This document describes how to configure the Lambda Single Sign On (SSO) plugin to achieve single sign-on between your primary application (portal) and Moodle/Totara. By following all the described steps, you should have SSO working between the two systems.
Objective: to configure the Lambda SSO plugin so that when a user logs into the primary application (portal), they are automatically logged into Moodle/Totara.
The plugin relies on a cookie set by the primary application. Normally the cookie holds a unique user identifier that both systems share (for example, the user's idnumber field). When the primary application sets this cookie, Moodle reads the identifier from it and logs in the Moodle user whose matching profile field holds that value.
Summary of the Steps
Once the plugin is installed, the high-level steps to achieve the objective are to configure the plugin settings (Section 1) and then to test the SSO (Section 2).
This article will also expand upon Best Practices and Common Mistakes.
Prerequisites:
- Moodle and the primary application that you want to integrate with SSO are on the same domain
- You are able to create a cookie containing the user id of the user who successfully authenticated into the primary application
- Primary application users have a unique user id, which is entered in the corresponding Moodle users' profile field (username, email or idnumber)
Section 1: Configure the settings page
For SSO to work, the plugin must be enabled and configured correctly.
Navigate to Site Administration > Plugins > Authentication > Manage Authentication.
Find Lambda SSO Authentication in the list and enable it (unless already enabled) by clicking the eye icon.
Once enabled, click the Settings link to configure the plugin settings.
Return URL: enter the URL to which Moodle users should be redirected, such as the primary system's login page, when they are not logged in and try to access a page that requires login. Use this if you want a single central login point for all users. If left blank, the Moodle login page is presented by default.
Add redirect URL: if set to "Yes", users who try to access a Moodle page that requires login are redirected to the login page entered in "Return URL" and, upon successful login, are taken back to the Moodle page they initially tried to access.
If set to "No", users are not returned to the Moodle page they initially tried to access after logging in.
Logout URL: enter the URL to which Moodle users should be redirected when they log out of Moodle. If left blank, the Moodle logout page is presented by default.
When developing the authentication capability in the primary application, you must create a cookie containing the user id of the user who has authenticated into that system. This id must be unique in both the primary application and Moodle. The Moodle profile fields that can be matched against the primary application's user id are username, email and idnumber.
Moodle and the primary application must be on the same domain (the cookie domain configured below must cover both hosts) for SSO to work.
Because the plugin logs in whichever user the cookie names, treat the cookie as a credential: set it only after a successful login, send it only over HTTPS (Secure flag) and, where the primary application can, use the cookie encryption and decryption API options described below so that the user id is not stored in the cookie in plain text.
Cookie name: enter the name of the cookie that stores the user's id.
Cookie path: enter the cookie path (as set when the cookie is created).
Cookie domain: enter the domain shared by Moodle and the primary application (as set when the cookie is created).
Remove cookie on log out: if set to "Yes", the cookie is destroyed when the user logs out of Moodle, which also logs the user out of the primary application if authentication there depends on the cookie. If set to "No", the cookie is preserved.
Use API for cookie content decryption: if the primary system encrypts the user's id inside the cookie for security purposes, enter the URL of the decryption API endpoint here. Moodle calls it to turn the cookie value back into the user id.
Cookie API attribute: enter the attribute or parameter of the decryption API specified above that returns the decrypted user id value.
Process API response: if the API returns an XML response rather than the id string itself, set this to "Yes"; otherwise set it to "No".
User Validation Options
User validation checking criteria: choose from the dropdown the Moodle profile field (username, email or idnumber) against which the user id from the primary application is matched. The chosen field must be unique per user, otherwise the plugin cannot tell which account to log in.
Authentication methods: if a method is selected, SSO works only for users whose profile has that authentication method. If "Choose..." is selected, SSO works for all users regardless of their authentication method.
Section 2. Test SSO
Log into your primary application and click a link that leads to a Moodle page requiring authentication. You should be authenticated in Moodle automatically and the page should load.
If the primary application has not yet been set up for authentication or cookie creation, you can test the plugin by creating the cookie manually.
Using Firebug (or any other browser developer tool), create a cookie with the name, domain and path specified in the SSO settings and, as its value, the user id of an existing Moodle user (if the decryption API is configured, the value must instead be one the API can decrypt). Then load a Moodle page that requires login. Delete the test cookie when you are done, since it logs in that user on every request.