Centralized authentication for Drupal & Moodle

tkrajcar's picture

Hi all,

Looking for some ideas on the right solution here. We are building several Drupal sites with a common user audience. These users also will be accessing Moodle content via hyperlinks from Drupal (i.e. we are not directly integrating Drupal and Moodle).

Looking for a centralized authentication server implementation that can:

  • protect both Drupal and Moodle sites
  • support true single sign-on (i.e. no re-prompting for credentials when users go from one Drupal site to another, or from Drupal to Moodle, or from Moodle to Drupal)
  • use LDAP (against MS Active Directory) as a primary authentication source, but also be able to work with a legacy system (i.e. we would regularly export usernames/passwords out of legacy system and presumably import them somewhere else where the auth server could see)

pubcookie seems the closest to what I'm looking for, but does not appear to support multiple authentication sources (or 'verifiers' in pubcookie parlance).
Other systems like CAS, Shibboleth, OpenSSO, etc. seem like they might fit the need but also seem quite a bit more complex to set up than would be ideal :-)

Thoughts?

Comments

We use Co-sign at our

btopro's picture

We use Co-sign at our university which is probably a bit more complicated to set up (I don't know specifically, we just tap into it and auto-create Drupal accounts off of it). http://drupal.org/project/sso is what I've used for consulting projects. Never used it to tap Moodle but that can at least do SSO across Drupal instances. OpenID is probably supported by both, any desire to go that route?

Integrating Moodle

Frank Ralf's picture

See http://docs.moodle.org/en/Integration_FAQ for some pointers from the other side ;-)

hth
Frank

CAS

rieraney's picture

We already have CAS SSO Authentication on most of our stuff on campus, so we're planning on using that for this fall's (2011) launch. Our testing so far seems fine to use CAS and AD groups to check membership.

Drupal Cookie

benrj's picture

There is a Moodle Authentication Type (sort of like a module) called Drupal Cookie that we have used. It is fairly simple and light-weight to implement, but it depends on the sites being able to access a common cookie (the Drupal session cookie). So, you'll want to have these sites at least hanging from the same parent domain.

We had to customize it a bit to make it fit our needs for mapping user accounts from Drupal to Moodle, along with synchronizing the user base nightly.

Our Drupal site authenticates against a SAML Identity Provider (or it could use LDAP), and Moodle authenticates against Drupal (using the Cookie). Theoretically, you could modify the Moodle authentication type to support multiple Drupal sites.
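An added example, not part of the comment above or of the Drupal Cookie plugin: the shared-cookie requirement comes from the browser's cookie domain-matching rule (RFC 6265), sketched here in Python. The hostnames are constructed; the second audit shows that a cookie scoped to the parent domain also reaches every other host under that domain.

```python
import ipaddress


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _domain_match(host, domain):
    """RFC 6265 section 5.1.3: identical, or host ends with '.' + domain."""
    if host == domain:
        return True
    return not _is_ip(host) and host.endswith("." + domain)


def cookie_sent_to(request_host, origin_host, domain_attr=None):
    """True if a cookie set by origin_host is attached to requests for request_host.

    Public-suffix rejection (e.g. Domain=edu) is not modelled here.
    """
    request_host = request_host.lower().rstrip(".")
    origin_host = origin_host.lower().rstrip(".")
    if not domain_attr:
        # No Domain attribute: host-only cookie, exact host match required.
        return request_host == origin_host
    domain = domain_attr.lower()
    if domain.startswith("."):
        domain = domain[1:]  # a leading dot is ignored
    if not _domain_match(origin_host, domain):
        # The browser rejects a cookie whose Domain the setting host is not under.
        return False
    return _domain_match(request_host, domain)


def audit(hosts, origin_host, domain_attr):
    """Map each host to whether it would receive the cookie."""
    return {h: cookie_sent_to(h, origin_host, domain_attr) for h in hosts}


# Constructed hostnames for illustration only.
HOSTS = ["drupal.example.edu", "moodle.example.edu",
         "blog.example.edu", "moodle.example.org"]

if __name__ == "__main__":
    print("host-only:        ", audit(HOSTS, "drupal.example.edu", None))
    print("Domain=example.edu", audit(HOSTS, "drupal.example.edu", ".example.edu"))
```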

LDAP integration

lucio.ferrari's picture

The LDAP integration module allows for authentication against Windows Server's AD, and by googling I found this tutorial:
http://docs.moodle.org/en/LDAP_authentication
on the Moodle side.

Centralized Authentication

emptyvoid's picture

Well, if you are just talking about authentication and not account sharing/replication, you could consider using an OpenID server. For one of our clients, who used CAS as an authentication server on top of an open LDAP and Active Directory platform, we opted to use OpenID instead, with automated routines within the enterprise to sync Drupal accounts from the LDAP stack.

Of course the solution wouldn't allow anonymous users to create accounts. All business personnel, staff, and student accounts were created first in an external business process, then users were issued account notices for Drupal second (on a nightly batch process).

I've also found mapping roles in Drupal to realms or roles in LDAP to be very problematic.

Robert Foley Jr
Solutions Architect
http://www.robertfoleyjr.com