Posted by tkrajcar on January 7, 2011 at 10:59pm
Hi all,
Looking for some ideas on the right solution here. We are building several Drupal sites with a common user audience. These users also will be accessing Moodle content via hyperlinks from Drupal (i.e. we are not directly integrating Drupal and Moodle).
Looking for a centralized authentication server implementation that can:
- protect both Drupal and Moodle sites
- support true single sign-on (i.e. no re-prompting for credentials when users go from one Drupal site to another, or from Drupal to Moodle, or from Moodle to Drupal)
- use LDAP (against MS Active Directory) as a primary authentication source, but also be able to work with a legacy system (i.e. we would regularly export usernames/passwords out of the legacy system and presumably import them somewhere else where the auth server could see them)
pubcookie seems the closest to what I'm looking for, but does not appear to support multiple authentication sources (or 'verifiers' in pubcookie parlance).
Other systems like CAS, Shibboleth, OpenSSO, etc. seem like they might fit the need but also seem quite a bit more complex to set up than would be ideal :-)
Thoughts?
Comments
We use Co-sign at our
We use Co-sign at our university, which is probably a bit more complicated to set up (I don't know specifically, we just tap into it and auto-create Drupal accounts off of it). http://drupal.org/project/sso is what I've used for consulting projects. Never used it to tap Moodle, but that can at least do SSO across Drupal instances. OpenID is probably supported by both, any desire to go that route?
Ex Uno Plures
http://elmsln.org/
http://btopro.com/
http://drupal.psu.edu/
Integrating Moodle
See http://docs.moodle.org/en/Integration_FAQ for some pointers from the other side ;-)
hth
Frank
CAS
We already have CAS SSO Authentication on most of our stuff on campus, so we're planning on using that for this fall's (2011) launch. Our testing so far seems fine to use CAS and AD groups to check membership.
Drupal Cookie
There is a Moodle Authentication Type (sort of like a module) called Drupal Cookie that we have used. It is fairly simple and light-weight to implement, but it depends on the sites being able to access a common cookie (the Drupal session cookie). So, you'll want to have these sites at least hanging from the same parent domain.
We had to customize it a bit to make it fit our needs for mapping user accounts from Drupal to Moodle, along with synchronizing the user base nightly.
Our Drupal site authenticates against a SAML Identity Provider (or it could use LDAP), and Moodle authenticates against Drupal (using the Cookie). Theoretically, you could modify the Moodle authentication type to support multiple Drupal sites.
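An added example, not part of the comment above or of the Drupal Cookie plugin: a check of which hosts a browser sends a shared session cookie to once it is scoped to a common parent domain, following the RFC 6265 domain-match rule. The hostnames are constructed placeholders, and the two-label minimum in `common_parent` is a simplifying assumption standing in for a Public Suffix List lookup.

```python
import ipaddress

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: would `host` receive a cookie with this Domain?"""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP-address hosts only ever match exactly
    except ValueError:
        pass
    # Must be a dot-separated suffix, so "notcampus.example" does not match.
    return host.endswith("." + domain)

def common_parent(hosts):
    """Narrowest domain shared by all hosts, or None if no usable one exists."""
    reversed_labels = [h.lower().rstrip(".").split(".")[::-1] for h in hosts]
    shared = []
    for labels in zip(*reversed_labels):
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    # Assumption: fewer than two shared labels means only a TLD in common,
    # which browsers refuse as a cookie scope.
    if len(shared) < 2:
        return None
    return ".".join(reversed(shared))

def recipients(cookie_domain, hosts):
    """Every host in `hosts` that the browser would send the cookie to."""
    return [h for h in hosts if domain_match(h, cookie_domain)]

# Constructed inventory: the SSO sites plus other hosts in the same DNS zone.
SSO_SITES = ["www.campus.example", "courses.campus.example", "moodle.campus.example"]
OTHER_HOSTS = ["student-pages.campus.example", "notcampus.example"]

if __name__ == "__main__":
    scope = common_parent(SSO_SITES)
    print("cookie Domain needed:", scope)
    exposed = set(recipients(scope, SSO_SITES + OTHER_HOSTS)) - set(SSO_SITES)
    print("hosts outside the SSO set that also receive the session cookie:", sorted(exposed))
```

Any host listed in the second line of output sees the Drupal session cookie too, so it needs the same level of trust as the sites doing the sign-on.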
LDAP integration
The LDAP integration module allows for authentication against Windows Server's AD, and by googling I found this tutorial:
http://docs.moodle.org/en/LDAP_authentication
on the Moodle side.
Centralized Authentication
Well, if you are just talking about authentication and not account sharing/replication, you could consider using an OpenID server. For one of our clients, who used CAS as an authentication server on top of an open LDAP and Active Directory platform, we opted to use OpenID instead, with automated routines within the enterprise to sync Drupal accounts from the LDAP stack.
Of course, the solution wouldn't allow anonymous users to create accounts. All business personnel, staff, and student accounts were created first in an external business process, then users were issued account notices for Drupal second (on a nightly batch process).
I've also found mapping roles in Drupal to realms or roles in LDAP very problematic.
Robert Foley Jr
Solutions Architect
http://www.robertfoleyjr.com