Note: You are currently viewing documentation for Moodle 3.11. Up-to-date documentation for the latest stable version of Moodle may be available here: Multi-tenancy authentication.

Multi-tenancy authentication

From MoodleDocs
This feature is part of Moodle Workplace™, which is available through Moodle Partners only.

Overview

Moodle Workplace supports different authentication configurations for each tenant. Currently, the following authentication plugins support multi-tenancy:

Authentication plugins are managed by the administrator. Multi-tenancy awareness is indicated by the Multi-tenant label shown next to each authentication plugin.


There are various places to configure settings for authentication plugins:

  • Site-wide common settings: Site administration > Plugins > Authentication > Manage authentication. Site-wide common settings apply to all plugins where applicable, for example "Allowed email domains". Any common setting that can be overridden at tenant level can be locked via the Force for all tenants settings; conversely, the Force for all tenants settings also serve as an indication of which settings are configurable per tenant.
  • Site-wide plugin settings: Site administration > Plugins > Authentication > Manage authentication > [Plugin] > Settings. Most authentication plugins offer a range of site-wide settings.
  • Tenant-specific common settings: Site administration > Users > Organisation > Manage tenants > [Select tenant] > Authentication > Common settings. Here, you can override the site-wide common settings and adjust them for the tenant at hand.
  • Tenant-specific plugin settings: Site administration > Users > Organisation > Manage tenants > [Select tenant] > Authentication > [Plugin] > Settings

Any plugin enabled at tenant level that is able to create new accounts will do so in the tenant where it has been configured. Authentication plugins not supporting multi-tenancy will create users in the default tenant. To provide a degree of multi-tenant support for auth plugins not supporting multi-tenancy, a Dynamic rule has to be created to allocate users to different tenants based on some conditions.

Multi-tenant authentication plugins

Manual accounts

When configuring manual accounts at the tenant level, you can override the predefined lock values for each data field. When Custom is selected, you have to choose between the three locking options Unlocked, Unlocked if empty, and Locked.

Email-based self-registration

When configuring email-based self-registration at the tenant level, you can override the predefined lock values for each data field. When Custom is selected, you have to choose between the three locking options Unlocked, Unlocked if empty, and Locked.
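As an added illustration of the field locking described for the manual accounts and email-based self-registration plugins (example code written for this page, not Moodle Workplace's own PHP), the following Python model resolves the effective lock for a profile field and decides whether a user may edit it. The `Lock` enum, the sample `SITE_LOCKS` and `TENANT_LOCKS` maps, and the rule that an unconfigured field counts as Unlocked are assumptions of this model; the meaning of "Unlocked if empty" (the user may fill the field only while it is empty) follows Moodle's standard lock semantics.

```python
from enum import Enum
from typing import Mapping, Optional


class Lock(Enum):
    """The three locking options the page lists for each data field."""
    UNLOCKED = "unlocked"                   # user may always edit the field
    UNLOCKED_IF_EMPTY = "unlockedifempty"   # user may fill the field only while it is empty
    LOCKED = "locked"                       # user can never edit the field


# Constructed site-wide lock values for the plugin (sample data, not a real site's config).
SITE_LOCKS = {
    "email": Lock.UNLOCKED,
    "department": Lock.UNLOCKED_IF_EMPTY,
    "idnumber": Lock.LOCKED,
}

# Constructed tenant-level settings: None means the predefined (site-wide) value was kept,
# a Lock value means "Custom" was selected for the field and that option chosen.
TENANT_LOCKS = {
    "email": Lock.LOCKED,      # this tenant pins email addresses
    "department": None,        # predefined
    # "idnumber" absent: also treated as predefined
}


def effective_lock(field: str, site_locks: Mapping[str, Lock],
                   tenant_locks: Mapping[str, Optional[Lock]]) -> Lock:
    """A tenant Custom override wins; otherwise the site-wide value applies.

    A field unknown to both maps is treated as Unlocked (assumption of this model).
    """
    override = tenant_locks.get(field)
    if override is not None:
        return override
    return site_locks.get(field, Lock.UNLOCKED)


def user_can_edit(field: str, current_value: str,
                  site_locks: Mapping[str, Lock],
                  tenant_locks: Mapping[str, Optional[Lock]]) -> bool:
    """Whether a user in this tenant may change the field through their own profile."""
    lock = effective_lock(field, site_locks, tenant_locks)
    if lock is Lock.UNLOCKED:
        return True
    if lock is Lock.UNLOCKED_IF_EMPTY:
        return current_value.strip() == ""
    return False   # Lock.LOCKED


if __name__ == "__main__":
    for name, value in (("email", "user@example.org"), ("department", ""), ("department", "Sales")):
        print(name, effective_lock(name, SITE_LOCKS, TENANT_LOCKS).value,
              "editable" if user_can_edit(name, value, SITE_LOCKS, TENANT_LOCKS) else "read-only")
```

The point of the precedence order is that a tenant can only tighten or loosen what the site allows it to override; a field the site administrator has forced for all tenants would simply never appear in the tenant map.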

OAuth 2

The standard OAuth 2 plugin has been extended with a Tenant availability feature, which can be accessed via Site administration > Server > OAuth 2 Services or directly from the tenant settings in the Authentication tab.


A new icon labelled Tenant availability has been added to the actions list. Once this has been selected, you can choose between the following self-explanatory options:

  • This service is available to all tenants (including future ones)
  • This service is available only to the following tenants: <select one or many tenants>
  • This service is available to all tenants except the following: <select one or many tenants>

SAML

Multi-tenancy support for the third-party SAML2 authentication plugin has been added to the Moodle Workplace codebase. Note that you still need to install the plugin as usual before the added multi-tenancy options can be configured.

You can limit IdPs to individual tenants and also configure field locking per tenant. The following multi-tenancy features have been added to the SAML2 plugin:

  • SAML2 appears in the list of available authentication plugins on the tenant page. Individual tenants can enable or disable the plugin and also override field locking.
  • Force for all tenants options have been added to the Data mapping section on the SAML2 configuration page (Site administration > Plugins > Authentication > SAML2).
  • Identity providers in SAML2 can be limited to individual tenants. To access this selection, go to the SAML2 settings on the Authentication tab of a tenant. Then select Manage available Identity Providers (IdPs) from the SAML2 section and press the Edit tenant availability button, where you can choose between the following self-explanatory options:
      • This service is available to all tenants (including future ones)
      • This service is available only to the following tenants: <select one or many tenants>
      • This service is available to all tenants except the following: <select one or many tenants>

Login and signup tenant selector

Moodle Workplace offers a site selector on the login and signup pages so that users can pick the correct tenant before authenticating. To enable the site selector, go to Site administration > Plugins > Authentication > Manage authentication and enable the setting Show tenant selector on the login page.


Each tenant’s visibility of the selector can be configured in the tenant settings (Show this tenant in the login selector). Once enabled, the site selector is shown in the bottom-right corner of the login and signup pages a few seconds after the page loads. When selecting the Change site option, a modal window will be shown where the user can select an alternative tenant.


The authentication buttons on the login page are configured in the OAuth 2 services settings. Depending on the tenant availability selection (available to all tenants (including future ones), available only to the following tenants…, or available to all tenants except the following…), different authentication buttons will be shown for different tenant login pages.
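As an added example (written for this page, not Moodle Workplace's own PHP code), the following Python model evaluates the three tenant-availability options that the OAuth 2 and SAML2 sections above list and derives the login buttons a given tenant's login page would show. The `Availability` enum, the `AuthService` class and the sample services are constructed for this illustration; the tenant ids are placeholders.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List


class Availability(Enum):
    """The three tenant-availability options for an OAuth 2 service or SAML2 IdP."""
    ALL = "all"         # available to all tenants (including future ones)
    ONLY = "only"       # available only to the listed tenants
    EXCEPT = "except"   # available to all tenants except the listed ones


@dataclass(frozen=True)
class AuthService:
    """One OAuth 2 service or SAML2 identity provider with its availability rule (constructed model)."""
    name: str
    mode: Availability
    tenants: FrozenSet[int] = frozenset()   # the "select one or many tenants" list; unused for ALL


def is_available(service: AuthService, tenant_id: int) -> bool:
    """Evaluate the availability rule for one tenant.

    ALL needs no list, so a tenant created after the rule was saved is still covered.
    ONLY fails closed: a tenant not on the list (including a future one) gets nothing.
    EXCEPT is the inverse: everyone except the listed tenants, future tenants included.
    """
    if service.mode is Availability.ALL:
        return True
    if service.mode is Availability.ONLY:
        return tenant_id in service.tenants
    if service.mode is Availability.EXCEPT:
        return tenant_id not in service.tenants
    raise ValueError(f"unknown availability mode: {service.mode!r}")


def login_buttons(services: List[AuthService], tenant_id: int) -> List[str]:
    """Names of the services whose button the login page of `tenant_id` should show."""
    return [s.name for s in services if is_available(s, tenant_id)]


# Constructed sample configuration: one service per availability mode.
SERVICES = [
    AuthService("Public OAuth 2 service", Availability.ALL),
    AuthService("Corporate IdP", Availability.ONLY, frozenset({1, 2})),
    AuthService("Partner IdP", Availability.EXCEPT, frozenset({3})),
]

if __name__ == "__main__":
    # Tenant 99 stands in for a tenant created after the rules were saved.
    for tenant in (1, 3, 99):
        print(f"tenant {tenant}: {login_buttons(SERVICES, tenant)}")
```

When reviewing a tenant's login page, the difference between ONLY and EXCEPT is the one to check: a newly created tenant inherits every ALL and EXCEPT service automatically, so a provider that must stay restricted to particular tenants should use the "only to the following tenants" option rather than an exclusion list.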

Users can log in using an email address even if that address is not unique across the site, provided it is unique within the tenant selected on the login screen.
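The rule in the previous paragraph, as an added example (not code from Moodle Workplace): a site-wide email lookup and a tenant-scoped lookup over the same constructed user list. The `User` class and the sample `USERS` are made up for this illustration; both lookups fail closed, returning no user, whenever the address matches zero or more than one account in the scope being searched.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class User:
    """Minimal account record for the model: which tenant the account lives in and its email."""
    id: int
    tenant_id: int
    email: str


# Constructed sample data. alice@example.org exists in two tenants, so it is not unique
# site-wide, but each tenant holds exactly one alice. bob@example.org appears twice in
# tenant 1 (once with different letter case), so it is ambiguous even inside that tenant.
USERS = [
    User(1, 1, "alice@example.org"),
    User(2, 2, "alice@example.org"),
    User(3, 1, "bob@example.org"),
    User(4, 1, "BOB@example.org"),
    User(5, 2, "carol@example.org"),
]


def _single(matches: list) -> Optional[User]:
    """Return the match only when it is unique; zero or several matches resolve to nobody."""
    return matches[0] if len(matches) == 1 else None


def find_user_by_email_sitewide(users: Iterable[User], email: str) -> Optional[User]:
    """Email login without a tenant context: the address must be unique across the whole site."""
    wanted = email.strip().lower()
    return _single([u for u in users if u.email.lower() == wanted])


def find_user_by_email_in_tenant(users: Iterable[User], email: str, tenant_id: int) -> Optional[User]:
    """Email login with the tenant chosen in the login selector: uniqueness is checked within that tenant only.

    The tenant filter is applied before the uniqueness check, so an account in another
    tenant with the same address neither blocks the login nor can be selected by it.
    """
    wanted = email.strip().lower()
    return _single([u for u in users
                    if u.tenant_id == tenant_id and u.email.lower() == wanted])


if __name__ == "__main__":
    print("site-wide alice:", find_user_by_email_sitewide(USERS, "alice@example.org"))
    print("tenant 1 alice: ", find_user_by_email_in_tenant(USERS, "alice@example.org", 1))
    print("tenant 1 bob:   ", find_user_by_email_in_tenant(USERS, "bob@example.org", 1))
```

The comparison is case-insensitive on purpose: treating `bob@example.org` and `BOB@example.org` as distinct would let the uniqueness check pass for two accounts that most mail systems deliver to the same mailbox.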