because they tried logging in with email address rather than SAM account name.

Using Moodle 3.8.1+ 

Any ideas?


Many thanks


Rob


Re: ldap Authentication

by Emma Richardson.  

I have been able to have them log in with their email address...is the email showing in their moodle profile?  Is it possible that you have multiple accounts with the same email?

Re: ldap Authentication

by rob coles.  

Email is showing in profile, which is picked up via LDAP


Can be done with manual or web registrations 

Re: ldap Authentication

by Iñaki Arenaza.  

Assuming you have "Allow log in via email" already enabled, it should work as long as the user already exists in Moodle and she has the email address already filled in. In other words, either the user has already logged in at least once using their username (and synced her email address from LDAP), or you have run the LDAP sync task and created the user (and synced her email address).

If the user doesn't already exist in Moodle and has the email address already filled in, Moodle can't link the email address to the username and can't perform the authentication successfully (the username field is what's really needed to perform the authentication)

I just set up Moodle with OpenLDAP to test it, and as long as you fulfil the above condition, it works as expected.

Saludos.

Iñaki.

Re: ldap Authentication

by rob coles.  

I cleared ldap settings and tried again and for some reason works perfectly.

Can't really see any settings I've missed.

Thank you all for your support.

Regards

Rob

Re: Google OAuth2 Services - error/moodle/Could not discover end points for identity issuerGoogle

by Premjith KK.  

Hi Ken, 

Thanks for your reply.

I added the below details in OAuth2 services -> "Endpoints for issuer section: Google" section and restarted the server.

Issue solved.  


discovery_endpoint: https://accounts.google.com/.well-known/openid-configuration
authorization_endpoint: https://accounts.google.com/o/oauth2/v2/auth
device_authorization_endpoint: https://oauth2.googleapis.com/device/code
token_endpoint: https://oauth2.googleapis.com/token
userinfo_endpoint: https://openidconnect.googleapis.com/v1/userinfo
revocation_endpoint: https://oauth2.googleapis.com/revoke



Re: MS AD and switching from LDAP to LDAPS

by Mak Darko.  

Hello, I have the same problem. "TLS_REQCERT never" works, but I would like to use the certificate with "TLS_REQCERT demand".

With verification I also get:
Verify return code: 0 (ok)

Extended master secret: yes

---

read:errno=104

I have this in my ldap.conf:
TLS_CACERT /etc/ssl/certs/ca.pem
TLS_CACERTDIR /etc/ssl/certs

But when I try to log in I still get:
LDAP-module cannot connect to any servers: Server: 'ldaps://server:3269', Connection: 'Resource id #14', Bind result: ''

Any idea how to get this to work? And is there any downfall with using "TLS_REQCERT never"? It's a shame since I have a working (so it seems) .pem file.

Re: How can I hide a course category to unauthenticated users

by Alex B.  

I managed to upgrade to Moodle 3.8.2 and that functionality works OK, much easier to do things.... And in Moodle 3.8.2 the search works just fine, it won't show the courses that are not supposed to be seen anymore, just the courses from the categories where a user is assigned to. Yay.

Data mapping (Department)

by Stefanos Balampos.  

Hello,

All users in AD are associated with a specific department under the Organization tab. I see that it is not "copied" in Moodle in the Optional Department field.

In Moodle, the settings are:

1) Data Mapping (Department): department

2) Update Local (Department): On creation

Is there something else I can do?

Thank you.

how extend signup form.php?

by Claudio Curci.  

Hello,
I should set as mandatory the "city" field of the user registration form.

I should add this line
$mform->addRule('city', 'Insert your city', 'required', null, 'client');
to the file
/login/signup_form.php

Is there any way to extend this class ("login_signup_form") without modifying the original file (which will then be overwritten with Moodle updates)?
Thanks!

Re: Data mapping (Department)

by Emma Richardson.  

Are these existing users? Try changing Update local to On Every Login and see if that helps...the field mapping looks right...