Authentication in Moodle

By July 17, 2017Blog
Authentication in Moodle - Blog Banner

Most people who have used and managed Moodle know that it can handle user creation and passwords internally or externally through different authentication types. However, many are not aware of the various other options that can be used with Moodle to allow users to access the system.

In this post, we’ll take a dive into some of our clients’ favorite options for authentication, both standard and extended, what it takes to get them to work, and the pros and cons of each system.

LDAP Authentication (including Active Directory and OpenLDAP)

This is by far our most popular authentication type.  Lightweight Directory Access Protocol (LDAP) compatible directories have been around for well over 20 years and are already deployed in most schools and businesses.  Since LDAP is part of Moodle core and most IT professionals know their LDAP system setups well, it makes for an easy setup and configuration in Moodle.  Another added benefit is the ability not only to authenticate users, but also pre-populate them into the system.  This allows for users to be enrolled into classes well before they have ever logged into the system.

The biggest drawback to using LDAP is when your Moodle server does not sit on the same network as your LDAP server as you do not want to send usernames and passwords in the clear over the internet.  To deal with this, you have two options.  You can either configure a VPN tunnel between the two networks or you can configure LDAP traffic to use SSL (LDAPS) to encrypt the LDAP traffic between the two sites.

 SAML-based Single Sign On (including ADFS, Okta, Shibboleth, Sailpoint IdenityNow, etc.)

While Single Sign On (SSO) technologies have been around for some time, we are finding more and more clients who want to implement SSO within Moodle.  This allows our clients to standardize access to all their services, give end users the same look and feel, and allow users to switch between applications without having to login again and again.

Security Assertion Markup Language (SAML) compliant systems are becoming the leading favorite for SSO amongst our clients. Luckily, there are a few plugins available to make this possible within Moodle.  One of our favorites is SAML2 Single Sign On.  This plugin contains all the needed SAML functionality right in the plugin without any need to install extra services beside your Moodle installation.

While the user experience is much better with SSO, the initial configuration between Moodle and the different SSO systems can take some configuration on the back end of both systems to make them ‘talk’.  A potential downside is that SAML-based systems are used for authentication only and Moodle can only create users as they login.  Therefore, if clients need to pre-populate users for enrollments, it will require the use of another system (LDAP, External Database, etc.) or the uploading of users in Moodle via flat file.

 OAuth2 based Single Sign On (including Google, Facebook, LinkedIn, and o365)

For those Moodlers who are looking to get an SSO up and running without a ton of resources, especially those already running Google gSuite or o365, configuring OAuth2 on your site is a quick solution to get your users logged into Moodle with SSO functionality without breaking the bank.  It’s also a great way to allow users outside of your organization to create an account in Moodle with their own Google/Facebook/LinkedIn/etc. account to have classes available without having to manage users and passwords via Self-Registration. Prior to Moodle 3.3, this was best handled using the OAuth2 plugin. (You can find more information on how to configure the plugin here.)

Beginning in Moodle 3.3, OAuth2 authentication is now supported within core Moodle. While still under development, enabling OAuth2 within Moodle 3.3 and future versions also adds the ability to integrate other services that support OAuth2 access into Moodle more seamlessly including Google Apps, o365, Dropbox, etc., and we expect to see more and more clients moving towards oAuth2 in the near future.

 Web Services User Key API Pass-through

If you have ever wanted to ‘pass’ a user into Moodle from another system you have built (be it a homegrown sales system, course catalog, or user management portal) without having to login to Moodle separately, then the User Key Authentication plugin is for you.

Building on top of Moodle’s Web Services API, this plugin will allow a developer the ability to authenticate a user into Moodle and then direct them into the site without the user ever knowing they have logged in.  It allows for a seamless integration between systems from the user experience, while allowing a developer to use the Moodle Web API to create a user, enroll them, and then use the User Key Authentication plugin to log them into Moodle.

 

These are just a few of the many authentication types available in Moodle.  If you need more help with authentication in Moodle, the pros here at eThink would love to talk with you!

Request a Demo