https://docs.moodle.org/405/en/api.php?action=feedcontributions&feedformat=atom&user=RatnaMoodleDocs - User contributions [en]2026-05-16T06:33:42ZUser contributionsMediaWiki 1.43.5https://docs.moodle.org/405/en/index.php?title=Talk:Installation_on_Ubuntu_using_Git&diff=151195Talk:Installation on Ubuntu using Git2025-03-18T12:39:33Z<p>Ratna: </p>
<hr />
<div>This old documentation uses PHP 5, but current Moodle 3.5 should use PHP 7<br />
<br />
"current Moodle 3.5"? This is the Moodle 4.5 LTS page!</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149281Shibboleth2024-09-09T05:11:35Z<p>Ratna: </p>
<hr />
<div>{{Authentication}}<br />
<br />
==What is Shibboleth==<br />
<br />
[https://en.wikipedia.org/wiki/Shibboleth_(software) Shibboleth] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Identity providers (IdP's)] supply user information, while [https://en.wikipedia.org/wiki/Service_provider_(SAML) service providers (SP's)] consume this information and gate access to secure content.<br />
<br />
==auth/shibboleth/README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user"; <br />
}<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false"><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
==Some notable Shibboleth federations==<br />
===UK Access Management Federation for Education and Research===<br />
In the UK [https://en.wikipedia.org/wiki/Becta Becta] and [https://www.jisc.ac.uk/about-us JISC] have implemented the education federation [https://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research] using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
===Swiss Authentication and Authorization Infrastructure (SWITCHaai)===<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs the federation called [https://help.switch.ch/aai/ Swiss Authentication and Authorization Infrastructure (SWITCHaai)] encompassing about 160 institutions and a universal login for all living in Switzerland under [https://www.switch.ch/edu-id Switch edu-ID] covering around 900,000 users.<br />
<br />
==A sample configuration in detail==<br />
Here are the steps required in a specific federation as an example to demonstrate the components involved.<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE in the document could mean /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Configuring service provider===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Get federation metadata signing certificate federation-cert.pem<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
3. Edit the main Shibboleth configuration file /etc/shibboleth/shibboleth2.xml<br />
<br />
3.1 Change the entityID in the ApplicationDefaults tag to your service<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Plan for the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
4. Create SP metadata credentials<br />
<br />
# /usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
# /usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
5. Start the shibboleth service for Apache<br />
<br />
5.1 Test the configuration before starting the service:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
[possible errors or warnings]<br />
overall configuration is loadable, check console or log for non-fatal problems<br />
<br />
You need to study the errors or warnings, if there are any, before continuing.<br />
<br />
5.2 Start the service:<br />
<br />
# systemctl start shibd<br />
<br />
<br />
6. Enable Shibboleth on the Apache virtual host<br />
<br />
6.1 To activate shibboleth login on Apache protect the /PATH/TO/MOODLE/auth/shibboleth/index.php file by Shibboleth. Also add the SSL certificates to the /etc/apache2/sites-available/SOMETHING.conf file:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
6.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
===Configuring the identity provider===<br />
<br />
7. Register the site with the federation<br />
<br />
The site needs to be registered with the federation so that its WAYF go to the discovery service divert you to the correct IdP.<br />
<br />
7.1 Get the metadata of the application<br />
<br />
It is available at the URL https://DOMAIN/Shibboleth.sso/Metadata. <br />
<br />
7.2 Submit the metadata and your administrative information to the federation<br />
<br />
Usually there is a web site at the federation for you to upload the metadata and enter various administrative information. The administrators of the federation must have shared the link with you. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
8. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
8.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
8.2 Configure the Shibboleth plug-in in Moodle<br />
<br />
Moodle needs the four fields 'Username', 'First name', 'Surname' and 'Email' at a minimum to create an account. So you should map them to corrosponding attributes in the IdP database. You have to set this data-mapping under ''Site administration > Plugins: Authentication > Shibboleth'' , etc. Here is again a typical set:<br />
<br />
Username: eppn<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all the above three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
In addition make the following changes:<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
Now you may visit https://DOMAIN/login/ and choose Shibboleth to be taken to the federation WAYF.<br />
<br />
==How to debug==<br />
* Visit https://DOMAIN/Shibboleth.sso/Login. You should be taken to the federation discovery service where you need to select your IdP. From there you'll be taken to your IdP login page. Once your credentials are accepted you'll be taken back to the Moodle site. Once in there visit https://DOMAIN/Shibboleth.sso/Session. It should show all the required attributes as in this example:<br />
<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[https://incommon.org/software/shibboleth/ Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=File:test_screenshot.png&diff=149280File:test screenshot.png2024-09-08T15:15:36Z<p>Ratna: </p>
<hr />
<div></div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Talk:Shibboleth&diff=149279Talk:Shibboleth2024-09-08T14:31:05Z<p>Ratna: </p>
<hr />
<div>See the original discussion: [https://moodle.org/mod/forum/discuss.php?d=461370 "Shibboleth" Moodle as the SP doesn't get the attributes filled from the IdP]<br />
<br />
--[[User:Visvanath Ratnaweera|Visvanath Ratnaweera]] ([[User talk:Visvanath Ratnaweera|talk]]) 14:30, 8 September 2024 (UTC)</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149269Shibboleth2024-09-08T10:25:01Z<p>Ratna: </p>
<hr />
<div>{{Authentication}}<br />
<br />
==What is Shibboleth==<br />
<br />
[https://en.wikipedia.org/wiki/Shibboleth_(software) Shibboleth] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Identity providers (IdP's)] supply user information, while [https://en.wikipedia.org/wiki/Service_provider_(SAML) service providers (SP's)] consume this information and gate access to secure content.<br />
<br />
==auth/shibboleth/README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user"; <br />
}<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false"><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
==Some notable federations==<br />
===UK Access Management Federation for Education and Research===<br />
In the UK Becta and JISC have implemented the education federation [https://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research] using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
===Swiss Authentication and Authorization Infrastructure (SWITCHaai)===<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs the federation called [https://help.switch.ch/aai/ Swiss Authentication and Authorization Infrastructure (SWITCHaai)] encompassing about 160 institutions and a universal login for all living in Switzerland under [https://www.switch.ch/edu-id Switch edu-ID] covering around 900,000 users.<br />
<br />
==A sample configuration in detail==<br />
Here are the steps required in a specific federation as an example to demonstrate the components involved.<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE in the document could mean /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Configuring service provider===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Get federation metadata signing certificate federation-cert.pem<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
3. Edit the main Shibboleth configuration file /etc/shibboleth/shibboleth2.xml<br />
<br />
3.1 Change the entityID in the ApplicationDefaults tag to your service<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Plan for the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
4. Create SP metadata credentials<br />
<br />
# /usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
# /usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
5. Start the shibboleth service for Apache<br />
<br />
5.1 Test the configuration before starting the service:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
[possible errors or warnings]<br />
overall configuration is loadable, check console or log for non-fatal problems<br />
<br />
You need to study the errors or warnings, if there are any, before continuing.<br />
<br />
5.2 Start the service:<br />
<br />
# systemctl start shibd<br />
<br />
<br />
6. Enable Shibboleth on the Apache virtual host<br />
<br />
6.1 To activate shibboleth login on Apache protect the /PATH/TO/MOODLE/auth/shibboleth/index.php file by Shibboleth. Also add the SSL certificates to the /etc/apache2/sites-available/SOMETHING.conf file:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
6.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
===Configuring the identity provider===<br />
<br />
7. Register the site with the federation<br />
<br />
The site needs to be registered with the federation so that its WAYF go to the discovery service divert you to the correct IdP.<br />
<br />
7.1 Get the metadata of the application<br />
<br />
It is available at the URL https://DOMAIN/Shibboleth.sso/Metadata. <br />
<br />
7.2 Submit the metadata and your administrative information to the federation<br />
<br />
Usually there is a web site at the federation for you to upload the metadata and enter various administrative information. The administrators of the federation must have shared the link with you. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
8. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
8.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
8.2 Configure the Shibboleth plug-in in Moodle<br />
<br />
Moodle needs the four fields 'Username', 'First name', 'Surname' and 'Email' at a minimum to create an account. So you should map them to corrosponding attributes in the IdP database. You have to set this data-mapping under ''Site administration > Plugins: Authentication > Shibboleth'' , etc. Here is again a typical set:<br />
<br />
Username: eppn<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all the above three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
In addition make the following changes:<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
Now you may visit https://DOMAIN/login/ and choose Shibboleth to be taken to the federation WAYF.<br />
<br />
==How to debug==<br />
* Visit https://DOMAIN/Shibboleth.sso/Login. You should be taken to the federation discovery service where you need to select your IdP. From there you'll be taken to your IdP login page. Once your credentials are accepted you'll be taken back to the Moodle site. Once in there visit https://DOMAIN/Shibboleth.sso/Session. It should show all the required attributes as in this example:<br />
<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[https://incommon.org/software/shibboleth/ Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149263Shibboleth2024-09-08T07:51:27Z<p>Ratna: </p>
<hr />
<div>{{Authentication}}<br />
<br />
==What is Shibboleth==<br />
<br />
[https://en.wikipedia.org/wiki/Shibboleth_(software) Shibboleth] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Identity providers (IdP's)] supply user information, while [https://en.wikipedia.org/wiki/Service_provider_(SAML) service providers (SP's)] consume this information and gate access to secure content.<br />
<br />
==auth/shibboleth/README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user"; <br />
}<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false"><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
==Some notable federations==<br />
===UK Access Management Federation for Education and Research===<br />
In the UK Becta and JISC have implemented the education federation [https://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research] using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
===Swiss Authentication and Authorization Infrastructure (SWITCHaai)===<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs the federation called [https://help.switch.ch/aai/ Swiss Authentication and Authorization Infrastructure (SWITCHaai)] encompassing about 160 institutions and a universal login for all living in Switzerland under [https://www.switch.ch/edu-id Switch edu-ID] covering around 900,000 users.<br />
<br />
==A sample configuration in detail==<br />
Here are the steps required in a specific federation as an example to demonstrate the components involved.<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE in the document could mean /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Configuring service provider===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Download federation metadata signing certificate<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
3. Edit the /etc/shibboleth/shibboleth2.xml file<br />
<br />
3.1 Change the ApplicationDefaults tag to your domain<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Set the names of the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
4. Create SP metadata credentials<br />
<br />
# /usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
# /usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
5. Start the shibboleth service for Apache<br />
<br />
5.1 Test the configuration before starting the service:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
[possible errors or warnings]<br />
overall configuration is loadable, check console or log for non-fatal problems<br />
<br />
You need to study the errors or warnings, if there are any, before continuing.<br />
<br />
5.2 Start the service:<br />
<br />
# systemctl start shibd<br />
<br />
<br />
6. Enable Shibboleth on the Apache virtual host<br />
<br />
6.1 To activate shibboleth login on Apache protect the /PATH/TO/MOODLE/auth/shibboleth/index.php file by Shibboleth. Also add the SSL certificates to the /etc/apache2/sites-available/SOMETHING.conf file:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
6.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
===Configuring the identity provider===<br />
<br />
7. Register the site with the federation<br />
<br />
The site needs to be registered with the federation so that its WAYF go to the discovery service divert you to the correct IdP.<br />
<br />
7.1 Get the metadata of the application<br />
<br />
It is available at the URL https://DOMAIN/Shibboleth.sso/Metadata. <br />
<br />
7.2 Submit the metadata and your administrative information to the federation<br />
<br />
Usually there is a web site at the federation for you to upload the metadata and enter various administrative information. The administrators of the federation must have shared the link with you. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
8. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
8.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
8.2 Configure the Shibboleth plug-in in Moodle<br />
<br />
Moodle needs the four fields 'Username', 'First name', 'Surname' and 'Email' at a minimum to create an account. So you should map them to corrosponding attributes in the IdP database. You have to set this data-mapping under ''Site administration > Plugins: Authentication > Shibboleth'' , etc. Here is again a typical set:<br />
<br />
Username: eppn<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
In addition make the following changes:<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
Now you may visit https://DOMAIN/login/ and choose Shibboleth to be taken to the federation WAYF.<br />
<br />
==In case of problems==<br />
* Visit https://DOMAIN/Shibboleth.sso/Login. You should be taken to the Federation fds page where you need to select your IdP. From there you'll be taken to your IdP login page. Once you enter your credentials you'll be taken back to your Moodle site. Once in there visit https://DOMAIN/Shibboleth.sso/Session. It should show all the required attributes as in this example:<br />
<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[https://incommon.org/software/shibboleth/ Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149262Shibboleth2024-09-08T07:50:35Z<p>Ratna: </p>
<hr />
<div>{{Authentication}}<br />
<br />
==What is Shibboleth==<br />
<br />
[https://en.wikipedia.org/wiki/Shibboleth_(software) Shibboleth] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Identity providers (IdP's)] supply user information, while [https://en.wikipedia.org/wiki/Service_provider_(SAML) service providers (SP's)] consume this information and gate access to secure content.<br />
<br />
==auth/shibboleth/README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user"; <br />
}<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false"><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
==Some notable federations==<br />
===UK Access Management Federation for Education and Research===<br />
In the UK Becta and JISC have implemented the education federation [https://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research] using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
===Swiss Authentication and Authorization Infrastructure (SWITCHaai)===<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs the federation called [https://help.switch.ch/aai/ Swiss Authentication and Authorization Infrastructure (SWITCHaai)] encompassing about 160 institutions and a universal login for all living in Switzerland under [https://www.switch.ch/edu-id Switch edu-ID] covering around 900,000 users.<br />
<br />
==A sample configuration in detail==<br />
Here are the steps required in a specific federation as an example to demonstrate the components involved.<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE in the document could mean /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Configuring service provider===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Download federation metadata signing certificate<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
3. Edit the /etc/shibboleth/shibboleth2.xml file<br />
<br />
3.1 Change the ApplicationDefaults tag to your domain<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Set the names of the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
4. Create SP metadata credentials<br />
<br />
# /usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
# /usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
5. Start the shibboleth service for Apache<br />
<br />
5.1 Test the configuration before starting the service:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
[possible errors or warnings]<br />
overall configuration is loadable, check console or log for non-fatal problems<br />
<br />
You need to study the errors or warnings, if there are any, before continuing.<br />
<br />
5.2 Start the service:<br />
<br />
# systemctl start shibd<br />
<br />
<br />
6. Enable Shibboleth on the Apache virtual host<br />
<br />
6.1 To activate shibboleth login on Apache protect the /PATH/TO/MOODLE/auth/shibboleth/index.php file by Shibboleth. Also add the SSL certificates to the /etc/apache2/sites-available/SOMETHING.conf file:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
6.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
===Configuring the identity provider===<br />
<br />
7. Register the site with the federation<br />
<br />
The site needs to be registered with the federation so that its WAYF go to the discovery service divert you to the correct IdP.<br />
<br />
7.1 Get the metadata of the application<br />
<br />
It is available at the URL https://DOMAIN/Shibboleth.sso/Metadata. <br />
<br />
7.2 Submit the metadata and your administrative information to the federation<br />
<br />
Usually there is a web site at the federation for you to upload the metadata and enter various administrative information. The administrators of the federation must have shared the link with you. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
8. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
8.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
8.2 Configure the Shibboleth plug-in in Moodle<br />
<br />
Moodle needs the four fields 'Username', 'First name', 'Surname' and 'Email' at a minimum to create an account. So you should map them to corrosponding attributes in the IdP database. You have to set this data-mapping under ''Site administration > Plugins: Authentication > Shibboleth'' , etc. Here is again a typical set:<br />
<br />
Username: eppn<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
In addition make the following changes:<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
Now you may visit https://DOMAIN/login/ and choose Shibboleth to be taken to the federation WAYF.<br />
<br />
===In case of problems===<br />
* Visit https://DOMAIN/Shibboleth.sso/Login. You should be taken to the Federation fds page where you need to select your IdP. From there you'll be taken to your IdP login page. Once you enter your credentials you'll be taken back to your Moodle site. Once in there visit https://DOMAIN/Shibboleth.sso/Session. It should show all the required attributes as in this example:<br />
<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[https://incommon.org/software/shibboleth/ Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149261Shibboleth2024-09-08T07:02:57Z<p>Ratna: Renumbering the SP config section. Debugging section started</p>
<hr />
<div>{{Authentication}}<br />
<br />
==What is Shibboleth==<br />
<br />
[https://en.wikipedia.org/wiki/Shibboleth_(software) Shibboleth] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Identity providers (IdP's)] supply user information, while [https://en.wikipedia.org/wiki/Service_provider_(SAML) service providers (SP's)] consume this information and gate access to secure content.<br />
<br />
==auth/shibboleth/README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user"; <br />
}<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false"><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
==Some notable federations==<br />
===UK Access Management Federation for Education and Research===<br />
In the UK Becta and JISC have implemented the education federation [https://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research] using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
===Swiss Authentication and Authorization Infrastructure (SWITCHaai)===<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs the federation called [https://help.switch.ch/aai/ Swiss Authentication and Authorization Infrastructure (SWITCHaai)] encompassing about 160 institutions and a universal login for all living in Switzerland under [https://www.switch.ch/edu-id Switch edu-ID] covering around 900,000 users.<br />
<br />
==A sample configuration in detail==<br />
Here are the steps required in a specific federation as an example to demonstrate the components involved.<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE in the document could mean /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Configuring SP (Moodle) side===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Download federation metadata signing certificate<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
3. Edit the /etc/shibboleth/shibboleth2.xml file<br />
<br />
3.1 Change the ApplicationDefaults tag to your domain<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Set the names of the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
4. Create SP metadata credentials<br />
<br />
# /usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
# /usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
5. Start the shibboleth service for Apache<br />
<br />
5.1 Test the configuration before starting the service:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
[possible errors or warnings]<br />
overall configuration is loadable, check console or log for non-fatal problems<br />
<br />
You need to study the errors or warnings, if there are any, before continuing.<br />
<br />
5.2 Start the service:<br />
<br />
# systemctl start shibd<br />
<br />
<br />
6. Enable Shibboleth on the Apache virtual host<br />
<br />
6.1 To activate shibboleth login on Apache protect the /PATH/TO/MOODLE/auth/shibboleth/index.php file by Shibboleth. Also add the SSL certificates to the /etc/apache2/sites-available/SOMETHING.conf file:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
6.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
<br />
7. Register the site with the federation<br />
<br />
We have now set up Shibboleth SP for Moodle. It has to be registered with the federation so that its WAYF go to the discovery Service to point different IDP's.<br />
<br />
7.1 Download the metadata of the application<br />
<br />
You can get them by visiting the URL https://DOMAIN/Shibboleth.sso/Metadata <br />
<br />
7.2 Submit the metadata to the federation<br />
<br />
Usually there is a web site at the federation for you to upload the metadata and enter various administrative information. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
8. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
8.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
8.2 Configure the Shibboleth plug-in in Moodle<br />
Under ''Site administration > Plugins: Authentication > Shibboleth'' the fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto them. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
Username: eppn<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
Now you may browse to https://DOMAIN/ and select your preferred IdP to log in.<br />
<br />
===In case of problems===<br />
* Visit https://DOMAIN/Shibboleth.sso/Login. You should be taken to the Federation fds page where you need to select your IdP. From there you'll be taken to your IdP login page. Once you enter your credentials you'll be taken back to your Moodle site. Once in there visit https://DOMAIN/Shibboleth.sso/Session. It should show all the required attributes as in this example:<br />
<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[https://incommon.org/software/shibboleth/ Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Talk:Shibboleth&diff=149246Talk:Shibboleth2024-09-03T20:28:10Z<p>Ratna: </p>
<hr />
<div>Original discussion: [https://moodle.org/mod/forum/discuss.php?d=461370 "Shibboleth" Moodle as the SP doesn't get the attributes filled from the IdP]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Talk:Shibboleth&diff=149245Talk:Shibboleth2024-09-03T20:27:25Z<p>Ratna: </p>
<hr />
<div>Original discussion: [https://moodle.org/mod/forum/discuss.php?d=461370 [Shibboleth] Moodle as the SP doesn't get the attributes filled from the IdP]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149244Shibboleth2024-09-03T20:16:20Z<p>Ratna: </p>
<hr />
<div>{{Authentication}}<br />
<br />
==What is Shibboleth==<br />
<br />
[https://en.wikipedia.org/wiki/Shibboleth_(software) Shibboleth] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Identity providers (IdP's)] supply user information, while [https://en.wikipedia.org/wiki/Service_provider_(SAML) service providers (SP's)] consume this information and gate access to secure content.<br />
<br />
==auth/shibboleth/README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user"; <br />
}<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false"><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
==Some notable federations==<br />
===UK Access Management Federation for Education and Research===<br />
In the UK Becta and JISC have implemented the education federation [https://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research] using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
===Swiss Authentication and Authorization Infrastructure (SWITCHaai)===<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs the federation called [https://help.switch.ch/aai/ Swiss Authentication and Authorization Infrastructure (SWITCHaai)] encompassing about 160 institutions and a universal login for all living in Switzerland under [https://www.switch.ch/edu-id Switch edu-ID] covering around 900,000 users.<br />
<br />
==A sample configuration in detail==<br />
Here are the steps required in a specific federation as an example to demonstrate the components involved.<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE in the document could mean /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Steps you have to follow===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Download federation metadata signing certificate<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
3. Configure the Shibboleth service provider<br />
<br />
Edit the /etc/shibboleth/shibboleth2.xml file as described below.<br />
<br />
3.1 Change the ApplicationDefaults tag to your domain<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Set the names of the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
We will generate those lms-*.pem files in step 3.6.<br />
<br />
3.5 Add a ApplicationOverride section<br />
(Note: Not necessay, dg 28 Aug 2024)<br />
<br />
Add the following ApplicationOverride section just before the ApplicationDefaults section:<br />
<br />
<ApplicationOverride id="wp" entityID="https://wp.YOUR-DOMAIN/shibboleth"><br />
<CredentialResolver type="File" use="signing" key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/><br />
<CredentialResolver type="File" use="encryption" key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/><br />
</ApplicationOverride><br />
<br />
3.6 Create SP metadata credentials for both sites:<br />
<br />
# /usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
# /usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
4. Start the shibboleth service<br />
<br />
4.1 Test the configuration first:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
<br />
4.2 (Re)start the Shibd and Apache2:<br />
<br />
# systemctl start shibd<br />
# systemctl restart apache2<br />
<br />
<br />
5. Enable Shibboleth on the Apache virtual host<br />
<br />
5.1 To enable shibboleth login on the web application add the certificate files and protect the /PATH/TO/MOODLE/auth/shibboleth/index.php by Shibboleth. They are in a /etc/apache2/sites-available/SOMETHING.conf file. Here is the format:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
5.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
<br />
6. Register the SP with the federation<br />
<br />
We have now set up Shibboleth SP for Moodle. It has to be registered with the federation so that its WAYF go to the discovery Service to point different IDP's.<br />
<br />
6.1 Download the metadata of the application<br />
<br />
You can get them by visiting the URL https://DOMAIN/Shibboleth.sso/Metadata <br />
<br />
6.2 Submit the metadata to the federation<br />
<br />
Usually there is a web site at the federation for you to upload the metadata and enter various administrative information. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
7. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
7.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
7.2 Configure the Shibboleth plug-in in Moodle<br />
Under ''Site administration > Plugins: Authentication > Shibboleth'' the fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto them. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
Username: eppn<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
Now you may browse to https://DOMAIN/ and select your preferred IdP to log in.<br />
<br />
===In case of problems===<br />
(to come)<br />
<br />
==Additional notes==<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[https://incommon.org/software/shibboleth/ Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Talk:Shibboleth&diff=149243Talk:Shibboleth2024-09-03T19:46:49Z<p>Ratna: Created an empty page.</p>
<hr />
<div>Talk:Shibboleth</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149242Shibboleth2024-09-03T19:22:51Z<p>Ratna: </p>
<hr />
<div>{{Authentication}}<br />
<br />
==About==<br />
<br />
[https://en.wikipedia.org/wiki/Shibboleth_(software) Shibboleth] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Identity providers (IdP's)] supply user information, while [https://en.wikipedia.org/wiki/Service_provider_(SAML) service providers (SP's)] consume this information and gate access to secure content.<br />
<br />
==README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user"; <br />
}<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false"><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
==Some notable federations==<br />
===UK Access Management Federation for Education and Research===<br />
In the UK Becta and JISC have implemented the education federation [https://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research] using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
===Shibboleth in Switzerland ===<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs the federation [https://help.switch.ch/aai/ SWITCHaai] and a universal login for all living in Switzerland under [https://www.switch.ch/edu-id edu-ID]. It covers 160 institutions and 900,000 users.<br />
<br />
==A sample configuration in detail==<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE in the document could mean /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Steps you have to follow===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Download federation metadata signing certificate<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
3. Configure the Shibboleth service provider<br />
<br />
Edit the /etc/shibboleth/shibboleth2.xml file as described below.<br />
<br />
3.1 Change the ApplicationDefaults tag to your domain<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Set the names of the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
We will generate those lms-*.pem files in step 3.6.<br />
<br />
3.5 Add a ApplicationOverride section<br />
(Note: Not necessay, dg 28 Aug 2024)<br />
<br />
Add the following ApplicationOverride section just before the ApplicationDefaults section:<br />
<br />
<ApplicationOverride id="wp" entityID="https://wp.YOUR-DOMAIN/shibboleth"><br />
<CredentialResolver type="File" use="signing" key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/><br />
<CredentialResolver type="File" use="encryption" key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/><br />
</ApplicationOverride><br />
<br />
3.6 Create SP metadata credentials for both sites:<br />
<br />
# /usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
# /usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
4. Start the shibboleth service<br />
<br />
4.1 Test the configuration first:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
<br />
4.2 (Re)start the Shibd and Apache2:<br />
<br />
# systemctl start shibd<br />
# systemctl restart apache2<br />
<br />
<br />
5. Enable Shibboleth on the Apache virtual host<br />
<br />
5.1 To enable shibboleth login on the web application add the certificate files and protect the /PATH/TO/MOODLE/auth/shibboleth/index.php by Shibboleth. They are in a /etc/apache2/sites-available/SOMETHING.conf file. Here is the format:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
5.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
<br />
6. Register the SP with the federation<br />
<br />
We have now set up Shibboleth SP for Moodle. It has to be registered with the federation so that its WAYF go to the discovery Service to point different IDP's.<br />
<br />
6.1 Download the metadata of the application<br />
<br />
You can get them by visiting the URL https://DOMAIN/Shibboleth.sso/Metadata <br />
<br />
6.2 Submit the metadata to the federation<br />
<br />
Usually there is a web site at the federation for you to upload the metadata and enter various administrative information. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
7. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
7.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
7.2 Configure the Shibboleth plug-in in Moodle<br />
Under ''Site administration > Plugins: Authentication > Shibboleth'' the fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto them. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
Username: eppn<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
Now you may browse to https://DOMAIN/ and select your preferred IdP to log in.<br />
<br />
===In case of problems===<br />
(to come)<br />
<br />
==Additional notes==<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[https://incommon.org/software/shibboleth/ Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149241Shibboleth2024-09-03T19:21:45Z<p>Ratna: </p>
<hr />
<div>{{Authentication}}<br />
<br />
==About==<br />
<br />
[https://en.wikipedia.org/wiki/Shibboleth_(software) Shibboleth] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Identity providers (IdP's)] supply user information, while [https://en.wikipedia.org/wiki/Service_provider_(SAML) service providers (SP's)] consume this information and gate access to secure content.<br />
<br />
==README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user"; <br />
}<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false"><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
==Some notable federations==<br />
===UK Access Management Federation for Education and Research===<br />
In the UK Becta and JISC have implemented the education federation [https://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research] using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
===Shibboleth in Switzerland ===<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs the federation [https://help.switch.ch/aai/ SWITCHaai] and a universal login for all living in Switzerland under [https://www.switch.ch/edu-id edu-ID]. It covers 160 institutions and 900,000 users.<br />
<br />
==A sample configuration in detail==<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE in the document could mean /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Steps you have to follow===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Download federation metadata signing certificate<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
3. Configure the Shibboleth service provider<br />
<br />
Edit the /etc/shibboleth/shibboleth2.xml file as described below.<br />
<br />
3.1 Change the ApplicationDefaults tag to your domain<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Set the names of the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
We will generate those lms-*.pem files in step 3.6.<br />
<br />
3.5 Add a ApplicationOverride section<br />
(Note: Not necessay, dg 28 Aug 2024)<br />
<br />
Add the following ApplicationOverride section just before the ApplicationDefaults section:<br />
<br />
<ApplicationOverride id="wp" entityID="https://wp.YOUR-DOMAIN/shibboleth"><br />
<CredentialResolver type="File" use="signing" key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/><br />
<CredentialResolver type="File" use="encryption" key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/><br />
</ApplicationOverride><br />
<br />
3.6 Create SP metadata credentials for both sites:<br />
<br />
# /usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
# /usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
4. Start the shibboleth service<br />
<br />
4.1 Test the configuration first:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
<br />
4.2 (Re)start the Shibd and Apache2:<br />
<br />
# systemctl start shibd<br />
# systemctl restart apache2<br />
<br />
<br />
5. Enable Shibboleth on the Apache virtual host<br />
<br />
5.1 To enable shibboleth login on the web application add the certificate files and protect the /PATH/TO/MOODLE/auth/shibboleth/index.php by Shibboleth. They are in a /etc/apache2/sites-available/SOMETHING.conf file. Here is the format:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
5.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
<br />
6. Register the SP with the federation<br />
<br />
We have now set up Shibboleth SP for Moodle. It has to be registered with the federation so that its WAYF go to the discovery Service to point different IDP's.<br />
<br />
6.1 Download the metadata of the application<br />
<br />
You can get them by visiting the URL https://DOMAIN/Shibboleth.sso/Metadata <br />
<br />
6.2 Submit the metadata to the federation<br />
<br />
Usually there is a web site at the federation for you to upload the metadata and enter various administrative information. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
7. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
7.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
7.2 Configure the Shibboleth plug-in in Moodle<br />
Under ''Site administration > Plugins: Authentication > Shibboleth'' the fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto them. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
Username: eppn<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
===Finished!===<br />
Now you may browse to https://DOMAIN/ and select your preferred IdP to log in.<br />
<br />
===In case of problems===<br />
<br />
<br />
==Additional notes==<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[https://incommon.org/software/shibboleth/ Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149240Shibboleth2024-09-03T19:16:17Z<p>Ratna: /* Shibboleth in Switzerland */</p>
<hr />
<div>{{Authentication}}<br />
<br />
==About==<br />
<br />
[https://en.wikipedia.org/wiki/Shibboleth_(software) Shibboleth] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Identity providers (IdP's)] supply user information, while [https://en.wikipedia.org/wiki/Service_provider_(SAML) service providers (SP's)] consume this information and gate access to secure content.<br />
<br />
==README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user"; <br />
}<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false"><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
<br />
==Shibboleth in the UK==<br />
In the UK Becta and JISC have implemented an education federation using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
==Shibboleth in Switzerland ==<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs the federation [https://help.switch.ch/aai/ SWITCHaai] and a universal login for all living in Switzerland under [https://www.switch.ch/edu-id edu-ID]. It covers 160 institutions and 900,000 users.<br />
<br />
==A sample configuration==<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE in the document could mean /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Steps you have to follow===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Download federation metadata signing certificate<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
3. Configure the Shibboleth service provider<br />
<br />
Edit the /etc/shibboleth/shibboleth2.xml file as described below.<br />
<br />
3.1 Change the ApplicationDefaults tag to your domain<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Set the names of the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
We will generate those lms-*.pem files in step 3.6.<br />
<br />
3.5 Add a ApplicationOverride section<br />
(Note: Not necessay, dg 28 Aug 2024)<br />
<br />
Add the following ApplicationOverride section just before the ApplicationDefaults section:<br />
<br />
<ApplicationOverride id="wp" entityID="https://wp.YOUR-DOMAIN/shibboleth"><br />
<CredentialResolver type="File" use="signing" key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/><br />
<CredentialResolver type="File" use="encryption" key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/><br />
</ApplicationOverride><br />
<br />
3.6 Create SP metadata credentials for both sites:<br />
<br />
# /usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
# /usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
4. Start the shibboleth service<br />
<br />
4.1 Test the configuration first:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
<br />
4.2 (Re)start the Shibd and Apache2:<br />
<br />
# systemctl start shibd<br />
# systemctl restart apache2<br />
<br />
<br />
5. Enable Shibboleth on the Apache virtual host<br />
<br />
5.1 To enable shibboleth login on the web application add the certificate files and protect the /PATH/TO/MOODLE/auth/shibboleth/index.php by Shibboleth. They are in a /etc/apache2/sites-available/SOMETHING.conf file. Here is the format:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
5.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
<br />
6. Register the SP with the federation<br />
<br />
We have now set up Shibboleth SP for Moodle. It has to be registered with the federation so that its WAYF go to the discovery Service to point different IDP's.<br />
<br />
6.1 Download the metadata of the application<br />
<br />
You can get them by visiting the URL https://DOMAIN/Shibboleth.sso/Metadata <br />
<br />
6.2 Submit the metadata to the federation<br />
<br />
Usually there is a web site at the federation for you to upload the metadata and enter various administrative information. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
7. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
7.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
7.2 Configure the Shibboleth plug-in in Moodle<br />
Under ''Site administration > Plugins: Authentication > Shibboleth'' the fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto them. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
Username: eppn<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
===Finished!===<br />
Now you may browse to https://DOMAIN/ and select your preferred IdP to log in.<br />
<br />
===In case of problems===<br />
<br />
<br />
==Additional notes==<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[https://incommon.org/software/shibboleth/ Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149239Shibboleth2024-09-03T18:58:46Z<p>Ratna: </p>
<hr />
<div>{{Authentication}}<br />
<br />
==About==<br />
<br />
[https://en.wikipedia.org/wiki/Shibboleth_(software) Shibboleth] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Identity providers (IdP's)] supply user information, while [https://en.wikipedia.org/wiki/Service_provider_(SAML) service providers (SP's)] consume this information and gate access to secure content.<br />
<br />
==README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user"; <br />
}<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false"><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
<br />
==Shibboleth in the UK==<br />
In the UK Becta and JISC have implemented an education federation using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
==Shibboleth in Switzerland ==<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs a universal login under [https://www.switch.ch/edu-id edu-ID] for all living in Switzerland. It covers 160 institutions and 900,000 users.<br />
<br />
==A sample configuration==<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE in the document could mean /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Steps you have to follow===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Download federation metadata signing certificate<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
3. Configure the Shibboleth service provider<br />
<br />
Edit the /etc/shibboleth/shibboleth2.xml file as described below.<br />
<br />
3.1 Change the ApplicationDefaults tag to your domain<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Set the names of the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
We will generate those lms-*.pem files in step 3.6.<br />
<br />
3.5 Add a ApplicationOverride section<br />
(Note: Not necessay, dg 28 Aug 2024)<br />
<br />
Add the following ApplicationOverride section just before the ApplicationDefaults section:<br />
<br />
<ApplicationOverride id="wp" entityID="https://wp.YOUR-DOMAIN/shibboleth"><br />
<CredentialResolver type="File" use="signing" key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/><br />
<CredentialResolver type="File" use="encryption" key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/><br />
</ApplicationOverride><br />
<br />
3.6 Create SP metadata credentials for both sites:<br />
<br />
# /usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
# /usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
4. Start the shibboleth service<br />
<br />
4.1 Test the configuration first:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
<br />
4.2 (Re)start the Shibd and Apache2:<br />
<br />
# systemctl start shibd<br />
# systemctl restart apache2<br />
<br />
<br />
5. Enable Shibboleth on the Apache virtual host<br />
<br />
5.1 To enable shibboleth login on the web application add the certificate files and protect the /PATH/TO/MOODLE/auth/shibboleth/index.php by Shibboleth. They are in a /etc/apache2/sites-available/SOMETHING.conf file. Here is the format:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
5.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
<br />
6. Register the SP with the federation<br />
<br />
We have now set up Shibboleth SP for Moodle. It has to be registered with the federation so that its WAYF go to the discovery Service to point different IDP's.<br />
<br />
6.1 Download the metadata of the application<br />
<br />
You can get them by visiting the URL https://DOMAIN/Shibboleth.sso/Metadata <br />
<br />
6.2 Submit the metadata to the federation<br />
<br />
Usually there is a web site at the federation for you to upload the metadata and enter various administrative information. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
7. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
7.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
7.2 Configure the Shibboleth plug-in in Moodle<br />
Under ''Site administration > Plugins: Authentication > Shibboleth'' the fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto them. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
Username: eppn<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
===Finished!===<br />
Now you may browse to https://DOMAIN/ and select your preferred IdP to log in.<br />
<br />
===In case of problems===<br />
<br />
<br />
==Additional notes==<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[https://incommon.org/software/shibboleth/ Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149238Shibboleth2024-09-03T18:42:38Z<p>Ratna: </p>
<hr />
<div>{{Authentication}}<br />
<br />
==About==<br />
<br />
[https://en.wikipedia.org/wiki/Shibboleth_(software) Shibboleth] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Identity providers (IdP's)] supply user information, while [https://en.wikipedia.org/wiki/Service_provider_(SAML) service providers (SP's)] consume this information and gate access to secure content.<br />
<br />
==README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user"; <br />
}<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false"><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
<br />
==Shibboleth in the UK==<br />
In the UK Becta and JISC have implemented an education federation using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
==Shibboleth in Switzerland ==<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs a universal login under [https://www.switch.ch/edu-id edu-ID] for all living in Switzerland. It covers 160 institutions and 900,000 users.<br />
<br />
==A sample configuration==<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE could be /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Steps you have to follow===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Download federation metadata signing certificate<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
<br />
3. Configure the Shibboleth service provider<br />
<br />
Edit the /etc/shibboleth/shibboleth2.xml file as described below.<br />
<br />
3.1 Change the ApplicationDefaults tag to your domain<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Set the names of the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
We will generate those lms-*.pem files in step 3.6.<br />
<br />
3.5 Add a ApplicationOverride section<br />
(Note: Not necessay, dg 28 Aug 2024)<br />
<br />
Add the following ApplicationOverride section just before the ApplicationDefaults section:<br />
<br />
<ApplicationOverride id="wp" entityID="https://wp.YOUR-DOMAIN/shibboleth"><br />
<CredentialResolver type="File" use="signing" key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/><br />
<CredentialResolver type="File" use="encryption" key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/><br />
</ApplicationOverride><br />
<br />
3.6 Create SP metadata credentials for both sites:<br />
<br />
/usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
/usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
<br />
4. Start the shibboleth service<br />
<br />
4.1 Test the configuration first:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
<br />
4.2 (Re)start the Shibd and Apache2:<br />
<br />
# systemctl start shibd<br />
# systemctl restart apache2<br />
<br />
<br />
5. Enable Shibboleth on the Apache virtual host<br />
<br />
5.1 To enable shibboleth login on the web application add the certificate files and protect the /PATH/TO/MOODLE/auth/shibboleth/index.php by Shibboleth. They are in a /etc/apache2/sites-available/SOMETHING.conf file. Here is the format:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
5.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
<br />
6. Register the SP with the federation<br />
<br />
We have now set up Shibboleth SP for Moodle. It has to be registered with the federation so that its WAYF go to the discovery Service to point different IDP's.<br />
<br />
6.1 Download the metadata of the application<br />
<br />
You can get them by visiting the URL https://DOMAIN/Shibboleth.sso/Metadata <br />
<br />
6.2 Submit the metadata to the federation<br />
<br />
Usually there is a web site at the federation for you to upload the metadata and enter various administrative information. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
7. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
7.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
7.2 Configure the Shibboleth plug-in in Moodle<br />
Under ''Site administration > Plugins: Authentication > Shibboleth'' the fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto them. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
Username: eppn<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
===Finished!===<br />
Now you may browse to https://DOMAIN/ and select your preferred IdP to log in.<br />
<br />
===In case of problems===<br />
<br />
<br />
==Additional notes==<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[https://incommon.org/software/shibboleth/ Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149237Shibboleth2024-09-03T18:37:05Z<p>Ratna: </p>
<hr />
<div>{{Authentication}}<br />
<br />
Location: ''Site administration > Plugins: Authentication > Shibboleth'' <br />
<br />
[https://en.wikipedia.org/wiki/Shibboleth_(software) Shibboleth] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Identity providers (IdP's)] supply user information, while [https://en.wikipedia.org/wiki/Service_provider_(SAML) service providers (SP's)] consume this information and gate access to secure content.<br />
<br />
<br />
==README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user";<br />
<br />
}<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false" ><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
<br />
==Shibboleth in the UK==<br />
In the UK Becta and JISC have implemented an education federation using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
==Shibboleth in Switzerland ==<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs a universal login under [https://www.switch.ch/edu-id edu-ID] for all living in Switzerland. It covers 160 institutions and 900,000 users.<br />
<br />
==A sample configuration==<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE could be /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Steps you have to follow===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Download federation metadata signing certificate<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
<br />
3. Configure the Shibboleth service provider<br />
<br />
Edit the /etc/shibboleth/shibboleth2.xml file as described below.<br />
<br />
3.1 Change the ApplicationDefaults tag to your domain<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Set the names of the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
We will generate those lms-*.pem files in step 3.6.<br />
<br />
3.5 Add a ApplicationOverride section<br />
(Note: Not necessay, dg 28 Aug 2024)<br />
<br />
Add the following ApplicationOverride section just before the ApplicationDefaults section:<br />
<br />
<ApplicationOverride id="wp" entityID="https://wp.YOUR-DOMAIN/shibboleth"><br />
<CredentialResolver type="File" use="signing" key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/><br />
<CredentialResolver type="File" use="encryption" key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/><br />
</ApplicationOverride><br />
<br />
3.6 Create SP metadata credentials for both sites:<br />
<br />
/usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
/usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
<br />
4. Start the shibboleth service<br />
<br />
4.1 Test the configuration first:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
<br />
4.2 (Re)start the Shibd and Apache2:<br />
<br />
# systemctl start shibd<br />
# systemctl restart apache2<br />
<br />
<br />
5. Enable Shibboleth on the Apache virtual host<br />
<br />
5.1 To enable shibboleth login on the web application add the certificate files and protect the /PATH/TO/MOODLE/auth/shibboleth/index.php by Shibboleth. They are in a /etc/apache2/sites-available/SOMETHING.conf file. Here is the format:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
5.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
<br />
6. Register the SP with the federation<br />
<br />
We have now set up Shibboleth SP for Moodle. It has to be registered with the federation so that its WAYF go to the discovery Service to point different IDP's.<br />
<br />
6.1 Download the metadata of the application<br />
<br />
You can get them by visiting the URL https://DOMAIN/Shibboleth.sso/Metadata <br />
<br />
6.2 Submit the metadata to the federation<br />
<br />
Usually there is a web site at the federation for you to upload the metadata and enter various administrative information. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
7. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
7.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
7.2 Configure the Shibboleth plug-in in Moodle<br />
Under ''Site administration > Plugins: Authentication > Shibboleth'' the fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto them. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
Username: eppn<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
===Finished!===<br />
Now you may browse to https://DOMAIN/ and select your preferred IdP to log in.<br />
<br />
===In case of problems===<br />
<br />
<br />
==Additional notes==<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[https://incommon.org/software/shibboleth/ Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149236Shibboleth2024-09-03T18:07:03Z<p>Ratna: </p>
<hr />
<div>{{Authentication}}<br />
<br />
Location: ''Site administration > Plugins: Authentication > Shibboleth'' <br />
<br />
[Shibboleth https://en.wikipedia.org/wiki/Shibboleth_(software)] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [Identity providers (IdP's) https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language] supply user information, while [service providers (SP's) https://en.wikipedia.org/wiki/Service_provider_(SAML)] consume this information and gate access to secure content.<br />
<br />
<br />
==README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user";<br />
<br />
}<br />
<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false" ><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
<br />
==Shibboleth in the UK==<br />
In the UK Becta and JISC have implemented an education federation using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
==Shibboleth in Switzerland ==<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs a universal login under [https://www.switch.ch/edu-id edu-ID] for all living in Switzerland. It covers 160 institutions and 900,000 users.<br />
<br />
==A sample configuration==<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE could be /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Steps you have to follow===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Download federation metadata signing certificate<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
<br />
3. Configure the Shibboleth service provider<br />
<br />
Edit the /etc/shibboleth/shibboleth2.xml file as described below.<br />
<br />
3.1 Change the ApplicationDefaults tag to your domain<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Set the names of the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
We will generate those lms-*.pem files in step 3.6.<br />
<br />
3.5 Add a ApplicationOverride section<br />
(Note: Not necessay, dg 28 Aug 2024)<br />
<br />
Add the following ApplicationOverride section just before the ApplicationDefaults section:<br />
<br />
<ApplicationOverride id="wp" entityID="https://wp.YOUR-DOMAIN/shibboleth"><br />
<CredentialResolver type="File" use="signing" key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/><br />
<CredentialResolver type="File" use="encryption" key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/><br />
</ApplicationOverride><br />
<br />
3.6 Create SP metadata credentials for both sites:<br />
<br />
/usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
/usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
<br />
4. Start the shibboleth service<br />
<br />
4.1 Test the configuration first:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
<br />
4.2 (Re)start the Shibd and Apache2:<br />
<br />
# systemctl start shibd<br />
# systemctl restart apache2<br />
<br />
<br />
5. Enable Shibboleth on the Apache virtual host<br />
<br />
5.1 To enable shibboleth login on the web application add the certificate files and protect the /PATH/TO/MOODLE/auth/shibboleth/index.php by Shibboleth. They are in a /etc/apache2/sites-available/SOMETHING.conf file. Here is the format:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
5.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
<br />
6. Register the SP with the federation<br />
<br />
We have now set up Shibboleth SP for Moodle. It has to be registered with the federation so that its WAYF go to the discovery Service to point different IDP's.<br />
<br />
6.1 Download the metadata of the application<br />
<br />
You can get them by visiting the URL https://DOMAIN/Shibboleth.sso/Metadata <br />
<br />
6.2 Register the metadata with the federation<br />
<br />
Visit https://FEDERATTION/ and go to Join. You will be asked to upload the metadata on line and go through a couple of screens answering administrative questions. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
7. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
7.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
7.2 Configure the Shibboleth plug-in in Moodle<br />
<br />
The fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto the corresponding Moodle variable. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
Username: eppn<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
===Finished!===<br />
Now you may browse to https://DOMAIN/ and select your preferred IdP to log in.<br />
<br />
===How to debug<br />
<br />
<br />
==Additional notes==<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[https://incommon.org/software/shibboleth/ Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149235Shibboleth2024-09-03T17:59:50Z<p>Ratna: Added auth/shibboleth/README.txt</p>
<hr />
<div>{{Authentication}}<br />
<br />
Location: ''Site administration > Plugins: Authentication > Shibboleth'' <br />
<br />
[Shibboleth https://en.wikipedia.org/wiki/Shibboleth_(software) Wikipedia, Shibboleth_(software)] is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. <br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on [https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language SAML]. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. [Identity providers (IdP's) https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language] supply user information, while [service providers (SP's) https://en.wikipedia.org/wiki/Service_provider_(SAML)] consume this information and gate access to secure content.<br />
<br />
<br />
==README.txt==<br />
<br />
This the auth/shibboleth/README.txt file in the Moodle distribution:<br />
<br />
Shibboleth Authentication for Moodle<br />
-------------------------------------------------------------------------------<br />
<br />
Requirements:<br />
- Shibboleth Service Provider 1.3 or newer. Recommended is 2.1 or newer.<br />
See documentation for your Shibboleth federation on how to set up Shibboleth.<br />
<br />
Changes:<br />
- 11. 2004: Created by Markus Hagman<br />
- 05. 2005: Modifications to login process by Martin Dougiamas<br />
- 05. 2005: Various extensions and fixes by Lukas Haemmerle<br />
- 06. 2005: Adaptions to new field locks and plugin config structures by Martin<br />
Langhoff and Lukas Haemmerle<br />
- 10. 2005: Added better error messages and moved text to language directories<br />
- 02. 2006: Simplified authentication so that authorization works properly<br />
Added instructions for IIS<br />
- 11. 2006: User capabilities are now loaded properly as of Moodle 1.7+<br />
- 03. 2007: Adapted authentication method to Moodle 1.8<br />
- 07. 2007: Fixed a but that caused problems with uppercase usernames<br />
- 10. 2007: Removed the requirement for email address, surname and given name<br />
attributes on request of Markus Hagman<br />
- 11. 2007: Integrated WAYF Service in Moodle<br />
- 12. 2008: Shibboleth 2.x and Single Logout support added<br />
- 1. 2008: Added logout hook and moved Shibboleth config strings to utf8 auth<br />
language files.<br />
- 3. 2009: Added various improvements and bug fixes reported by Ina M�ller from<br />
university Tuebingen and Peter Ellis of University of Washington<br />
- 4. 2009: Added another requirement for logout regarding the call back script<br />
- 6. 2009: Changed handler URL when integrated Discovery Service is used<br />
- 10. 2009: Fixed HTML entity preservation in Shibboleth settings<br />
<br />
Moodle Configuration with Dual login<br />
-------------------------------------------------------------------------------<br />
1. Protect the directory moodle/auth/shibboleth/index.php with Shibboleth.<br />
The page index.php in that directory actually logs in a Shibboleth user.<br />
For Apache you have to define a rule like the following in the Apache config:<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
--<br />
<br />
To restrict access to Moodle, replace the access rule 'require valid-user'<br />
with something that fits your needs, e.g. 'require affiliation student'.<br />
<br />
For IIS you have protect the auth/shibboleth directory directly in the<br />
RequestMap of the Shibboleth configuration file (shibboleth.xml or<br />
shibboleth2.xml).<br />
<br />
--<br />
<Path name="moodle" requireSession="false" ><br />
<Path name="auth/shibboleth/index.php" requireSession="true" ><br />
<AccessControl><br />
...<br />
</AccessControl><br />
</Path><br />
</Path><br />
--<br />
<br />
Also see:<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapper and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAccessControl<br />
<br />
2. As Moodle admin, go to the 'Administrations >> Users >> Authentication' and<br />
click on the the 'Shibboleth' settings.<br />
<br />
3. Fill in the fields of the form. The fields 'Username', 'First name',<br />
'Surname', etc. should contain the name of the environment variables of the<br />
Shibboleth attributes that you want to map onto the corresponding Moodle<br />
variable (e.g. 'Shib-Person-surname' for the person's last name, refer<br />
the Shibboleth documentation or the documentation of your Shibboleth<br />
federation for information on which attributes are available).<br />
Especially the 'Username' field is of great importance because<br />
this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
#############################################################################<br />
Shibboleth Attributes needed by Moodle:<br />
For Moodle to work properly Shibboleth should at least provide the attribute<br />
that is used as username in Moodle. It has to be unique for all Shibboleth<br />
Be aware that Moodle converts the username to lowercase. So, the overall<br />
behaviour of the username will be case-insensitive.<br />
All attributes used for moodle must obey a certain length, otherwise Moodle<br />
cuts off the ends. Consult the Moodle documentation for further information<br />
on the maximum lengths for each field in the user profile.<br />
#############################################################################<br />
<br />
4.a If you want Shibboleth as your only authentication method with an external<br />
Where Are You From (WAYF) Service , set the 'Alternate Login URL' in the<br />
'Common settings' in 'Administrations >> Users >> Authentication Options'<br />
to the the URL of the file 'moodle/auth/shibboleth/index.php'.<br />
This will enforce Shibboleth login.<br />
<br />
4.b If you want to use the Moodle integrated WAYF service, you have to activate it<br />
in the Moodle Shibboleth authentication settings by checking the<br />
'Moodle WAYF Service' checkbox and providing a list of entity IDs in the<br />
'Identity Providers' textarea together with a name and an optional<br />
SessionInitiator URL, which usually is an absolute or relative URL pointing<br />
to the same host. If no SessionInitiator URL is given, the default one<br />
'/Shibboleth.sso' (only works for Shibboleth 1.3.x) will be used. For<br />
Shibboleth 2.x you have to add '/Shibboleth.sso/DS' as a SessionInitiator.<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB/SessionInitiator<br />
and https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator<br />
<br />
Important Note: If you upgraded from a previous version of Moodle and now<br />
want to use the integrated WAYF, you have to make sure that<br />
in step 1 only the index.php script in<br />
moodle/auth/shibboleth/ is protected but *not* the other<br />
scripts and especially not the login.php script.<br />
<br />
If you were using the integrated WAYF alread with Shibboleth 1.3, it could<br />
be that the integrated WAYF is not working anymore after you updated Moodle.<br />
The reason is that the implicitly set default SessionInitiator changed in<br />
Moodle as well as in Shibboleth. For Shibboleth 1.3 one therefore has to<br />
add /Shibboleth.sso as third parameter whereas this is /Shibboleth.sso/DS<br />
for Shibboleth 2.x.<br />
<br />
<br />
5. Save the changes for the 'Shibboleth settings'.<br />
<br />
Important Note: If you went for 4.b (integrated WAYF service), saving the<br />
settings will overwrite the Moodle Alternate Login URL<br />
using the Moodle web root URL.<br />
<br />
6. If you want to use Shibboleth in addition to another authentication method<br />
not using the integrated WAYF service from 4.b, change the 'Instructions' in<br />
'Administrations >> Users >> Manage authentication' to contain a link to the<br />
moodle/auth/shibboleth/index.php file which is protected by<br />
Shibboleth (see step 1.) and causes the Shibboleth login procedure to start.<br />
You can also use HTML code in that field, e.g. to include an image as a<br />
Shibboleth login button.<br />
<br />
Note: As of now you cannot use dual login together with the integrated<br />
WAYF service provided by Moodle (4.b).<br />
<br />
7. Save the authentication changes.<br />
<br />
How the Shibboleth authentication works<br />
--------------------------------------------------------------------------------<br />
To get Shibboleth authenticated in Moodle a user basically must access the<br />
Shibboleth-protected page /auth/shibboleth/index.php. If Shibboleth is the only<br />
authentication method (see 4.a), this happens automatically when a user selects<br />
his home organization in the Moodle WAYF service or if the alternate login URL<br />
is configured to be the protected /auth/shibboleth/index.php<br />
Otherwise, the user has to click on the link on the dual login page you<br />
provided in step 5.b.<br />
<br />
Moodle basically checks whether the Shibboleth attribute that you mapped<br />
as the username is present. This attribute should only be present if a user is<br />
Shibboleth authenticated.<br />
<br />
If the user's Moodle account has not existed yet, it gets automatically created.<br />
<br />
To prevent that every Shibboleth user can access your Moodle site you have to<br />
adapt the 'require valid-user' line in your webserver's config (see step 1) to<br />
allow only specific users. If you defined some authorization rules in step 1,<br />
these are checked by Shibboleth itself. Only users who met these rules<br />
actually can access /auth/shibboleth/index.php and get logged in.<br />
<br />
You can use Shibboleth AND another authentication method (it was tested with<br />
manual login). So, if there are a few users that don't have a Shibboleth<br />
login, you could create manual accounts for them and they could use the manual<br />
login. For other authentication methods you first have to configure them and<br />
then set Shibboleth as your authentication method. Users can log in only via one<br />
authentication method unless they have two accounts in Moodle.<br />
<br />
Shibboleth dual login with custom login page<br />
--------------------------------------------------------------------------------<br />
You can create a dual login page that better fits your needs. For this<br />
to work, you have to set up the two authentication methods (e.g. 'Manual<br />
Accounts' and 'Shibboleth') and specify an alternate login link to your own dual<br />
login page. On that page you basically need a link to the Shibboleth-protected<br />
page ('/auth/shibboleth/index.php') for the Shibboleth login and a<br />
form that sends 'username' and 'password' to moodle/login/index.php. Set this<br />
web page then als alternate login page.<br />
Consult the Moodle documentation for further instructions and requirements.<br />
<br />
How to customize the way the Shibboleth user data is used in Moodle<br />
--------------------------------------------------------------------------------<br />
Among the Shibboleth settings in Moodle there is a field that should contain a<br />
path to a php file that can be used as data manipulation hook.<br />
You can use this if you want to further process the way your Shibboleth<br />
attributes are used in Moodle. Due to security reasons this file cannot be<br />
located within the current site data directory ($CFG->dataroot).<br />
<br />
Example 1: Your Shibboleth federation uses an attribute that specifies the<br />
user's preferred language, but the content of this attribute is not<br />
compatible with the Moodle data representation, e.g. the Shibboleth<br />
attribute contains 'German' but Moodle needs a two letter value like<br />
'de'.<br />
Example 2: The country, city and street are provided in one Shibboleth attribute<br />
and you want these values to be used in the Moodle user profile. So<br />
You have to parse the corresponding attribute to fill the user fields.<br />
<br />
If you want to use this hook you have to be a skilled PHP programmer. It is<br />
strongly recommended that you take a look at the file<br />
moodle/auth/shibboleth/auth.php, especially the function 'get_userinfo'<br />
where this file is included.<br />
The context of the file is the same as within this login function. So you<br />
can directly edit the object $result.<br />
<br />
Example file:<br />
<br />
--<br />
<?php<br />
<br />
// Set the zip code and the adress<br />
if ($_SERVER[$this->config->field_map_address] != '')<br />
{<br />
// $address contains something like 'SWITCH$Limmatquai 138$CH-8021 Zurich'<br />
// We want to split this up to get:<br />
// institution, street, zipcode, city and country<br />
$address = $_SERVER[$this->config->field_map_address];<br />
list($institution, $street, $zip_city) = explode('$', $address);<br />
preg_match('/ (.+)/', $zip_city, $regs);<br />
$city = $regs[1];<br />
<br />
preg_match('/(.+)-/',$zip_city, $regs);<br />
$country = $regs[1];<br />
<br />
$result["address"] = $street;<br />
$result["city"] = $city;<br />
$result["country"] = $country;<br />
$result["department"] = $institution;<br />
$result["description"] = "I am a Shibboleth user";<br />
<br />
}<br />
<br />
?><br />
--<br />
<br />
How to upgrade your Service Provider to 2.x<br />
-------------------------------------------------------------------------------<br />
<br />
In case your upgrade your Service Provider 1.3.x to 2.x, be aware of the fact<br />
that in version 2.0 the default behaviour regarding attribute propagation<br />
changed.<br />
While the Service Provider 1.3.x published the Shibboleth attributes to the<br />
web server environment as HTTP Request headers, the Service Provider 2.x<br />
publishes attributes as environment variables, which increases the security for<br />
some platforms.<br />
However, this change has the effect that the attribute names change.<br />
E.g. while the surname attribute was published as 'HTTP_SHIB_PERSON_SURNAME'<br />
with 1.3.x, this attribute will be available in $_SERVER['Shib-Person-surname']<br />
or depending on your /etc/shibboleth/attribute-map.xml file just as<br />
$_SERVER['sn'].<br />
Because Moodle needs to know what Shibboleth attributes it shall map onto which<br />
Moodle user profile field, one has to make sure the mapping is updated as well<br />
after the Service Provider upgrade.<br />
<br />
********************************************************************************<br />
Because you risk locking yourself out of Moodle it is strongly<br />
recommended to use the following approach when upgrading the Service Provider:<br />
1. Enable manual authentication before the upgrade.<br />
2. Make sure that you have at least one manual account with administration<br />
privileges working before upgrading your Service Provider to 2.x.<br />
3. After the SP upgrade, use this account to log into Moodle and adapt the<br />
attribute mapping in 'Site Administration -> Users -> Shibboleth' to reflect<br />
the changed attribute names.<br />
You find the attribute names in the file /etc/shibboleth/attribute-map.xml<br />
listed as the 'id' value of an attribute definition.<br />
4. If you are using the integrated WAYF, you may have to set the third parameter<br />
of each entry to '/Shibboleth.sso/DS'<br />
5. Test the login with a Shibboleth account<br />
6. If all is working, disable manual authentication again<br />
********************************************************************************<br />
<br />
How to add logout support<br />
--------------------------------------------------------------------------------<br />
In order make Moodle support Shibboleth logout, one has to make the Shibboleth<br />
Service Provider (SP) aware of the Moodle logout capability. Only then the SP<br />
can trigger Moodle's front or back channel logout handler.<br />
<br />
To make the SP aware of the Moodle logout, you have to add the following to the<br />
Shibboleth main configuration file shibboleth2.xml (usually in /etc/shibboleth/)<br />
just before the <MetadataProvider> element.<br />
<br />
--<br />
<Notify<br />
Channel="back"<br />
Location="https://#YOUR_MOODLE_HOSTNAME#/moodle/auth/shibboleth/logout.php" /><br />
--<br />
<br />
Then restart the Shibboleth daemon and check the log file for errors. If there<br />
were no errors, you can test the logout feature by accessing Moodle,<br />
authenticating via Shibboleth and the access the URL:<br />
#YOUR_MOODLE_HOSTNAME#/Shibboleth.sso/Logout (assuming you have a standard<br />
Shibboleth installation). If everything worked well, you should see a Shibboleth<br />
page saying that you were successfully logged out and if you go back to Moodle<br />
you also should be logged out from Moodle.<br />
<br />
Requirements:<br />
- PHP needs the Soap Extension, which maybe must installed manually:<br />
More information is available here http://ch.php.net/soap<br />
- Logout only works with Shibboleth Service Provider 2.1 or higher<br />
- /moodle/auth/shibboleth/logout.php *must not* be protected by Shibboleth!<br />
In case all of Moodle is protected with Shibboleth, you have to add something<br />
like this to your Apache configuration after all the other require rules<br />
<br />
--<br />
<Directory /path/to/moodle/auth/shibboleth/logout.php><br />
AuthType shibboleth<br />
ShibRequireSession Off<br />
require shibboleth<br />
</Directory><br />
--<br />
When using IIS, the same can be achieved by something like:<br />
--<br />
<Path name="auth/shibboleth/logout.php" requireSession="false" ><br />
--<br />
in the shibboleth2.xml RequestMap.<br />
<br />
<br />
Limitations:<br />
Single Logout is only supported when SAML2 is used at the SP and the IdP.<br />
As of October 2009, the Shibboleth Identity Provider 2.1.4 does not yet support<br />
Single Logout (SLO). Therefore, the single logout feature cannot be used yet<br />
in a Shibboleth only setup but there may be other SAML2 products that could<br />
be used as Identity Provider, e.g. SimpleSAML PHP.<br />
One of the reasons why SLO isn't supported yet is because there aren't many<br />
applications yet that were adapted to support front and back channel<br />
logout. Hopefully, the Moodle logout helps to motivate the developers to<br />
implement SLO. On the other hand, the easiest and safest way to log out<br />
still is to tell users to quit their web browsers :)<br />
<br />
Also see https://wiki.shibboleth.net/confluence/display/SHIB2/SLOIssues and<br />
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator for some<br />
background information on this topic.<br />
<br />
--------------------------------------------------------------------------------<br />
In case of problems and questions with Shibboleth authentication, contact<br />
Lukas Haemmerle <lukas.haemmerle@switch.ch> or Markus Hagman <hagman@hytti.uku.fi><br />
<br />
<br />
==Shibboleth in the UK==<br />
In the UK Becta and JISC have implemented an education federation using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
==Shibboleth in Switzerland ==<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs a universal login under [https://www.switch.ch/edu-id edu-ID] for all living in Switzerland. It covers 160 institutions and 900,000 users.<br />
<br />
==A sample configuration==<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE could be /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Steps you have to follow===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Download federation metadata signing certificate<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
<br />
3. Configure the Shibboleth service provider<br />
<br />
Edit the /etc/shibboleth/shibboleth2.xml file as described below.<br />
<br />
3.1 Change the ApplicationDefaults tag to your domain<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Set the names of the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
We will generate those lms-*.pem files in step 3.6.<br />
<br />
3.5 Add a ApplicationOverride section<br />
(Note: Not necessay, dg 28 Aug 2024)<br />
<br />
Add the following ApplicationOverride section just before the ApplicationDefaults section:<br />
<br />
<ApplicationOverride id="wp" entityID="https://wp.YOUR-DOMAIN/shibboleth"><br />
<CredentialResolver type="File" use="signing" key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/><br />
<CredentialResolver type="File" use="encryption" key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/><br />
</ApplicationOverride><br />
<br />
3.6 Create SP metadata credentials for both sites:<br />
<br />
/usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
/usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
<br />
4. Start the shibboleth service<br />
<br />
4.1 Test the configuration first:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
<br />
4.2 (Re)start the Shibd and Apache2:<br />
<br />
# systemctl start shibd<br />
# systemctl restart apache2<br />
<br />
<br />
5. Enable Shibboleth on the Apache virtual host<br />
<br />
5.1 To enable shibboleth login on the web application add the certificate files and protect the /PATH/TO/MOODLE/auth/shibboleth/index.php by Shibboleth. They are in a /etc/apache2/sites-available/SOMETHING.conf file. Here is the format:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
5.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
<br />
6. Register the SP with the federation<br />
<br />
We have now set up Shibboleth SP for Moodle. It has to be registered with the federation so that its WAYF go to the discovery Service to point different IDP's.<br />
<br />
6.1 Download the metadata of the application<br />
<br />
You can get them by visiting the URL https://DOMAIN/Shibboleth.sso/Metadata <br />
<br />
6.2 Register the metadata with the federation<br />
<br />
Visit https://FEDERATTION/ and go to Join. You will be asked to upload the metadata on line and go through a couple of screens answering administrative questions. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
7. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
7.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
7.2 Configure the Shibboleth plug-in in Moodle<br />
<br />
The fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto the corresponding Moodle variable. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
Username: eppn<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
===Finished!===<br />
Now you may browse to https://DOMAIN/ and select your preferred IdP to log in.<br />
<br />
===How to debug<br />
<br />
<br />
==Additional notes==<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[http://shibboleth.internet2.edu Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[de:Shibboleth-Server]]<br />
[[es:Shibboleth]]<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149230Shibboleth2024-09-03T13:46:19Z<p>Ratna: Added the section "A sample configuration", an initial draft</p>
<hr />
<div>{{Authentication}}<br />
{{Update}}<br />
Location: Settings link in ''Settings > Site administration > Plugins > Authentication > Manage authentication'' <br />
<br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on SAML. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. Identity providers (IdP's) supply user information, while service providers (SP's) consume this information and gate access to secure content.<br />
<br />
Source: [https://en.wikipedia.org/wiki/Shibboleth_(software) Wikipedia, Shibboleth_(software)]<br />
<br />
==Configuring Moodle to use Shibboleth==<br />
<br />
The auth/shibboleth/README.txt file in the in your Moodle distribution contains set-up instructions. Your web server might allow to view it in browser under YOURSITE/auth/shibboleth/README.txt.<br />
<br />
==Shibboleth in the UK==<br />
In the UK Becta and JISC have implemented an education federation using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
==Shibboleth in Switzerland ==<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs a universal login under [https://www.switch.ch/edu-id edu-ID] for all living in Switzerland. It covers 160 institutions and 900,000 users.<br />
<br />
==A sample configuration==<br />
<br />
===Notation===<br />
- The expressions in all caps are placeholders for their actual values. For example /PATH/TO/MOODLE could be /var/www/html/moodle in your server.<br />
<br />
- The '#' in shell commands in the form '# COMMAND" means the COMMAND needs to be run as the super-user. It could be the user 'root' or a different user having sudo privileges. In the latter case he should prepend the command with sudo, as in '$ sudo COMMAND'. The '$' in that command denotes it is a non-privileged user.<br />
<br />
===Prerequisites===<br />
- You have your Moodle site running on Debian GNU/Linux or any of its derivatives like Ubuntu Linux.<br />
<br />
- This documentation assumes that your Linux distribution uses the system manager Systemd. But you can easily change the commands for a different init system, typically SysV or Upstart.<br />
<br />
- You are running the web server Apache2.<br />
<br />
- Your site serves HTTPS on its default port 443. We write its URL as https://DOMAIN, where DOMAIN stands for your the domain name of your Moodle server. So if the URL of your Moodle is https://lms.example.com/ then DOMAIN is lms.example.com.<br />
<br />
===Steps you have to follow===<br />
1. Install the Shibboleth module for Apache2<br />
<br />
Install the Debian package libapache2-mod-shib, which contains the Apache module for Shibboleth service providers (SP) and its supporting Shib daemon:<br />
<br />
# apt install libapache2-mod-shib --no-install-recommends<br />
<br />
It will create a directory /etc/shibboleth with a default set of configuration files and also install the system service shib.<br />
<br />
2. Download federation metadata signing certificate<br />
<br />
# wget https://FEDERATIONREGISTRY/signedmetadata/metadata-signer -O /etc/shibboleth/federation-cert.pem<br />
<br />
<br />
3. Configure the Shibboleth service provider<br />
<br />
Edit the /etc/shibboleth/shibboleth2.xml file as described below.<br />
<br />
3.1 Change the ApplicationDefaults tag to your domain<br />
<br />
<ApplicationDefaults entityID="https://DOMAIN/shibboleth"<br />
REMOTE_USER="eppn subject-id pairwise-id persistent-id"<br />
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"><br />
<br />
Notice that the end of the ApplicationDefaults tag is way below. So don't add one here!<br />
<br />
3.2 Set the discovery server<br />
<br />
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://DISCOVERYSERVER"><br />
SAML2<br />
</SSO><br />
<br />
3.3 Set the MetadataProvider<br />
<br />
<MetadataProvider type="XML" url="https://METADATAPROVIDER/signedmetadata/metadata.xml" legacyOrgName="true" backingFilePath="test-metadata.xml" maxRefreshDelay="7200"><br />
<br />
<MetadataFilter type="Signature" certificate="federation-cert.pem" verifyBackup="false" /><br />
<br />
<MetadataFilter type="RequireValidUntil" maxValidityInterval="864000" /><br />
</MetadataProvider><br />
<br />
3.4 Set the names of the key and certificate files<br />
<br />
<CredentialResolver type="File" use="signing" key="lms-signing-key.pem" certificate="lms-signing-cert.pem" /><br />
<CredentialResolver type="File" use="encryption" key="lms-encrypt-key.pem" certificate="lms-encrypt-cert.pem" /><br />
<br />
We will generate those lms-*.pem files in step 3.6.<br />
<br />
3.5 Add a ApplicationOverride section<br />
(Note: Not necessay, dg 28 Aug 2024)<br />
<br />
Add the following ApplicationOverride section just before the ApplicationDefaults section:<br />
<br />
<ApplicationOverride id="wp" entityID="https://wp.YOUR-DOMAIN/shibboleth"><br />
<CredentialResolver type="File" use="signing" key="wp-signing-key.pem" certificate="wp-signing-cert.pem"/><br />
<CredentialResolver type="File" use="encryption" key="wp-encrypt-key.pem" certificate="wp-encrypt-cert.pem"/><br />
</ApplicationOverride><br />
<br />
3.6 Create SP metadata credentials for both sites:<br />
<br />
/usr/sbin/shib-keygen -n lms-signing -e https://DOMAIN/shibboleth<br />
/usr/sbin/shib-keygen -n lms-encrypt -e https://DOMAIN/shibboleth<br />
<br />
<br />
4. Start the shibboleth service<br />
<br />
4.1 Test the configuration first:<br />
<br />
# shibd -t /etc/shibboleth/shibboleth2.xml<br />
<br />
4.2 (Re)start the Shibd and Apache2:<br />
<br />
# systemctl start shibd<br />
# systemctl restart apache2<br />
<br />
<br />
5. Enable Shibboleth on the Apache virtual host<br />
<br />
5.1 To enable shibboleth login on the web application add the certificate files and protect the /PATH/TO/MOODLE/auth/shibboleth/index.php by Shibboleth. They are in a /etc/apache2/sites-available/SOMETHING.conf file. Here is the format:<br />
<br />
<IfModule mod_ssl.c><br />
<VirtualHost *:443><br />
<br />
ServerName DOMAIN<br />
ServerAdmin YOU@DOMAIN<br />
DocumentRoot /PATH/TO/MOODLE<br />
<br />
ErrorLog ${APACHE_LOG_DIR}/DOMAIN-error.log<br />
CustomLog ${APACHE_LOG_DIR}/DOMAIN-access.log combined<br />
<br />
SSLCertificateFile /etc/ssl/certs/ssl-DOMAIN.crt<br />
SSLCertificateKeyFile /etc/ssl/private/ssl-DOMAIN.key<br />
<br />
<Location /moodle><br />
# just comment out<br />
# ShibRequestSetting applicationId mdl<br />
</Location><br />
<br />
<Directory /PATH/TO/MOODLE/auth/shibboleth/index.php><br />
AuthType shibboleth<br />
# just comment out the next line and add the two lines below that<br />
# ShibRequestSetting applicationId mdl<br />
ShibRequireSession On<br />
require valid-user<br />
</Directory><br />
</VirtualHost><br />
</IfModule><br />
<br />
5.2 Activate Shibd and reload Apache<br />
<br />
# a2enmod shib<br />
# systemctl reload apache2.service <br />
<br />
<br />
6. Register the SP with the federation<br />
<br />
We have now set up Shibboleth SP for Moodle. It has to be registered with the federation so that its WAYF go to the discovery Service to point different IDP's.<br />
<br />
6.1 Download the metadata of the application<br />
<br />
You can get them by visiting the URL https://DOMAIN/Shibboleth.sso/Metadata <br />
<br />
6.2 Register the metadata with the federation<br />
<br />
Visit https://FEDERATTION/ and go to Join. You will be asked to upload the metadata on line and go through a couple of screens answering administrative questions. Follow the instructions on the screens.<br />
<br />
Once the federation operator approves your request you will receive a SP registration link.<br />
<br />
<br />
7. Enable and configure the Shibboleth plug-in in Moodle<br />
<br />
Once you've registered successfully you have to configure the Shibboleth plug-in in Moodle. For that Moodle you have to enable it first.<br />
<br />
7.1 Enable the Shibboleth plug-in in Moodle<br />
<br />
As Moodle admin, go to the Site administration > Plugins > Authentication and enable Shibboleth by clicking on the "eye". <br />
<br />
7.2 Configure the Shibboleth plug-in in Moodle<br />
<br />
The fields 'Username', 'First name', 'Surname', etc. should contain the name of the environment variables of the Shibboleth attributes that you want to map onto the corresponding Moodle variable. Especially the 'Username' field is of great importance because this attribute is used for the Moodle authentication of Shibboleth users.<br />
<br />
Username: eppn<br />
<br />
Moodle WAYF service: No<br />
<br />
Identity providers (auth_shibboleth | organization_selection): Delete everything in the box<br />
<br />
Shibboleth Service Provider logout handler URL: /Shibboleth.sso/Logout<br />
<br />
Data mapping (First name): givenName<br />
<br />
Data mapping (Surname): sn<br />
<br />
Data mapping (Email address): mail<br />
<br />
In all three set Update local to On every login and Lock value to Unlocked if empty.<br />
<br />
And save. The change will be immediately active, no need to restart any service!<br />
<br />
===Finished!===<br />
Now you may browse to https://DOMAIN/ and select your preferred IdP to log in.<br />
<br />
===How to debug<br />
<br />
<br />
==Additional notes==<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[http://shibboleth.internet2.edu Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]<br />
[[de:Shibboleth-Server]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149198Shibboleth2024-08-24T22:21:35Z<p>Ratna: </p>
<hr />
<div>{{Authentication}}<br />
{{Update}}<br />
Location: Settings link in ''Settings > Site administration > Plugins > Authentication > Manage authentication'' <br />
<br />
<br />
Shibboleth is a middleware architecture and an open-source implementation created by the [https://en.wikipedia.org/wiki/Internet2 Internet2] consortium, for federated identity-based authentication and authorization infrastructure based on SAML. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. Identity providers (IdP's) supply user information, while service providers (SP's) consume this information and gate access to secure content.<br />
<br />
Source: [https://en.wikipedia.org/wiki/Shibboleth_(software) Wikipedia, Shibboleth_(software)]<br />
<br />
==Configuring Moodle to use Shibboleth==<br />
<br />
The auth/shibboleth/README.txt file in the in your Moodle distribution contains set-up instructions. Your web server might allow to view it in browser under YOURSITE/auth/shibboleth/README.txt.<br />
<br />
==Shibboleth in the UK==<br />
In the UK Becta and JISC have implemented an education federation using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
==Shibboleth in Switzerland ==<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs a universal login under [https://www.switch.ch/edu-id edu-ID] for all living in Switzerland. It covers 160 institutions and 900,000 users.<br />
<br />
==Additional notes==<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[http://shibboleth.internet2.edu Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]<br />
[[de:Shibboleth-Server]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Shibboleth&diff=149197Shibboleth2024-08-24T22:12:34Z<p>Ratna: </p>
<hr />
<div>{{Authentication}}<br />
{{Update}}<br />
Location: Settings link in ''Settings > Site administration > Plugins > Authentication > Manage authentication'' <br />
<br />
<br />
Shibboleth is an Internet2 Middleware Initiative project that has created an architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on SAML. Federated identity allows for information about users in one security domain to be provided to other organizations in a common federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. Identity providers (IdP's) supply user information, while service providers (SP's) consume this information and gate access to secure content.<br />
<br />
Source: [https://en.wikipedia.org/wiki/Shibboleth_(software) Wikipedia, Shibboleth_(software)]<br />
<br />
==Configuring Moodle to use Shibboleth==<br />
<br />
The auth/shibboleth/README.txt file in the in your Moodle distribution contains set-up instructions. Your web server might allow to view it in browser under YOURSITE/auth/shibboleth/README.txt.<br />
<br />
==Shibboleth in the UK==<br />
In the UK Becta and JISC have implemented an education federation using Shibboleth to provide single sign on. This means that education establishments in the UK using Moodle should be able to authenticate their users via Shibboleth if their organization joins the UK Access Management Federation and their users' identity is held by the identity provider the LA/RBC use. For maintained schools in the England and Wales this will probably mean contacting their Local Authority or Regional Broadband Consortium (RBC). A list of current UK federation members can be found [http://www.ukfederation.org.uk/content/Documents/MemberList here].<br />
<br />
==Shibboleth in Switzerland ==<br />
In Switzerland the [https://switch.ch/ SWITCH Foundation] runs a universal login under [https://www.switch.ch/edu-id edu-ID] for all living in Switzerland. It covers 160 institutions and 900,000 users.<br />
<br />
==Additional notes==<br />
Some IdPs will only share a minimal set of user fields with your Moodle SP, which can cause problems:<br />
*Moodle errors relating to missing Shibboleth fields can be fixed by altering the data mappings within the Shibboleth authentication plugin, and ensuring that fields are not locked. The user will be asked to manually provide data if Shibboleth does not automatically provide the corresponding information.<br />
*Moodle errors relating to invalid characters in username can be fixed by Allowing extended characters in usernames (found under Security > Site policies).<br />
<br />
==External links==<br />
*[http://shibboleth.internet2.edu Shibboleth Internet2 Website]<br />
*[http://www.ukfederation.org.uk/ UK Access Management Federation for Education and Research]<br />
*[http://www.ukfederation.org.uk/content/Documents/AttributeUsage Current Core Attributes for the UK Federation]<br />
<br />
[[fr:Shibboleth]]<br />
[[ja:Shibboleth]]<br />
[[de:Shibboleth-Server]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Effective_quiz_practices&diff=145782Effective quiz practices2023-03-30T00:41:46Z<p>Ratna: </p>
<hr />
<div>{{Quiz}}<br />
As we’ve seen, Moodle quiz engine is a powerful, flexible tool for monitoring and diagnosing student performance with certain types of knowledge. Using this tool effectively can boost your course's effectiveness, and promote student performance. While a computer-scored quiz is a different performance than more open-ended assessments, it does give a valuable window onto student thinking, especially when you use good strategies, and a little creativity.<br />
<br />
==Quiz strategies==<br />
Of course, using the quiz engine effectively takes some work and practice. The first thing to do is to use effective question design strategies. If you ask good questions, you'll get useful data about your students’ performance and understanding of the material. Of course, the converse is also true. There is a ton of literature about effective assessment design available. I'll just highlight a few of the most important ideas.<br />
*Tie each question to a course goal. After all, you want to know whether your students are achieving the goals of the course, so why not ask them directly?<br />
*Try to ask multiple questions about each important idea in the class. This gives you more data points about student understanding.<br />
*When writing a multiple-choice question, be sure each wrong answer represents a common mis-conception. This will help you diagnose student thinking and eliminate easy guessing. <br />
*Write questions requiring your students to think at different levels. Include some recall questions, some comprehension questions and some application and analysis questions. You can determine where students are having problems in their thinking. Can they recall the material, but not apply it?<br />
*Test your questions. After you've established an initial question bank, use the system reports to determine which questions are useful, and which aren't. As you write new questions, give them a lower point value and throw in a few to establish their reliability.<br />
<br />
Once you've got a few well-written test banks, be sure to use the [[quiz reports]] and statistics to monitor your classes performance. The detailed reports and statistics available to you are valuable tools for understanding student understanding of the material.<br />
<br />
==Creative quiz uses==<br />
With the Moodle quiz engine, it's easier to utilize educationally sound assessment strategies which would be too difficult to implement with paper and pencil. <br />
<br />
===Formative assessment and summative assessment===<br />
Most people think of tests as an infrequent, high-stakes activity, like mid-terms and finals ([https://en.wikipedia.org/wiki/Summative_assessment summative assessment]). Better strategies involve frequent, low-stakes ([https://en.wikipedia.org/wiki/Formative_assessment formative assessments]) that you and your students can use to guide their performance during the course of the semester. <br />
<br />
Creating a series of small mini-tests gives you a very flexible system for gauging performance and keeping students engaged in the class. Here are a few ideas for quick quizzes you can use as part of a larger assessment strategy.<br />
<br />
===Chapter checks===<br />
Getting students to complete reading assignments has to be one of the hardest motivational tasks in education. Reading is critical to understanding most material, and fundamental to success in many classes. The problem for most students is there is no immediate reward or punishment for procrastinating on a reading assignment. If you haven't done the reading for a class discussion, you can either keep quiet, or, as I used to do occasionally, wing it by skimming in class. If you have a lecture course, there's almost no need to do the reading as the lecturer usually covers most of the material in class anyway. <br />
<br />
Creating a little mini-test for each reading assignment solves a number of problems. First, it encourages students to do the reading so they can do well on the quiz. Second, it gives the students feedback on how well they understood the reading assignment. Third, it gives you data about what aspects of the reading students found confusing, and which they have already mastered so you can focus your class activities.<br />
<br />
For a reading mini-test, I would recommend setting a limited time quiz students can only take once. Because it's a low-stakes activity you want students to use for self-assessment, I would also display feedback and correct answers. If you're concerned about students sharing answers after they've taken the quiz, randomize the question and answer order. If you have a test bank, make some of the questions random as well. As an additional assignment, students should write down one question about a question they got wrong, and bring it to class.<br />
<br />
===Test practice===<br />
The key to effective practice is to have a realistic practice environment. Many students worry about tests, especially high-stakes tests, because they have no idea what to expect. What question format will you use? How detailed will the questions be? What should they study?<br />
<br />
You can help alleviate test anxiety by creating a practice test students can take to help answer these questions. These tests are usually based on old questions similar to the current test questions. Use last year's final as an example test, which will force you into the practice of writing new questions every year. This is a good idea anyway, as you can be sure someone has a copy of last year's test they are sharing with others.<br />
<br />
To set up a practice test, I'd create a zero point test with questions from the year before in random order with random answers. I would also allow students to take the test as many times as they’d like so they can test themselves as much as they need. Display feedback, but not correct answers so it presents more of a challenge.<br />
<br />
[[Gamification]] may be used for quiz practice. See the [[Quizventure activity]].<br />
<br />
===Data gathering===<br />
<br />
As an expert, you know a lot about your field. Your challenge as a teacher is to translate your knowledge for a novice who doesn't share your conceptual structure or experience. An example or lecture you think is brilliant may leave your students completely confused. It can be hard to tell what students really understand and what's leaving them baffled.<br />
<br />
A data-gathering quiz is similar to a chapter check, but it takes place after a class meeting or lecture. Your goal is to quickly get some feedback on student understanding of a lecture. What did they really understand? What do you need to spend more time on? I’ve found many instructors have trouble gauging what students find difficult, and what the students find so easy they are bored. <br />
<br />
Setting up a post-class data-gathering quiz is similar to creating a chapter check. Set the quiz for a limited time, like a day or two before the next meeting. Allow them to take it once and display feedback and correct answers. <br />
<br />
==Quiz security and cheating==<br />
<br />
Of course, online testing also presents another chance for the cheaters in your classes to try to game the system. Most online quizzes are meant to be taken at home, or at least outside of class. Students can download the questions and print them out. They can take the tests with other students, or while reading their textbooks.<br />
<br />
Fortunately, you can counter many of these strategies, making them more trouble than they are worth to the students. Let's look at a few strategies for countering most cheating schemes<br />
<br />
===Printing and sharing questions===<br />
If you display feedback and correct answers, students can print the results page and share it with their friends. Or they can simply print the questions themselves directly from the quiz. The key to discouraging this behavior is to randomize the question order and the answer order. It makes the printouts a lot less useful. Creating larger question banks and giving tests with random subsets is also an effective strategy. If students can only print a small number of questions at a time, they will need to view the test again and again, then sort the questions to eliminate duplicates. <br />
<br />
<blockquote>Warning: Assume there will be printed copies of your questions available to students who want them. Most instructors don’t realize students frequently have copies of old paper based tests, and electronic test delivery is another way for students to get copies of the questions. I know one professor who had over 1100 questions in his online test bank. At the end of the semester, he confiscated a printout from a student. It had every question with the correct answer, neatly formatted and divided by textbook chapter. We decided if students wanted to memorize 1100 questions and answers to the level where they could answer a small number of them displayed at random, then they would have learned more than if they had just studied. Of course, we used timed quizzes and other strategies to minimize using the print-out as a reference manual.</blockquote><br />
<br />
If you activate the '''[[Safe Exam Browser]]''' settings and allow students only to take the quiz with this open-source lock-down browser, students cannot download or print the questions at all. But this setting add the hurdles that students have to install an additional (open-source) software on their devices.<br />
<br />
===Using the textbook===<br />
Students will frequently look up the answer to questions in the textbook or a reading. If you are giving a chapter check quiz, then this is what you want them to do. Otherwise, you need to come up with creative ways of making the textbook less directly useful. Timed quizzes are the single most effective tool for eliminating this strategy. A timed quiz requires the students answer the questions in a certain amount of time. If you give enough questions and make the time short enough, they won't have time to look up all the answers. I usually give about 30 seconds per multiple-choice question. If they answer them faster and have time to look up some answers afterward, I figure they knew enough to deserve to look up an answer or two.<br />
<br />
Asking students to apply their knowledge to novel situation can also make a difference. Synthesis and application questions can't be looked up. Students have to understand the material and apply it creatively to answer the questions. So while they may take the time to review the text, they will still need to try to understand what they've read to successfully answer the question.<br />
<br />
===Working with friends===<br />
If your students are on the same campus, they may get together in a lab and try to take the quiz together. This is an easy strategy to thwart with random question order, random answer order and questions randomly pulled from a test bank. If my screen doesn't look like yours, then it's harder for us to quickly answer all of the questions. A timed quiz also makes it harder for the two of us to cheat if we have different questions and we only have a short amount of time to answer.<br />
<br />
===Have someone else take the test===<br />
The old adage goes “On the Internet, no one knows you’re a dog”, and no one knows who is actually taking the test. Students will sometimes pay classmates, or others who have taken the course in the past, to take online quizzes for them. There are two ways to counter this strategy. One, have an occasional proctored exam where students need to show ID. If they haven't taken the quizzes or done the work until then, they will do poorly on the proctored exam. To eliminate current classmates from taking each other's quizzes, only make them available for a short time. You could require everyone take the test within a 2- or 4-hour block. If the test is properly randomized, it will be very difficult to take it more than once during the testing period. The test taker will worry about their own grade first, then about their employer's grade.<br />
<br />
Obviously, there are many strategies students can use to cheat. While it would be naïve to assume there isn't cheating, the vast majority of your students want to succeed on their own merits. The anonymity of the online environment may open up new avenues for the cheaters, but it's not really much different from your face-to-face classes. A few people will go to great lengths to cheat, but most will be honest as long as it's not too easy to get away with it. A few precautions will eliminate most of the easy cheats, and the classic strategies will work for the others.<br />
<br />
==Robust testing with random variants==<br />
<br />
This section describes a good way to help minimise the potential for cheating, and increase the opportunity for students to learn from the feedback by repeated attempts at the quiz. The basic idea is to take each particular question that you were thinking of, and make several slight variants of it. Then use Moodle's random question feature, so that each student gets one of the variants picked at random.<br />
<br />
===An example===<br />
<br />
A good example of this (although not in Moodle) can be seen at https://students.open.ac.uk/openmark/mu120.m5omdemo/. Take that test once, making a rough note of the questions you are asked. Then after you have done 'End test', do 'Restart entire test' and see that you are asked a different set of questions that have different answers, although they test the same knowledge. This sort of strategy is easier to implement in some subjects than in others.<br />
<br />
===How to set this up in Moodle===<br />
<br />
Suppose we are going to create a quiz with 6 questions about interpreting diagrams (that is, we are going to try to clone the OpenMark example above). For the fourth question, the closest we will be able to get would be [https://moodle.org/plugins/qtype_ddmarker the Image target question type from the Modules and plugins database].<br />
<br />
====1. Create a category for each 'question' in the quiz====<br />
<br />
As you can see from the screen shot, I have created six appropriately named categories, all neatly grouped inside a parent category. You do this on the 'Categories' tab of the question bank interface.<br />
<br />
[[Image:Variants_categories.png]]<br />
<br />
====2. Create the first variant of the first question====<br />
<br />
Create the first variant of the first question, just like you would create any other Moodle question.<br />
<br />
In our example, this might be an Embedded answers (Cloze) question type. The question text might be:<br />
<br />
:Below is a plan of a proposed garden. The scale is that each division in the plan represents a length in the garden of 0.5 metres. What is the proposed length and width of the Patio in the garden? <br />
: [[Image:Variants_flowerbed.gif]]<br />
: The Patio is {''CLOZE syntax''} metres by {''CLOZE syntax''} metres.<br />
<br />
====3. Create the other variants of the first question====<br />
<br />
To easily create a variant, click the duplicate icon next to the first question, then make the changes you need to turn it into the second variant and save it. Repeat this process to create as many variants as you want. <br />
<br />
In our example, we might change the word Patio, and the scale factor each division represents 0.5 metres. We would also need to change the answers and the associated feedback in the {''CLOZE syntax''} bits.<br />
<br />
====4. Repeat 2. and 3. for the other questions====<br />
<br />
The screen shots show the variants of the third question. This one is a bit more of a pain to set up, because each variant will use a different image of a pie chart, so there is a bit more editing to do, and more files to upload to the course files area.<br />
<br />
[[Image:Variants_questionsincat.png]]<br />
<br />
====5. Add the questions to the quiz====<br />
<br />
Once you have created all the questions, add them to the quiz using the 'Add random question' feature. Select the first category (Reading a plan variants). Ensure 'Display questions from sub-categories too' is off. Use the controls at the bottom to Add 1 random question to the quiz.<br />
<br />
Repeat for each of the other categories in order.<br />
<br />
[[Image:Variants_quiz.png]]<br />
<br />
===Creating variant questions in Atto===<br />
In 2016, a new additional plugin, the [[Cloze editor for Atto]] has a 'Duplicate' button, that allows you to easily and quickly create many question variants.<br />
<br />
===Comments===<br />
<br />
Obviously this is more work to set up (although not three times as much work as creating one quiz). It is up to you to do the cost benefit analysis for your particular quiz. Note that once you have set this up, you are more likely to be able to reuse quizzes in future, because you have reduced the potential for simple copying of answers.<br />
<br />
As an alternative to 'Save as new question', you can use Moodle's import and export formats, and copy and paste in your text editor to create variants.<br />
<br />
One issue you have to worry about is, are all the variants you have made of each question really equally difficult? Moodle 2.0 will feature a new Statistics report which should help you analyse your quiz results to see how difficult each variant is.<br />
<br />
Experience shows that 'a few variants' can normally be taken to be 3 variants. This is enough to ensure that two students working at neighbouring computers will mostly get different questions to each other. More is better (providing you can ensure equal difficulty) but is more work, so you get diminishing returns.<br />
<br />
(This section expands some of the advice above under [[#Printing and sharing questions|Printing and sharing questions]]. It also describes how most online assessments at the Open University are constructed. The [[calculated question type]] is sometimes another way to implement quizzes like this.)<br />
<br />
==Certainty Based Marking==<br />
* To make students think about how reliable their answer is.<br />
* To encourage students to try to understand the issues, not just react immediately to a question.<br />
* To challenge: if a student won't risk losing marks if wrong then they don't really know the answer.<br />
* If a student is a careful thinker but not very confident. they will gain in confidence.<br />
* It is more fair - a thoughtful and confident correct answer deserves more marks than a lucky hunch.<br />
* Students need to pay attention if they make confident wrong answers: think, reflect, learn!<br />
* Efficient study requires constantly questioning how our ideas arise and how reliable they are.<br />
<br />
See [[Using certainty-based marking]].<br />
<br />
==Proctored exams==<br />
* As a start, check the info in this discussion: https://moodle.org/mod/forum/discuss.php?d=399255#p1610674. Use advance search for the forums, as there has been a bunch of discussion in 2020 about this subject.<br />
<br />
* One of the better solutions seen recently for lockdown testing, was a combination of things:<br />
**Use of the safe browser and have the proctor call the student via some form of video call. <br />
**Have the student show the proctor their computer setup and the room the test will be taken in. <br />
**Then, have the student set up the phone in a position showing the student and their computer screen, as best they can from across the room. <br />
**This allows the proctor to watch and hopefully, see any attempts to cheat.<br />
<br />
==See also==<br />
<br />
* [[Safe exam browser]] The Safe Exam Browser can work with Moodle to control what a student can do when in Moodle. To use it, it must be enabled the [[Quiz settings]]. This adds some additional options which could be chosen directly in the quiz settings. <br />
<br />
Forum discussions:<br />
* [https://moodle.org/mod/forum/discuss.php?d=399255#p1610674 Implementing remotely invigilated online exams at scale] - The key lessons and successes of the University of New England's experience in implementing large scale remotely invigilated (proctored) online exams<br />
* [http://moodle.org/mod/forum/discuss.php?d=141003 How do you keep people from cheating while taking a quiz?]<br />
* [https://moodle.org/mod/forum/discuss.php?d=271100#p1168345 User dependent locking and unlocking of quizzes]<br />
<br />
External links:<br />
* [https://www.openlms.net/blog/products/30-tips-for-creating-quiz-questions-lms/ 30 tips for creating quiz questions] by Rebecca DeSantis, MSIT, Moodlerooms Instructional Designer<br />
* [https://www.alfiekohn.org/article/whos-cheating/ Who is Cheating Whom] article<br />
* [https://www.ohsu.edu/sites/default/files/2019-03/Teacher%20section%20NBME%20Constructing%20Written%20Test%20questions%20for%20the%20basic%20and%20clinical%20sciences.pdf Constructing written test questions for the basic and clinical sciences] - by the National Board of Medical Examiners (USA)<br />
<br />
[[es:Prácticas Eficaces en los Exámenes]]<br />
[[de:Tests effektiv durchführen]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Effective_quiz_practices&diff=145781Effective quiz practices2023-03-30T00:30:39Z<p>Ratna: </p>
<hr />
<div>{{Quiz}}<br />
As we’ve seen, Moodle quiz engine is a powerful, flexible tool for monitoring and diagnosing student performance with certain types of knowledge. Using this tool effectively can boost your course's effectiveness, and promote student performance. While a computer-scored quiz is a different performance than more open-ended assessments, it does give a valuable window onto student thinking, especially when you use good strategies, and a little creativity.<br />
<br />
==Quiz strategies==<br />
Of course, using the quiz engine effectively takes some work and practice. The first thing to do is to use effective question design strategies. If you ask good questions, you'll get useful data about your students’ performance and understanding of the material. Of course, the converse is also true. There is a ton of literature about effective assessment design available. I'll just highlight a few of the most important ideas.<br />
*Tie each question to a course goal. After all, you want to know whether your students are achieving the goals of the course, so why not ask them directly?<br />
*Try to ask multiple questions about each important idea in the class. This gives you more data points about student understanding.<br />
*When writing a multiple-choice question, be sure each wrong answer represents a common mis-conception. This will help you diagnose student thinking and eliminate easy guessing. <br />
*Write questions requiring your students to think at different levels. Include some recall questions, some comprehension questions and some application and analysis questions. You can determine where students are having problems in their thinking. Can they recall the material, but not apply it?<br />
*Test your questions. After you've established an initial question bank, use the system reports to determine which questions are useful, and which aren't. As you write new questions, give them a lower point value and throw in a few to establish their reliability.<br />
<br />
Once you've got a few well-written test banks, be sure to use the [[quiz reports]] and statistics to monitor your classes performance. The detailed reports and statistics available to you are valuable tools for understanding student understanding of the material.<br />
<br />
==Creative quiz uses==<br />
With the Moodle quiz engine, it's easier to utilize educationally sound assessment strategies which would be too difficult to implement with paper and pencil. <br />
<br />
===Formative assessment and summative assessment===<br />
Most people think of tests as an infrequent, high-stakes activity, like mid-terms and finals ([https://en.wikipedia.org/wiki/Summative_assessment summative assessment]). Better strategies involve frequent, low-stakes ([https://en.wikipedia.org/wiki/Formative_assessment formative assessments]) that you and your students can use to guide their performance during the course of the semester. <br />
<br />
Creating a series of small mini-tests gives you a very flexible system for gauging performance and keeping students engaged in the class. Here are a few ideas for quick quizzes you can use as part of a larger assessment strategy.<br />
<br />
===Chapter checks===<br />
Getting students to complete reading assignments has to be one of the hardest motivational tasks in education. Reading is critical to understanding most material, and fundamental to success in many classes. The problem for most students is there is no immediate reward or punishment for procrastinating on a reading assignment. If you haven't done the reading for a class discussion, you can either keep quiet, or, as I used to do occasionally, wing it by skimming in class. If you have a lecture course, there's almost no need to do the reading as the lecturer usually covers most of the material in class anyway. <br />
<br />
Creating a little mini-test for each reading assignment solves a number of problems. First, it encourages students to do the reading so they can do well on the quiz. Second, it gives the students feedback on how well they understood the reading assignment. Third, it gives you data about what aspects of the reading students found confusing, and which they have already mastered so you can focus your class activities.<br />
<br />
For a reading mini-test, I would recommend setting a limited time quiz students can only take once. Because it's a low-stakes activity you want students to use for self-assessment, I would also display feedback and correct answers. If you're concerned about students sharing answers after they've taken the quiz, randomize the question and answer order. If you have a test bank, make some of the questions random as well. As an additional assignment, students should write down one question about a question they got wrong, and bring it to class.<br />
<br />
===Test practice===<br />
The key to effective practice is to have a realistic practice environment. Many students worry about tests, especially high-stakes tests, because they have no idea what to expect. What question format will you use? How detailed will the questions be? What should they study?<br />
<br />
You can help alleviate test anxiety by creating a practice test students can take to help answer these questions. These tests are usually based on old questions similar to the current test questions. Use last year's final as an example test, which will force you into the practice of writing new questions every year. This is a good idea anyway, as you can be sure someone has a copy of last year's test they are sharing with others.<br />
<br />
To set up a practice test, I'd create a zero point test with questions from the year before in random order with random answers. I would also allow students to take the test as many times as they’d like so they can test themselves as much as they need. Display feedback, but not correct answers so it presents more of a challenge.<br />
<br />
[[Gamification]] may be used for quiz practice. See the [[Quizventure activity]].<br />
<br />
===Data gathering===<br />
<br />
As an expert, you know a lot about your field. Your challenge as a teacher is to translate your knowledge for a novice who doesn't share your conceptual structure or experience. An example or lecture you think is brilliant may leave your students completely confused. It can be hard to tell what students really understand and what's leaving them baffled.<br />
<br />
A data-gathering quiz is similar to a chapter check, but it takes place after a class meeting or lecture. Your goal is to quickly get some feedback on student understanding of a lecture. What did they really understand? What do you need to spend more time on? I’ve found many instructors have trouble gauging what students find difficult, and what the students find so easy they are bored. <br />
<br />
Setting up a post-class data-gathering quiz is similar to creating a chapter check. Set the quiz for a limited time, like a day or two before the next meeting. Allow them to take it once and display feedback and correct answers. <br />
<br />
==Quiz security and cheating==<br />
<br />
Of course, online testing also presents another chance for the cheaters in your classes to try to game the system. Most online quizzes are meant to be taken at home, or at least outside of class. Students can download the questions and print them out. They can take the tests with other students, or while reading their textbooks.<br />
<br />
Fortunately, you can counter many of these strategies, making them more trouble than they are worth to the students. Let's look at a few strategies for countering most cheating schemes<br />
<br />
===Printing and sharing questions===<br />
If you display feedback and correct answers, students can print the results page and share it with their friends. Or they can simply print the questions themselves directly from the quiz. The key to discouraging this behavior is to randomize the question order and the answer order. It makes the printouts a lot less useful. Creating larger question banks and giving tests with random subsets is also an effective strategy. If students can only print a small number of questions at a time, they will need to view the test again and again, then sort the questions to eliminate duplicates. <br />
<br />
<blockquote>Warning: Assume there will be printed copies of your questions available to students who want them. Most instructors don’t realize students frequently have copies of old paper based tests, and electronic test delivery is another way for students to get copies of the questions. I know one professor who had over 1100 questions in his online test bank. At the end of the semester, he confiscated a printout from a student. It had every question with the correct answer, neatly formatted and divided by textbook chapter. We decided if students wanted to memorize 1100 questions and answers to the level where they could answer a small number of them displayed at random, then they would have learned more than if they had just studied. Of course, we used timed quizzes and other strategies to minimize using the print-out as a reference manual.</blockquote><br />
<br />
If you activate the '''[[Safe Exam Browser]]''' settings and allow students only to take the quiz with this open-source lock-down browser, students cannot download or print the questions at all. But this setting add the hurdles that students have to install an additional (open-source) software on their devices.<br />
<br />
===Using the textbook===<br />
Students will frequently look up the answer to questions in the textbook or a reading. If you are giving a chapter check quiz, then this is what you want them to do. Otherwise, you need to come up with creative ways of making the textbook less directly useful. Timed quizzes are the single most effective tool for eliminating this strategy. A timed quiz requires the students answer the questions in a certain amount of time. If you give enough questions and make the time short enough, they won't have time to look up all the answers. I usually give about 30 seconds per multiple-choice question. If they answer them faster and have time to look up some answers afterward, I figure they knew enough to deserve to look up an answer or two.<br />
<br />
Asking students to apply their knowledge to novel situation can also make a difference. Synthesis and application questions can't be looked up. Students have to understand the material and apply it creatively to answer the questions. So while they may take the time to review the text, they will still need to try to understand what they've read to successfully answer the question.<br />
<br />
===Working with friends===<br />
If your students are on the same campus, they may get together in a lab and try to take the quiz together. This is an easy strategy to thwart with random question order, random answer order and questions randomly pulled from a test bank. If my screen doesn't look like yours, then it's harder for us to quickly answer all of the questions. A timed quiz also makes it harder for the two of us to cheat if we have different questions and we only have a short amount of time to answer.<br />
<br />
===Have someone else take the test===<br />
The old adage goes “On the Internet, no one knows you’re a dog”, and no one knows who is actually taking the test. Students will sometimes pay classmates, or others who have taken the course in the past, to take online quizzes for them. There are two ways to counter this strategy. One, have an occasional proctored exam where students need to show ID. If they haven't taken the quizzes or done the work until then, they will do poorly on the proctored exam. To eliminate current classmates from taking each other's quizzes, only make them available for a short time. You could require everyone take the test within a 2- or 4-hour block. If the test is properly randomized, it will be very difficult to take it more than once during the testing period. The test taker will worry about their own grade first, then about their employer's grade.<br />
<br />
Obviously, there are many strategies students can use to cheat. While it would be naïve to assume there isn't cheating, the vast majority of your students want to succeed on their own merits. The anonymity of the online environment may open up new avenues for the cheaters, but it's not really much different from your face-to-face classes. A few people will go to great lengths to cheat, but most will be honest as long as it's not too easy to get away with it. A few precautions will eliminate most of the easy cheats, and the classic strategies will work for the others.<br />
<br />
==Robust testing with random variants==<br />
<br />
This section describes a good way to help minimise the potential for cheating, and increase the opportunity for students to learn from the feedback by repeated attempts at the quiz. The basic idea is to take each particular question that you were thinking of, and make several slight variants of it. Then use Moodle's random question feature, so that each student gets one of the variants picked at random.<br />
<br />
===An example===<br />
<br />
A good example of this (although not in Moodle) can be seen at https://students.open.ac.uk/openmark/mu120.m5omdemo/. Take that test once, making a rough note of the questions you are asked. Then after you have done 'End test', do 'Restart entire test' and see that you are asked a different set of questions that have different answers, although they test the same knowledge. This sort of strategy is easier to implement in some subjects than in others.<br />
<br />
===How to set this up in Moodle===<br />
<br />
Suppose we are going to create a quiz with 6 questions about interpreting diagrams (that is, we are going to try to clone the OpenMark example above). For the fourth question, the closest we will be able to get would be [https://moodle.org/plugins/qtype_ddmarker the Image target question type from the Modules and plugins database].<br />
<br />
====1. Create a category for each 'question' in the quiz====<br />
<br />
As you can see from the screen shot, I have created six appropriately named categories, all neatly grouped inside a parent category. You do this on the 'Categories' tab of the question bank interface.<br />
<br />
[[Image:Variants_categories.png]]<br />
<br />
====2. Create the first variant of the first question====<br />
<br />
Create the first variant of the first question, just like you would create any other Moodle question.<br />
<br />
In our example, this might be an Embedded answers (Cloze) question type. The question text might be:<br />
<br />
:Below is a plan of a proposed garden. The scale is that each division in the plan represents a length in the garden of 0.5 metres. What is the proposed length and width of the Patio in the garden? <br />
: [[Image:Variants_flowerbed.gif]]<br />
: The Patio is {''CLOZE syntax''} metres by {''CLOZE syntax''} metres.<br />
<br />
====3. Create the other variants of the first question====<br />
<br />
To easily create a variant, click the duplicate icon next to the first question, then make the changes you need to turn it into the second variant and save it. Repeat this process to create as many variants as you want. <br />
<br />
In our example, we might change the word Patio, and the scale factor each division represents 0.5 metres. We would also need to change the answers and the associated feedback in the {''CLOZE syntax''} bits.<br />
<br />
====4. Repeat 2. and 3. for the other questions====<br />
<br />
The screen shots show the variants of the third question. This one is a bit more of a pain to set up, because each variant will use a different image of a pie chart, so there is a bit more editing to do, and more files to upload to the course files area.<br />
<br />
[[Image:Variants_questionsincat.png]]<br />
<br />
====5. Add the questions to the quiz====<br />
<br />
Once you have created all the questions, add them to the quiz using the 'Add random question' feature. Select the first category (Reading a plan variants). Ensure 'Display questions from sub-categories too' is off. Use the controls at the bottom to Add 1 random question to the quiz.<br />
<br />
Repeat for each of the other categories in order.<br />
<br />
[[Image:Variants_quiz.png]]<br />
<br />
===Creating variant questions in Atto===<br />
In 2016, a new additional plugin, the [[Cloze editor for Atto]] has a 'Duplicate' button, that allows you to easily and quickly create many question variants.<br />
<br />
===Comments===<br />
<br />
Obviously this is more work to set up (although not three times as much work as creating one quiz). It is up to you to do the cost benefit analysis for your particular quiz. Note that once you have set this up, you are more likely to be able to reuse quizzes in future, because you have reduced the potential for simple copying of answers.<br />
<br />
As an alternative to 'Save as new question', you can use Moodle's import and export formats, and copy and paste in your text editor to create variants.<br />
<br />
One issue you have to worry about is, are all the variants you have made of each question really equally difficult? Moodle 2.0 will feature a new Statistics report which should help you analyse your quiz results to see how difficult each variant is.<br />
<br />
Experience shows that 'a few variants' can normally be taken to be 3 variants. This is enough to ensure that two students working at neighbouring computers will mostly get different questions to each other. More is better (providing you can ensure equal difficulty) but is more work, so you get diminishing returns.<br />
<br />
(This section expands some of the advice above under [[#Printing and sharing questions|Printing and sharing questions]]. It also describes how most online assessments at the Open University are constructed. The [[calculated question type]] is sometimes another way to implement quizzes like this.)<br />
<br />
==Certainty Based Marking==<br />
* To make students think about how reliable their answer is.<br />
* To encourage students to try to understand the issues, not just react immediately to a question.<br />
* To challenge: if a student won't risk losing marks if wrong then they don't really know the answer.<br />
* If a student is a careful thinker but not very confident. they will gain in confidence.<br />
* It is more fair - a thoughtful and confident correct answer deserves more marks than a lucky hunch.<br />
* Students need to pay attention if they make confident wrong answers: think, reflect, learn!<br />
* Efficient study requires constantly questioning how our ideas arise and how reliable they are.<br />
<br />
See [[Using certainty-based marking]].<br />
<br />
==Proctored exams==<br />
* As a start, check the info in this discussion: https://moodle.org/mod/forum/discuss.php?d=399255#p1610674. Use advance search for the forums, as there has been a bunch of discussion in 2020 about this subject.<br />
<br />
* One of the better solutions seen recently for lockdown testing, was a combination of things:<br />
**Use of the safe browser and have the proctor call the student via some form of video call. <br />
**Have the student show the proctor their computer setup and the room the test will be taken in. <br />
**Then, have the student set up the phone in a position showing the student and their computer screen, as best they can from across the room. <br />
**This allows the proctor to watch and hopefully, see any attempts to cheat.<br />
<br />
==See also==<br />
<br />
* [[Safe exam browser]] The Safe Exam Browser can work with Moodle to control what a student can do when in Moodle. To use it, it must be enabled the [[Quiz settings]]. This adds some additional options which could be chosen directly in the quiz settings. <br />
<br />
Forum discussions:<br />
* [https://moodle.org/mod/forum/discuss.php?d=399255#p1610674 Implementing remotely invigilated online exams at scale] - The key lessons and successes of the University of New England's experience in implementing large scale remotely invigilated (proctored) online exams<br />
* [http://moodle.org/mod/forum/discuss.php?d=141003 How do you keep people from cheating while taking a quiz?]<br />
* [https://moodle.org/mod/forum/discuss.php?d=271100#p1168345 User dependent locking and unlocking of quizzes]<br />
<br />
External links:<br />
* [https://www.openlms.net/blog/products/30-tips-for-creating-quiz-questions-lms/ 30 tips for creating quiz questions] by Rebecca DeSantis, MSIT, Moodlerooms Instructional Designer<br />
* [https://www.alfiekohn.org/article/whos-cheating/ Who is Cheating Whom] article<br />
* [https://www.unmc.edu/facdev/_documents/ConstructingWrittenTestQuestions_WritingManual.pdf Constructing written test questions for the basic and clinical sciences] - by the National Board of Medical Examiners (USA)<br />
<br />
[[es:Prácticas Eficaces en los Exámenes]]<br />
[[de:Tests effektiv durchführen]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Upload_users&diff=145540Upload users2023-02-19T15:03:37Z<p>Ratna: </p>
<hr />
<div>{{Accounts}}<br />
==Uploading users via text file==<br />
There are many options for uploading information (fields associated with a user) with this method: from enrolling users in multiple courses with course specific [[roles]] to updating user information in the [[User profile]] to deleting users from the site.<br />
<br />
''Tip:'' It is usually not necessary to upload users in bulk with Upload users. To keep maintenance work down you should first explore forms of authentication that do not require manual maintenance, such as [[External database authentication|connecting to existing external databases]] or letting the users create their own accounts ([[Self enrolment]]). See [[Authentication]] for more information.<br />
{{MediaPlayer | url = https://youtu.be/UCuOOGD7XPI| desc = How to bulk upload users and add to courses}}<br />
==File formats for upload users file==<br />
The upload users file has fields separated by a comma (or other delimiter) ONLY - no space. The first line contains the valid field names. The rest of the lines (records) contain information about each user.<br />
<br />
''Tip:'' Avoid special characters in field information like quotes or other commas. Test a file with only one record before a large upload.<br />
<br />
''Tip:'' You can use a spread sheet program to create the file with the required columns and fields. Then save the file as "CSV (comma delimited)". These files can be opened with simple text editors (e.g., [https://notepad-plus-plus.org/ Notepad++]) for verification. <br />
===Valid upload file for testing===<br />
*From Site administration / Users / Upload users, an example text (.csv) file is available. It includes can be downloaded and adapted to your needs. <br />
username,firstname,lastname,email<br />
<br />
student1,Student,One,s1@example.com<br />
<br />
student2,Student,Two,s2@example.com<br />
<br />
student3,Student,Three,s3@example.com<br />
*Additional fields can be added as below. The course and cohort must already have been manually created.<br />
username,firstname,lastname,email,course1,group1,cohort1<br />
<br />
student1,Student,One,s1@example.com,math102,groupA,cohortZ<br />
<br />
student2,Student,Two,s2@example.com,math102,groupB,cohort Y<br />
<br />
student3,Student,Three,s3@example.com,math102,groupA,cohortZ<br />
== User Fields that can be included==<br />
''Tip:'' We strongly recommend that you test a file that contains fields you proposed to use with one user before attempting a file upload for the first time. <br />
===Required fields===<br />
These are the required user identification fields:<br />
<code>username,firstname,lastname,email</code><br />
Validity checks are performed for:<br />
* '''username''' can only contain alphabetical '''lowercase''' letters, numbers, hypen '-', underscore '_', period '.', or at-sign '@' <br />
* '''email''' is in the form: ''name@example.com''<br />
===Passwords===<br />
The "password" field is optional if the 'New user password' setting on the upload screen is set to "Create password if needed and send via email" but is required if the setting is "Field required in file".<br />
<br />
If included, values should meet the requirements for the site's [[Site policies#Password policy|Password policy]]. <br />
<br />
To force password change for a particular user, set the password field to '''changeme'''. If omitted, a password will be generated for each user (during the next Cron job) and welcome e-mails sent out. The text for the welcome e-mail is in the language settings in ''Site administration > Language > Language customisation'' with a String identifier of 'newusernewpasswordtext'.<br />
===Optional user fields===<br />
Note: Commas within a field must be encoded as &#44 - the script will decode these back to commas.<br />
Tip: For Boolean fields with only two values, use '''0''' for false and '''1'''for true. <br />
<br />
<br />
To provide values other than the default you can include one or more of these optional user fields:<br />
<pre>institution,department,city,country,lang,auth,timezone,idnumber,icq,phone1,phone2,address,url,description,mailformat,maildisplay,maildigest,htmleditor,autosubscribe,interests,theme</pre><br />
Most of the these are user profile fields or user preference fields that belong to the user profile and are the filled in the user or at manual creation. Some however require specific formats:<br />
<br />
See [[Additional name fields]] for more details. Key things to note are:<br />
<br />
'''country''' - use the country TWO LETTER CODE, in upper case, e.g. AU,ES,GB,US. These are all UPPER CASE. Using "au" or "es" or "USA" as a country code will result in a database error. If you are having trouble working out the two-letter code for a country, you can consult the list of [https://www.iso.org/obp/ui/#search country names and code elements] available on the ISO Website. A common error is to use UK for United Kingdom; it should be GB.<br />
<br />
'''lang''' - use the two letter (or extended four letter) code as defined in the Moodle language packs, e.g. en, es, en_us, de, in ''Site administration > Language > Language packs''. <br />
<br />
'''auth''' - The auth field must be used if the site uses an alternative authentication method, such as LDAP, as otherwise the authentication method will default to manual and users using a different auth method won't be able to log in.<br />
Use the shortname codes defined in Plugins > Authentication for the various types, e.g. manual, nlogin, ldap, cas, mnet, db, none. If you do not include an auth column, then newly created users will be created with the manual account type.<br />
<br />
You can set "auth" to "nologin" in your csv file which will mean that then created users cannot login.<br />
<br />
'''timezone''' - Should be in the format as found in the Location settings in terms of Zone/Region, e.g. Australia/Sydney, Asia/Kathmandu, Europe/Madrid, etc. The entry is case sensitive so Europe/London will work but europe/london will not.<br />
<br />
NOTE: Needed: settings for '''mailformat''','''maildisplay''','''htmleditor''','''autosubscribe'''<br />
<br />
'''maildigest''' To prevent users from receiving a large number of emails from courses or forced subscription forums use the '''maildigest'''. The options for this field are 0 = No digest, 1 = Complete digest and 2 = Digest with just subjects.<br />
<br />
'''maildisplay''' allows you to set the email display option for a user. The options for this field are 0 = Hide my email address from non-privileged users, 1 = Allow everyone to see my email address and 2 = Allow only other course members to see my email address.<br />
<br />
'''theme''' User themes may be added by using 'classic', 'boost' or the name of any other installed theme. The value should be the short name of the theme, e.g. 'boost' not 'Boost', 'fordson' not 'Fordson'.<br />
===Custom profile field names===<br />
These are optional and depend on whether you have created any custom profile fields in your site. The name of the header in file is of the form 'profile_field_xxxxx' where xxxx is the unique shortname of custom user profile field name as you created it. <br />
<br />
The field name should match the case of the profile field shortname. So, for instance if the shortname of your custom profile field is all upper case, for example, ''DOB'', then use a header of ''profile_field_DOB'' to match the case, not ''profile_field_dob'', which will produce a "is not a valid field name" error. Likewise, a mixed case shortname such as ''Dob'' should have a header of ''profile_field_Dob''. (The exception to this is if the shortname is all lower case, then any case will work in the field header, which is a historical quirk: but best practice is to match the case and you will avoid errors.)<br />
<pre>profile_field_xxxxx</pre><br />
'''Example''': To create a custom field "genre", you must write a shortname "genre" in the new field, and write "profile_field_genre" in the header of the .csv file.<br />
<br />
<br />
For custom profile fields that are dates, use the ISO standard format YYYY-MM-DD, e.g. 2014-06-19 which will then be properly localized in the interfaced. For example, a field called dohire for date of hire, the fields could be:<br />
<pre><br />
username,firstname,lastname,email,profile_field_dohire<br />
blumbergh,Bill,Lumbergh,blumbergh@example.com,1990-02-19<br />
pgibbons,Peter,BGibbons,pgibbons@example.com,1996-06-05<br />
tsmykowski,Tom,Smykowski,tsmykowski@example.com,1970-01-01 <br />
</pre><br />
<br />
<br />
For custom profile fields that are a menu, use the corresponding value in the menu list from field as you defined it. For example: a custom field 'corporatedivision' with one of three values 'Management', 'Development' or 'Training'. Just insert one of those three words (e.g. 'Training') as the value for that field. E.g.<br />
<pre><br />
username,firstname,lastname,email,profile_field_corporatedivision<br />
blumbergh,Bill,Lumbergh,blumbergh@example.com,Management<br />
pgibbons,Peter,BGibbons,pgibbons@example.com,Development<br />
tsmykowski,Tom,Smykowski,tsmykowski@example.com,Training <br />
</pre><br />
=== Special user change fields===<br />
Three special fields are used for managing user accounts, '''oldusername''', '''deleted''' and '''suspended'''. [[#Allow_renames|See below for details]].<br />
===Enrolment fields===<br />
You may optionally enrol users in already existing courses using manual enrolment. Only manual enrolment is done this way; if the manual enrolment method is disabled in a course, then no enrol is done.<br />
<br />
You use fields in the upload file of this type:<br />
<pre>course1,type1,role1,group1,enroltimestart1,enrolperiod1,enrolstatus1,course2,type2,role2,group2,enroltimestart2,enrolperiod2,enrolstatus2</pre> etc.<br />
Header fields '''must''' have a numeric suffix such that type1,role1,group1,enrolperiod1 and enrolstatus1 all apply to course1 for course'''1''' to course'''n'''. Even if you are just doing one course enrolment, you must still use the number 1 on the heading name, i.e. course1,role1, etc. Do not use the bare headings without numbers, e.g. course,role, etc. as those will generate an error.<br />
<br />
<br />
'''course#''' is the shortname of the course, if present the user will be enrolled in that course. Do not use the fullname of the course or it will generate an error. This field is the ONLY required field for a successful enrolment. All the others are optional. <br />
<br />
'''type#''' sets the role to be used for the enrolment. A value of 1 is default course role, 2 is legacy Teacher role and 3 is legacy Non-editing Teacher.<br />
<br />
'''role#''' may be used to specify roles directly, using either role short name or the role id (numeric names of roles are not supported). Usually you will use the role name that is the shortname of the role as defined in Users > Permissions > Define roles, e.g. student, editingteacher. If the role column is left out, the users will be enroled in the course with the default role, which is normally student.<br />
<br />
'''group#''' may be used to assign users to groups in course, using name or id (numeric group names are not supported). NOTE: if the group does not already exist, it will be created.<br />
<br />
'''enroltimestart#''' may be used to set the enrolment start time, for each course. If not explicitly set here, the enrolment start time is set to be today. To set a date: "2021-02-15" and to set a date and time "2021-02-15 15:30"<br />
<br />
'''enrolperiod#''' may be used to set the enrolment duration, in days, for each course. If not explicitly set here, all the users will get the duration as set in the Manual enrolment method of the course (which defaults to 0 meaning unlimited.)<br />
<br />
'''enrolstatus#''' is optional as by default all newly enrolled users are set to active. If used a value of 1, it will suspend users in the course and if a user is previously set as inactive / suspended then a value of 0 will unsuspend them and make them active again.<br />
=== Cohort membership assignment===<br />
You can assign users to any already existing Cohort by using only the "username" and the "Cohort ID" with just two fields in the file. Note that this is an exception to the usual case where the firstname, lastname and email address of the user are required.<br />
<br />
'''cohort#''' is the form to use and like enrolment in courses, you have to add a number to each header, so cohort1,cohort2, etc.<br />
<br />
Internal cohort ID numbers or non-numeric Cohort IDs of existing cohorts must be used; do not use the full name as this is not allowed. (Note that cohort ID is what is usually known elsewhere as the "shortname".)<br />
<br />
Here is a sample CSV file:<br />
<pre><br />
username,cohort1,cohort2<br />
student1,nursing,2016class<br />
student2,nursing,2014class<br />
student3,nursing,2014class<br />
</pre><br />
=== MNet ===<br />
Existing [[MNet]]users can be added to courses, groups or cohorts as below by using the field header '''mnethostid'''<br />
#enrolling to courses: username+mnethostid+course required<br />
#adding to group: username+mnethostid+course+group required<br />
#adding to cohort: username+mnethostid+cohort required<br />
#suspending/reviving accounts: username+mnethostid+suspended required<br />
All other operations are ignored. You can not add users, delete them or update them (such as change names or email, profile fields, etc.)<br />
=== Set system roles ===<br />
Users may also be assigned to already defined system roles, using the shortname of the system role as defined in ''Site administration > Users > Permissions > Define roles'' for roles with a system context defined.<br />
<br />
<code>sysrole1,sysrole2,sysrole3</code> etc.<br />
<br />
Users may be uploaded to a system role (usually Manager or Course creator) by entering the shortname of that role. Other roles can only be uploaded if they have already been assigned in the 'system' context. See [[Creating custom roles]]. Multiple roles can be assigned using sysrole2, sysrole3, etc. fields. Note that the number suffix in no way relates to the number suffixes on the enrolment fields. The numbers must go up in sequence starting at 1.<br />
<br />
Unassigning system roles<br />
Users can also be removed from a given system role by entering the shortname of that role prefixed with a minus symbol: '-'. If the user is currently assigned to that role, they are removed from it. If the user is not currently assigned to that system role, the field value is ignored. However, the field value must refer to a system role that does exist on the system, otherwise an error will occur.<br />
[[File:GlobalRoles1.png|thumb|500px|center|Example of a file for uploading users with global/system roles]]<br />
==Upload user process==<br />
# Create file for uploading<br />
# Go to ''Site administration > Users > Accounts > Upload users''<br />
# Add file to upload<br />
# Upload users preview - check settings and default user profile settings<br />
# Upload users preview - click "Upload users"<br />
# Upload users results - shows list of users, exceptions made in upload and summary of number of users<br />
# Upload users results - click "Continue"<br />
# Returns to Upload users screen<br />
==Updating users preview==<br />
There are various settings to better control the desired upload behaviour. These settings are found on the "Upload users preview" page.<br />
<br />
'''Warning''': errors updating existing accounts can affect your users badly. '''''Be careful''''' when using the options to update.<br />
====Upload type====<br />
The Upload type specifies how to handle existing accounts.<br />
;Add new only, skip existing users : is the default Moodle upload type. It creates a new user account for each new record in the uploaded file. If an existing username is found in the uploaded file matches an existing username, that record is '''skipped'''. By skipping the existing user account, the data in the existing record is not touched (in contrast to the "Add new and update existing users" option) and a second new user account is '''not''' created (in contrast to the "Add all, append number to usernames if needed" option). <br />
<br />
;Add all, append number to usernames if needed : creates a new user account for each record in the uploaded file. If an existing user account is found, a new account will be created with a number appended to the username. For example, if a user account for username 'jsmith' already exists and a new record in the uploaded file contains a record forusername 'jsmith' an additional user account is created with a 1 '''appended''' to the username to produce user 'jsmith1'. <br />
<br />
;Add new and update existing users: creates a new user account for each new user in the upload file. If an existing user account with the same username is found, the account information is '''updated''' by the data in the uploaded file. <br />
<br />
;Update existing users only : ignores any new users found in the upload file and updates the user account if a matching username record is found in the uploaded file.<br />
====New user password====<br />
When creating a new user account Moodle can create a new password (if one is not provided) or require a password in the uploaded file.<br />
;Create password if needed and send via email: creates a random default password for each new user account if one is not provided in the uploaded file, and emails the user their user information and new password.<br />
<br />
;Field required in file : requires that a password be provided in the uploaded file in order. If a password is not provided, an error is generated and the user account is not created. No notification of this user information or password is sent to the user.<br />
====Existing user details====<br />
The Existing user details options are only available when the Upload type allows existing user accounts to be updated. It specifies how Moodle should process user detail information for existing users.<br />
;No changes : ignores user detail data in the uploaded file and leaves the existing user account data unchanged.<br />
;Override with file : overwrites data in the existing user account with the data provided in the uploaded file.<br />
;Override with file and defaults : overwrites data in the existing user account with data provided in the uploaded file and fills in the default values for existing user details when no data is provided in the uploaded file.<br />
;Fill in missing from file and defaults : adds data in the existing user account with data provided in the uploaded file if the field is empty (does not already contain data) and fills in the default values for existing user details when no data is provided in the uploaded file.<br />
====Existing user password====<br />
The Existing user password option appears when you you have set the "Existing user details" setting to "Overwrite with file". It specifies how to handle password data for existing user accounts, to change them or leave them as it. This is a bit of insurance to make sure that you really want to mass change user passwords.<br />
;No changes : ignores password field in the uploaded user file and leaves the existing user account password untouched<br />
;Update : overwrites the existing user account password with the password provided in the uploaded file<br />
====Force password change====<br />
The Force password change option specifies when to tag a user account so that the next login attempt will require the user to change the user's password.<br />
;Users having a weak password : If the user account has a weak password as defined by the site's [[Password policy#Password policy|Password policy]] then the user will be forced to change the password during the next login attempt. This option is not shown if there the site does not have a [[Password policy#Password policy|Password policy]]. <br />
;None : None of the users in the uploaded file will be forced to change the password during the user's next login attempt.<br />
;All : All of the users in the uploaded file will be forced to change the password during the user's next login attempt.<br />
====Allow renames====<br />
If the uploaded file contains the special '''oldusername''' field, it is possible to rename a user from the '''oldusername''' to a new '''username'''. The default setting is to '''not''' allow renames. Keep in mind that renaming a user will require the user to use the new username when logging in.<br />
;No : ignores the '''oldusername''' field and leaves the existing user account's username field unchanged.<br />
;Yes : allows the existing user account's username to be changed by the data provided in the uploaded file's username field. The '''oldusername''' will be searched for and then updated with the data provided in the username column.<br />
====Allow deletes====<br />
If the uploaded file contains the '''deleted''' special field, it is possible to use the upload file to delete existing user accounts. The default setting is to '''not''' allow deletes. Keep in mind that deleting a user account will prevent that user from logging in. As a protection, site administrator user accounts cannot be deleted with this method. <br />
;No : ignores the '''deleted''' special field in the uploaded file and leaves the existing user account unchanged<br />
;Yes : allows the existing user account to be deleted when the value of the '''deleted''' field is 1. <br />
====Allow suspending and activating of accounts====<br />
If the uploaded file contains the '''suspended''' special field, it is possible to use the upload file to either suspend or make active (unsuspend) existing user accounts. The default setting is to allow suspending/activating of existing user accounts. Keep in mind that suspending an existing user account will prevent that user from logging in. <br />
;Yes : allows the existing user account to be suspended when the value of the '''suspended''' field is 1. <br />
;No : ignores the '''suspended''' special field in the uploaded file and leaves the existing user account status unchanged.<br />
====Prevent email address duplicates====<br />
It is possible, but '''not''' recommended to upload users with duplicate email addresses. By default, uploading users with duplicate email addresses is prevented. To allow duplicate email addresses, go to Site administration ► Plugins ► Authentication ► Manage authentication. You can tick "Allow accounts with same email". Then on the upload users screen you will be allowed to change the "Prevent email address duplicates" setting. <br />
<br />
However, doing this is not recommended for file uploads. Test thoroughly any user uploads before implementing.<br />
<br />
For more info, see the [[Managing authentication#Allow accounts with same email|Managing authentication]] docs page<br />
;Yes :prevents user accounts from being created from the uploaded if an existing user account already has the same email address as found in the uploaded file's '''email''' column.<br />
;No :allows user accounts to be created if an existing user account already has the same email address found in the uploaded file's '''email''' column.<br />
====Standardise usernames====<br />
Standardise usernames is used by default to convert the username to all lower case and to strip out illegal characters. It is possible to not standardise the usernames; however, doing so is '''not''' recommended.<br />
;Yes : standardises usernames found in the uploaded file before updating existing or creating new user accounts so that the username contains only lowercase letters and numbers.<br />
;No : skips standardising usernames found in the uploaded file so that the newly created or updated usernames will be exactly as they are in the uploaded file ('''not recommended''').<br />
For those seeking a more technical explanation, the process for standardising the usernames consists of ensuring the characters are all UTF-8 (fix_utf8) encoded, converting the username to lower case, and then stripping out non-letters/non-number characters (unless ''Site administration > Security > Site policies > Allow extended characters in usernames'' is set on) with something similar to: <br />
<br />
<code>$username = preg_replace('/[^-\.@_a-z0-9]/', '', $username);</code><br />
====Select for bulk user actions====<br />
After the uploaded file has finished being processed (all new accounts have been created and existing accounts updated as specified by the previous settings), there is an option to select some of those user accounts to perform additional [[admin/user/user bulk|bulk user actions]] such as <br />
*Confirm user accounts created through Email-based self-registration which are not yet confirmed by the user<br />
*Send a message (requires Messaging to be enabled)<br />
*Delete user accounts<br />
*Display a list of users on a page<br />
*Download user data in text, ODS or Excel file format<br />
*Force users to change their passwords<br />
*Add users to a cohort<br />
By default, no users are selected for [[admin/user/user bulk|bulk user actions]].<br />
;No : No users are selected for [[admin/user/user bulk|bulk user actions]]<br />
;New users : Only newly created users are selected for [[admin/user/user bulk|bulk user actions]]<br />
;Updated users : Only updated user accounts are selected for [[admin/user/user bulk|bulk user actions]]<br />
;All users : All users found (existing updated users and newly created user accounts) in the uploaded file are selected for [[admin/user/user bulk|bulk user actions]]<br />
===Default values===<br />
You can provide default user values for some fields not included in the uploaded file. Some fields include:<br />
*Email display<br />
*Forum auto-subscribe<br />
*City/town<br />
*ID number<br />
*Institution<br />
*Department<br />
By clicking the '''Show more....''' link, other default user profile fields will show up. You can set 17 different fields here, including the Authentication method, Country. Language, Timezone, as well as most other standard User profile fields.<br />
<br />
'''Other fields'''<br />
<br />
If you have created any custom profile fields for your users, they will show up here.<br />
==Upload user results ==<br />
After accepting the preview settings by clicking on "Upload users", you should see the Upload users results screen.<br />
[[File:Upload users results 2.0.JPG|thumb|center|The results screen; everything went well!]]<br />
This screen will show you any exceptions or changes that were made to each user in the upload process. For example, if you were updating user information, the updated information will be shown. Or if a user was not added that record will be highlighted.<br />
<br />
The screen will summarize how many users were uploaded or updated, indicate the number of weak passwords and the number of errors.<br />
==Advanced potentials of Upload user==<br />
===Templates===<br />
''Note: This section needs checking and updating if necessary for Moodle 2.0. Please do so and remove this note when finished.''<br />
<br />
The default values are processed as templates in which the following codes are allowed:<br />
* %l - will be replaced by the lastname<br />
* %f - will be replaced by the firstname<br />
* %u - will be replaced by the username<br />
* %% - will be replaced by the %<br />
Between the percent sign (%) and any code letter (l, f or u) the following modifiers are allowed:<br />
* (-) minus sign - the information specified by the code letter will be converted to lowercase<br />
* (+) plus sign - the information specified by the code letter will be converted to UPPERCASE<br />
* (~) tilde sign - the information specified by the code letter will be converted to Title Case<br />
* a decimal number - the information specified by the code letter will be truncated to that many characters<br />
For example, if the firstname is John and the lastname is Doe, the following values will be obtained with the specified templates:<br />
* %l%f = DoeJohn<br />
* %l%1f = DoeJ<br />
* %-l%+f = doeJOHN<br />
* %-f_%-l = john_doe<br />
*<nowiki> http://www.example.com/~%u/</nowiki> results in <nowiki>http://www.example.com/~jdoe/</nowiki> (if the username is jdoe or %-1f%-l)<br />
Template processing is done only on default values, and not on the values retrieved from the CSV file.<br />
<br />
In order to create correct Moodle usernames, the username is always converted to lowercase. Moreover, if the "Allow extended characters in usernames" option in the Site policies page is off, characters different to letters, digits, dash (-) and dot (.) are removed. For example, if the firstname is John Jr. and the lastname is Doe, the username %-f_%-l will produce john jr._doe when Allow extended characters in usernames is on, and johnjr.doe when off.<br />
<br />
When the "New username duplicate handling" setting is set to Append counter, an auto-increment counter will be append to duplicate usernames produced by the template. For example, if the CSV file contains the users named John Doe, Jane Doe and Jenny Doe without explicit usernames, the default username is %-1f%-l and New username duplicate handling is set to Append counter, then the usernames produced will be jdoe, jdoe2 and jdoe3.<br />
===Deleting accounts===<br />
If the '''deleted''' field is present, users with value 1 for it will be deleted. In this case, all the fields may be omitted, except for '''username'''. After uploading the file, be sure to change the "Upload type" to "Update existing users only" and the "Allow deletes" option to "Yes".<br />
<br />
''Tip:'' A similar field is available for '''suspended'''. This enables a user account to be temporarily disabled rather than completely removed.<br />
<br />
Deleting and uploading accounts could be done with a single CSV file. For example, the following file will add the user Tom Jones and delete the user reznort:<br />
username,firstname,lastname,deleted<br />
jonest,Tom,Jones,0<br />
reznort,,,1<br />
==Encoding file format==<br />
On the initial Upload user screen, you may select the file encoding format from a pull down list. These include UTF-8 (the default), ASCII, ISO-8859-1 to ISO-8859-11 or any one of over 36 formats.<br />
==Hints==<br />
===Spreadsheet===<br />
If you use a spreadsheet program such as Excel to create your .csv file, check the resulting output in a text editor before you upload it. It is possible to get trailing commas on each line from an empty field if you have added and deleted columns of information prior to saving the final file. Also check the character encoding. A csv file is a simple text file (ASCII or Unicode) that can be used to upload user accounts.<br />
<br />
Excel translates passwords that begin with - (minus) or + (plus) as zero. Even when saving as .csv and saying "Yes" to "Keep this format, and leave out any incompatible features." Check for this before uploading, as a zero halts the upload process.<br />
<br />
If you use a formula in Excel to create fields (for example, the concatenate function to create a user name), then remember to copy the cells with the formula and use special paste with values checked to make them into an acceptable data for a csv file.<br />
<br />
The upload will also fail if you have trailing spaces at the end of your data fields. Often, this can not be removed with a simple Find " " and Replace with "". If information has been copied from web sources than it is possible to include non-breaking spaces which will prevent your upload from being completed correctly. To find these invisible spaces, use the Find and Replace function in Excel. In the find field, hold alt and type 0160. Leave the replace field blank. <br />
===Field size limits===<br />
Some fields have maximum character lengths, as defined in the database fields. Typically the file will import to the preview list screen but not finish the process. Turn on debug to see the fields that are too long. The error will be "User not added - error".<br />
<br />
The sizes of some common fields, in number of characters, are currently (3.2):<br />
*username - 100 <br />
*password - 255 <br />
*idnumber - 255 <br />
*firstname - 100 <br />
*lastname - 100 <br />
*lastnamephonetic - 255 <br />
*firstnamephonetic - 255 <br />
*middlename - 255 <br />
*alternatename - 255 <br />
*institution - 255<br />
*department - 255 <br />
*address - 255 <br />
*city - 120 <br />
*icq -15 <br />
*skype - 50 <br />
*yahoo - 50 <br />
*aim - 50<br />
*msn - 50 <br />
*phone1 - 20 <br />
*phone2 - 20<br />
===All user fields listed here===<br />
:All the user fields that are valid in an upload file are listed below, except for any custom fields you may have created (for which see below.)<br />
<pre>firstname,lastname,username,email,password,auth,idnumber,institution,department,city,country,timezone,lang,mailformat,maildisplay,maildigest,htmleditor,autosubscribe,skype,msn,aim,yahoo,icq,phone1,phone2,address,url,description,descriptionformat,interests,oldusername,deleted,suspended,alternatename,lastnamephonetic,firstnamephonetic,middlename</pre><br />
The enrolments into courses information are <pre>course1,type1,role1,group1,enrolperiod1,enrolstatus1</pre><br />
where each enrolment is grouped by number.<br />
===Capabilities===<br />
You may wish to create a limited role to allow some users access to this function. Create a role at the system/site level with the following capabilities allowed:<br />
* moodle/site:uploadusers<br />
* moodle/role:assign<br />
And <br />
* In 'Allow role assignments' tab of this new role, permit it to assign the required roles that it may be uploading, especially Student, but also Teacher, Non-editing Teacher, and any other custom roles you may have created, which will be used in the uploads to assign users to.<br />
In particular, don't forget the moodle/role:assign capability (even if these users have it in the courses they will be enrolling users in - it won't work).<br />
==Upload users via CLI==<br />
In Moodle 3.10 onwards, an administrator can upload users via a CLI script.<br />
<br />
To obtain instructions on how to use the script, in the command line from the moodle directory run <br />
php admin/tool/uploaduser/cli/uploaduser.php --help<br />
== See also ==<br />
* [[Flat file]] enrolment<br />
* [[User profile fields]] for details of how to include data about custom user profile fields in the upload users file<br />
* [[Upload courses]]<br />
Forum discussions:<br />
*[http://moodle.org/mod/forum/discuss.php?d=97903 Uploading users to custom roles]<br />
*[http://moodle.org/mod/forum/discuss.php?d=144569 Matriculacion con flat file csv] - discussion in Spanish<br />
[[fr:Importer des utilisateurs]]<br />
[[ja:ユーザのアップロード]]<br />
[[de:Nutzerliste hochladen]]<br />
[[es:Subir usuarios]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Talk:Test_course_generator&diff=140910Talk:Test course generator2021-07-17T17:48:29Z<p>Ratna: Created page with "This page overlaps with https://docs.moodle.org/dev/JMeter and has not been updated recently."</p>
<hr />
<div>This page overlaps with https://docs.moodle.org/dev/JMeter and has not been updated recently.</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Talk:JMeter_test_plan_generator&diff=140909Talk:JMeter test plan generator2021-07-17T17:46:58Z<p>Ratna: Created page with "This page overlaps with https://docs.moodle.org/dev/JMeter and not updated since 2014."</p>
<hr />
<div>This page overlaps with https://docs.moodle.org/dev/JMeter and not updated since 2014.</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Large_installations&diff=140725Large installations2021-07-04T07:45:45Z<p>Ratna: </p>
<hr />
<div>{{Main page}}<br />
<br />
== Architecture ==<br />
Large scale Moodle infrastructures can be set up on different types of machines, from bare metal to compartmentalized virtual containers (or Kubernetes Pods).<br /><br />
In this section, we will try to share and put together some case study examples of such technological concepts of running very large scale Moodle systems.<br />
<br />
=== On premise ===<br />
* Bare metal or Virtualization for Moodle [[Server_cluster]] setup.<br />
<br />
=== Public clouds ===<br />
* [https://github.com/aws-samples/aws-refarch-moodle Amazon (AWS) EC2 (VMs)] with auto scaling groups and managed services (Storage, Caching, Database, CI/CD).<br />
** [https://developerck.com/moodle-horizontal-scalable-aws/ Moodle Horizontal Scalable Deployment on AWS stack]<br />
** [https://mxmartempresarial.com/caso-de-estudio-univa.html Hosting high availability Moodle on AWS] (Spanish)<br />
** [https://www.erichartzog.com/blog/horz-scale-moodle Auto-Scaling Moodle Architecture on AWS 2015]<br />
** [https://github.com/Tulkis/aws-ebs-moodle Moodle with AWS Elastic Beanstalk]<br />
** Cloud infrastructure for high concurrency [https://moodle.com/wp-content/events/mootglobal19/Cloudinfrastructureforhighconcurrency.pdf slides], [https://www.youtube.com/watch?v=j_mEOxy9_eo video] 2019 Moodle MOOT Global presentation.<br />
* [https://ktree.com/blog/moodle-ha-setup-using-docker-over-aws.html Amazon (AWS) Docker containers] with auto scaling groups and managed services (Storage, Caching, Database, CI/CD).<br />
* Google (GPC) Kubernetes including automated managed micro services (Storage, Caching, Database, CI/CD, document conversions) <br />
* Microsoft (Azure) - [https://github.com/Azure/Moodle/ Deploy and Manage a Scalable Moodle Cluster on Azure]<br />
<br />
== Custom setup and Tips ==<br />
* A list of [[Performance_recommendations]] tuning tweaks you should consider applying to your system.<br />
* Bare metal vs Virtualization, consideration relevant to the specific way Moodle is built.<br />
* [https://aws.amazon.com/efs/features/infrequent-access/ Save some budget with AWS infrequent access EFS]<br />
* [https://techcommunity.microsoft.com/t5/azure-database-for-mysql/deploying-moodle-on-azure-things-you-should-know/ba-p/814054 Deploying Moodle on Azure – things you should know]<br />
<br />
== Community support ==<br />
* Moodle [https://moodle.org/mod/forum/view.php?id=596 Hardware and performance] forum.<br />
* [https://t.me/large_scale_moodle Large scale Moodle IT support] Telegram group (click to join)<br />
<br />
== List of Moodle systems by user count ==<br />
This page was started in December 2005. Inclusion on these pages is by self selection and completely voluntary. There are more sites which meet these criterion that are not listed.<br />
<br />
*[[Installations 1000 plus]] users<br />
*[[Installations 5000 plus]] users<br />
*[[Installations 10000 plus]] users<br />
*[[Installations 30000 plus]] users<br />
*[[Installations 250000 plus]] users<br />
*[[Installations 300000 plus]] users<br />
<br />
== See also ==<br />
*[http://moodle.org/mod/choice/view.php?id=3934 How big is your Moodle site?] choice activity (Sorry, this activity is currently hidden)<br />
*[http://moodle.org/mod/forum/discuss.php?d=36216 Chart of schools (by size) that are using Moodle] forum discussion<br />
*[http://www.frappr.com/moodle World map of Moodle users]<br />
*[http://moodle.org/stats/ Moodle statistics]<br />
*[[Institutions that have Migrated to Moodle]]<br />
*[https://moodle.com/news/safeguarding-scaling-large-university-moodle-environments Scaling large case studies from Moodle Certified Premium Partner Catalyst IT]<br />
<br />
[[ja:Moodleの大規模インストール]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Performance_recommendations&diff=140724Performance recommendations2021-07-03T07:09:42Z<p>Ratna: </p>
<hr />
<div>{{Performance}}<br />
Moodle can be made to perform very well, at small usage levels or scaling up to many thousands of users. The factors involved in performance are basically the same as for any PHP-based database-driven system. When trying to optimize your server, try to focus on the factor which will make the most difference to the user. For example, if you have relatively more users browsing than accessing the database, look to improve the webserver performance.<br />
<br />
<br />
==Obtain a baseline benchmark==<br />
<br />
Before attempting any optimization, you should obtain a baseline benchmark of the component of the system you are trying to improve. For Linux try [http://lbs.sourceforge.net/ LBS] (Note: Last updated May 2002) and for Windows use the Performance Monitor. Once you have quantitative data about how your system is performing currently, you'll be able to determine if the change you have made has had any real impact.<br />
<br />
The overall aim of adjustments to improve performance is to use RAM (cacheing) and to reduce disk-based activity. It is especially important to try to eliminate swap file usage as much as you can. If your system starts swapping, this is a sign that you need more RAM. <br />
<br />
The '''optimization order preference''' is usually: primary storage (more RAM), secondary storage (faster hard disks/improved hard disk configuration), processor (more and faster).<br />
<br />
It can be interesting to install and use the [https://moodle.org/plugins/report_benchmark Benchmark plugin] in order to find the bottlenecks of your system that specifically affect Moodle or do a load test / stress test with tool like JMeter. See [https://docs.moodle.org/dev/JMeter moodledev JMeter documentation]<br />
<br />
==Scalability==<br />
<br />
Moodle's design (with clear separation of application layers) allows for strongly scalable setups. (Please check the list of [[Large installations|large Moodle installations]].)<br />
<br />
Large sites usually separate the web server and database onto separate servers, although for smaller installations this is typically not necessary.<br />
<br />
It is possible to load-balance a Moodle installation, for example by using more than one webserver. The separate webservers should query the same database and refer to the same filestore and cache areas (see [[Caching]]), but otherwise the separation of the application layers is complete enough to make this kind of clustering feasible. Similarly, the database could be a cluster of servers (e.g. a MySQL cluster), but this is not an easy task and you should seek expert support, e.g. from a Moodle Partner.<br />
<br />
On very large, load-balanced, systems the performance of the shared components become critical. It's important that your shared file areas are properly tuned and that you use an effective cache (Redis is highly recommended). A good understanding of these areas of system administration should be considered a minimum requirement. <br />
<br />
===Server cluster===<br />
<br />
Using Moodle forum discussions:<br />
<br />
*[http://moodle.org/mod/forum/discuss.php?d=57202 Moodle clustering]<br />
*[http://moodle.org/mod/forum/discuss.php?d=44470 Software load balancing]<br />
*[http://moodle.org/mod/forum/discuss.php?d=49986 TCP load balancing]<br />
*[http://moodle.org/mod/forum/discuss.php?d=88214 Installation for 3000 simultaneous users]<br />
<br />
==Hardware configuration==<br />
'''Note''': The fastest and most effective change that you can make to improve performance is to '''increase the amount of RAM on your web server''' - get as much as possible (e.g. 4GB or more). Increasing primary memory will reduce the need for processes to swap to disk and will enable your server to handle more users.<br />
* Better performance is gained by obtaining the best '''processor capability''' you can, i.e. dual or dual core processors. A modern BIOS should allow you to enable hyperthreading, but check if this makes a difference to the overall performance of the processors by using a [http://en.wikipedia.org/wiki/Super_PI CPU benchmarking tool].<br />
* If you can afford them, use '''SCSI hard disks''' instead of SATA drives. SATA drives will increase your system's CPU utilization, whereas SCSI drives have their own integrated processors and come into their own when you have multiple drives. If you must have SATA drives, check that your motherboard and the drives themselves support NCQ (Native Command Queuing).<br />
* Purchase hard disks with a '''low seek time'''. This will improve the overall speed of your system, especially when accessing Moodle's reports.<br />
* Size your '''swap file''' correctly. The general advice is to set it to 4 x physical RAM.<br />
* Use a '''RAID disk system'''. Although there are many different RAID configurations you can create, the following generally works best:<br />
** install a hardware RAID controller (if you can)<br />
** the operating system and swap drive on one set of disks configured as RAID-1.<br />
** Moodle, Web server and Database server on another set of disks configured as RAID-5.<br />
* If your 'moodledata' area is going to be on relatively slow storage (e.g. NFS mount on to a NAS device) you will have performance issues with the default cache configuration (which writes to this storage). See the page on [[Caching]] and choose an alternative. Redis is recommended. Using [https://en.wikipedia.org/wiki/GlusterFS GlusterFS] / [https://en.wikipedia.org/wiki/OCFS2 OCFS2] / [https://en.wikipedia.org/wiki/GFS2 GFS2] on a [https://en.wikipedia.org/wiki/Storage_Area_Network SAN] device and [https://en.wikipedia.org/wiki/Fibre_Channel Fiber Channel] could improve performance (See more info on the Moodle [https://moodle.org/mod/forum/discuss.php?d=214680#p1123124 forum thread], [https://moodle.org/mod/forum/discuss.php?d=310501#p1242382 NFS performance tuing] )<br />
* Use '''gigabit ethernet''' for improved latency and throughput. This is especially important when you have your webserver and database server separated out on different hosts.<br />
* Check the settings on your '''network card'''. You may get an improvement in performance by increasing the use of buffers and transmit/receive descriptors (balance this with processor and memory overheads) and off-loading TCP checksum calculation onto the card instead of the OS.<br />
* Read this [http://moodle.org/mod/forum/discuss.php?d=68579 Case Study] on a server stress test with 300 users. <br />
* See this [http://elearning.sgu.ac.jp/doc/PT/ accompanying report] on network traffic and server loads.<br />
* Also see this SFSU presentation at Educause (using VMWare): [http://www.educause.edu/Resources/AnOpenSourceLMSforaMissionCrit/162843]<br />
<br />
==Operating System==<br />
* You can use [http://en.wikipedia.org/wiki/Linux Linux](recommended), Unix-based, Windows or Mac OS X for the server '''operating system'''. *nix operating systems generally require less memory than Mac OS X or Windows servers for doing the same task as the server is configured with just a shell interface. Additionally Linux does not have licensing fees attached, but can have a big learning curve if you're used to another operating system. If you have a large number of processors running SMP, you may also want to consider using a highly tuned OS such as [http://en.wikipedia.org/wiki/Solaris_Operating_Environment Solaris].<br />
* Check your own OS and '''vendor specific instructions''' for optimization steps.<br />
** For Linux look at the [http://linuxperf.sourceforge.net/ Linux Performance Team] site. <br />
** For Linux investigate the hdparm command, e.g. hdparm -m16 -d1 can be used to enable read/write on multiple sectors and DMA. Mount disks with the [https://moodle.org/mod/forum/discuss.php?d=310501#p1242382 "async" and "noatime"] options.<br />
** For Windows set the sever to be optimized for network applications (Control Panel, Network Connections, LAN connection, Properties, File & Printer Sharing for Microsoft Networks, Properties, Optimization). You can also search the [http://technet.microsoft.com/ Microsoft TechNet site] for optimization documents.<br />
<br />
==Web server performance==<br />
<br />
Installing [http://www.mozilla.com/en-US/ Firefox] and the [https://addons.mozilla.org/en-US/firefox/addon/1843 firebug] extension will allow you to watch the time it takes for each page component to load. Also, the [https://addons.mozilla.org/en-US/firefox/addon/5369 Yslow] extension will evaluate your page against Yahoo's [http://www.skrenta.com/2007/05/14_rules_for_fast_web_pages_by_1.html 14 rules], full text [http://developer.yahoo.com/performance/rules.html Best Practices for Speeding Up Your Web Site], <strike>([http://video.yahoo.com/video/play?vid=1040890 video])</strike> for fast loading websites.<br />
<br />
===PHP performance===<br />
* PHP contains a built-in accelerator. Make sure it is enabled. <br />
* Improvements in read/write performance can be improved by putting the cached PHP pages on a [[TMPFS]] filesystem - but remember that you'll lose the cache contents when there is a power failure or the server is rebooted.<br />
* Performance of PHP is better when installed as an '''Apache/IIS6 ISAPI module''' (rather than a CGI). IIS 7.0/7.5 (Windows Server 2008/R2) users should choose a FastCGI installation for best performance.<br />
* Also check the '''memory_limit''' in php.ini. The default value for the memory_limit directive is 128M. On some sites, it may need to be larger - especially for some backup operations. <br />
* Also see [[PHP_settings_by_Moodle_version]]<br />
* Use [http://blog.bitnami.com/2014/06/performance-enhacements-for-apache-and.html PHP-FPM] (with apache).<br />
<br />
===Install HowTo===<br />
==== APC ====<br />
* [http://2bits.com/articles/installing-php-apc-gnulinux-centos-5.html APC on CentOS 5.x (linux)]<br />
* [http://fplanque.com/dev/linux/install-apc-php-cache-debian-lenny APC on Debian (linux)]<br />
==== eAccelerator ====<br />
* [http://noveckg.blogspot.com/2010/02/installing-eaccelerator-cache-for-php.html Installing eAccelerator on CentOS 5.x (linux)]<br />
* [https://docs.moodle.org/en/Installing_eAccelerator_In_Ubuntu_Server/ Installing eAccelerator on Ubuntu Server (linux)]<br />
==== MemCached ====<br />
Memcached server (daemon)<br />
* [https://www.tecmint.com/install-memcached-on-centos-7/ Installing Memcached on CentOS 7.x (linux)] (as of php 7.x, only memcached is available)<br />
* [https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-memcached-on-centos-7 How To Install and Secure Memcached on CentOS 7]<br />
* [https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack#Iptables_rules_for_Redhat_based_servers Iptables rules for Redhat based servers]<br />
Memcached PHP 7.1 extension <br />
* [https://dl.iuscommunity.org/pub/ius/stable/CentOS/7/x86_64/repoview/php71u-pecl-memcached.html php71u-pecl-memcached] from IUS CentOS 7.x repository.<br />
<br />
===Apache performance===<br />
* If you are using Apache on a Windows server, use the build from [http://www.apachelounge.com Apache Lounge] which is reported to have [http://moodle.org/mod/forum/discuss.php?d=93358 performance and stability improvements] compared to the official Apache download. Note that this is an unofficial build, so may not keep up with official releases.<br />
* Set the '''MaxRequestWorkers''' directive correctly ('''MaxClients''' before Apache 2.4). Use this formula to help (which uses 80% of available memory to leave room for spare):<br />
MaxRequestWorkers = Total available memory * 80% / Max memory usage of apache process<br />
:Memory usage of apache process is usually 10MB but Moodle can easily use up to 100MB per process, so a general rule of thumb is to divide your available memory in megabytes by 100 to get a conservative setting for MaxClients. You are quite likely to find yourself lowering the MaxRequestWorkers from its default of 150 on a Moodle server. To get a more accurate estimate read the value from the shell command:<br />
#ps -ylC httpd --sort:rss<br />
<br />
:If you need to increase the value of '''MaxRequestWorkers''' beyond 256, you will also need to set the '''ServerLimit''' directive. <br />
<br />
:'''Warning''': Do not be tempted to set the value of MaxRequestWorkers higher than your available memory as your server will consume more RAM than available and start to swap to disk. <br />
* Consider reducing the '''number of modules''' that Apache loads in the httpd.conf file to the minumum necessary to reduce the memory needed. <br />
* Use the '''latest version of Apache''' - Apache 2 has an improved memory model which reduces memory usage further.<br />
* For Unix/Linux systems, consider lowering '''MaxConnectionsPerChild''' ('''MaxRequestsPerChild''' before Apache 2.4) in httpd.conf to as low as 20-30 (if you set it any lower the overhead of forking begins to outweigh the benefits). <br />
* For a heavily loaded server, consider setting '''KeepAlive Off''' (do this only if your Moodle pages do not contain links to resources or uploaded images) or lowering the '''KeepAliveTimeout''' to between 2 and 5. The default is 15 (seconds) - the higher the value the more server processes will be kept waiting for possibly idle connections. A more accurate value for KeepAliveTimeout is obtained by observing how long it takes your users to download a page. After altering any of the KeepAlive variables, monitor your CPU utilization as there may be an additional overhead in initiating more worker processes/threads.<br />
* As an alternative to using KeepAlive Off, consider setting-up a '''Reverse Proxy server''' infront of the Moodle server to cache HTML files with images. You can then return Apache to using keep-alives on the Moodle server.<br />
* If you do not use a .htaccess file, set the '''AllowOverride''' variable to AllowOverride None to prevent .htaccess lookups.<br />
* Set '''DirectoryIndex''' correctly so as to avoid content-negotiation. Here's an example from a production server:<br />
DirectoryIndex index.php index.html index.htm<br />
* Unless you are doing development work on the server, set '''ExtendedStatus Off''' and disable mod_info as well as mod_status.<br />
* Leave '''HostnameLookups Off''' (as default) to reduce DNS latency.<br />
* Consider reducing the value of '''TimeOut''' to between 30 to 60 (seconds). <br />
* For the '''Options directive''', avoid Options Multiviews as this performs a directory scan. To reduce disk I/O further use<br />
Options -Indexes FollowSymLinks<br />
<br />
* Compression reduces response times by reducing the size of the HTTP response<br />
# Install and enable mod_deflate - refer to documentation or man pages<br />
# Add this code to the virtual server config file within the <directory> section for the root directory (or within the .htaccess file if AllowOverrides is On):<br />
<ifModule mod_deflate.c><br />
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/x-js text/javascript text/css application/javascript<br />
</ifmodule><br />
* Use Apache [http://blog.bitnami.com/2014/06/performance-enhacements-for-apache-and.html event] [http://httpd.apache.org/docs/current/mpm.html MPM] (and not the default Prefork or Worker)<br />
<br />
===IIS performance===<br />
All alter this location in the registry:<br />
HKLM\SYSTEM\CurrentControlSet\Services\Inetinfo\Parameters\<br />
* The equivalent to KeepAliveTimeout is '''ListenBackLog''' (IIS - registry location is HKLM\ SYSTEM\ CurrentControlSet\ Services\ Inetinfo\ Parameters). Set this to between 2 to 5.<br />
*Change the '''MemCacheSize''' value to adjust the amount of memory (Mb) that IIS will use for its file cache (50% of available memory by default).<br />
*Change the '''MaxCachedFileSize''' to adjust the maximum size of a file cached in the file cache in bytes. Default is 262,144 (256K).<br />
*Create a new DWORD called '''ObjectCacheTTL''' to change the length of time (in milliseconds) that objects in the cache are held in memory. Default is 30,000 milliseconds (30 seconds).<br />
<br />
===Lighttpd, NginX and Cherokee performance===<br />
You can increase server performance by using a '''light-weight''' webserver like [http://www.lighttpd.net/ lighttpd], [http://nginx.net/ nginx] or [http://www.cherokee-project.com/ cherokee] in combination with PHP in FastCGI-mode. Lighttpd was originally created as a proof-of-concept[http://www.lighttpd.net/story] to address the [http://www.kegel.com/c10k.html C10k problem] and while primarily recommended for memory-limited servers, its design origins and asynchronous-IO model make it a suitable and proven[http://blog.lighttpd.net/articles/2006/12/28/lighttpd-powers-5-alexa-top-250-sites] alternative HTTP server for high-load websites and web apps, including Moodle. See the [[lighttpd | MoodleDocs Lighttpd page]] for additional information, configuration example and links.<br />
<br />
Alternatively, both [http://www.lighttpd.net/ lighttpd] and [http://nginx.net/ nginx] are capable of performing as a load-balancer and/or reverse-proxy to alleviate load on back-end servers[http://www.linuxjournal.com/article/10108], providing benefit without requiring an actual software change on existing servers.<br />
<br />
Do note that these are likely to be the least tested server environments of all particularly if you are using advanced features such as web services and/or Moodle Networking. They are probably best considered for heavily used Moodle sites with relatively simple configurations.<br />
<br />
===X-Sendfile===<br />
<br />
X-Sendfile modules improve performance when sending large files from Moodle. It is recommended to configure your web server and Moodle to use this feature if available.<br />
<br />
Configure web server:<br />
* Apache - https://tn123.org/mod_xsendfile/<br />
* Lighttpd - http://redmine.lighttpd.net/projects/lighttpd/wiki/X-LIGHTTPD-send-file<br />
* Nginx - http://wiki.nginx.org/XSendfile<br />
<br />
Enable support in config.php (see config-dist.php):<br />
<code php><br />
// $CFG->xsendfile = 'X-Sendfile'; // Apache {@see https://tn123.org/mod_xsendfile/}<br />
// $CFG->xsendfile = 'X-LIGHTTPD-send-file'; // Lighttpd {@see http://redmine.lighttpd.net/projects/lighttpd/wiki/X-LIGHTTPD-send-file}<br />
// $CFG->xsendfile = 'X-Accel-Redirect'; // Nginx {@see http://wiki.nginx.org/XSendfile}<br />
</code><br />
<br />
Configure file location prefixes if your server implementation requires it:<br />
<code php><br />
// $CFG->xsendfilealiases = array(<br />
// '/dataroot/' => $CFG->dataroot,<br />
// '/cachedir/' => '/var/www/moodle/cache', // for custom $CFG->cachedir locations<br />
// '/localcachedir/' => '/var/local/cache', // for custom $CFG->localcachedir locations<br />
// '/tempdir/' => '/var/www/moodle/temp', // for custom $CFG->tempdir locations<br />
// '/filedir' => '/var/www/moodle/filedir', // for custom $CFG->filedir locations<br />
// );<br />
</code><br />
<br />
== Cron performance ==<br />
<br />
Cron is a very important part of the overall performance of moodle as many asynchronous processes are offloaded to cron, so it needs to be running and have enough through put to handle the work being given to it by the front ends.<br />
<br />
See [[Cron_with_Unix_or_Linux#High_performance_cron_tasks]]<br />
<br />
==Database performance==<br />
<br />
===MySQL performance===<br />
<br />
The '''number one thing''' you can do to improve MySQL performance is to read, understand and implement the recommendations in the [https://dev.mysql.com/doc/refman/5.7/en/innodb-buffer-pool.html Innodb Buffer Pool] article.<br />
<br />
The [https://dev.mysql.com/doc/refman/5.7/en/innodb-buffer-pool-resize.html buffer pool size] can safely be changed while your server is running, as long as your server has enough memory (RAM) to accommodate the value you set. On a machine that is dedicated to MySQL, you can safely set this value to 80% of available memory.<br />
<br />
Consider setting [https://dev.mysql.com/doc/refman/5.7/en/innodb-parameters.html#sysvar_innodb_buffer_pool_instances innodb_buffer_pool_instances] to the number of cores, vCPUs, or chips you have available. Adjust this value in accordance with the recommendations in the [https://dev.mysql.com/doc/refman/5.7/en/innodb-buffer-pool-resize.html MySQL documentation].<br />
<br />
The following are MySQL specific settings which can be adjusted for better performance in your my.cnf (my.ini in Windows). The file contains a list of settings and their values. To see the current values use these commands<br />
SHOW STATUS;<br />
SHOW VARIABLES; <br />
'''Important''': You must make backups of your database before attempting to change any MySQL server configuration. After any change to the my.cnf, restart mysqld.<br />
<br />
If you are able, the [http://mysqltuner.pl/ MySQLTuner] tool can be run against your MySQL server and will calculate appropriate configuration values for most of the following settings based on your current load, status and variables automatically.<br />
<br />
* Enable the '''query cache''' with <br />
query_cache_type = 1. <br />
For most Moodle installs, set the following:<br />
query_cache_size = 36M <br />
query_cache_min_res_unit = 2K. <br />
The query cache will improve performance if you are doing few updates on the database. <br />
* Set the '''table cache''' correctly. For Moodle 1.6 set <br />
table_cache = 256 #(table_open_cache in MySQL > 5.1.2)<br />
(min), and for Moodle 1.7 set <br />
table_cache = 512 #(table_open_cache in MySQL > 5.1.2)<br />
(min). The table cache is used by all threads (connections), so monitor the value of opened_tables to further adjust - if opened_tables > 3 * table_cache(table_open_cache in MySQL > 5.1.2) then increase table_cache upto your OS limit. Note also that the figure for table_cache will also change depending on the number of modules and plugins you have installed. Find the number for your server by executing the mysql statement below. Look at the number returned and set table_cache to this value.<br />
mysql>SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema='yourmoodledbname';<br />
* Set the '''thread cache''' correctly. Adjust the value so that your thread cache utilization is as close to 100% as possible by this formula:<br />
thread cache utilization (%) = (threads_created / connections) * 100<br />
* The '''key buffer''' can improve the access speed to Moodle's SELECT queries. The correct size depends on the size of the index files (.myi) and in Moodle 1.6 or later (without any additional modules and plugins), the recommendation for this value is key_buffer_size = 32M. Ideally you want the database to be reading once from the disk for every 100 requests so monitor that the value is suitable for your install by adjusting the value of key_buffer_size so that the following formulas are true:<br />
key_read / key_read_requests < 0.01<br />
key_write / key_write_requests <= 1.0<br />
* Set the '''maximum number of connections''' so that your users will not see a "Too many connections" message. Be careful that this may have an impact on the total memory used. MySQL connections usually last for milliseconds, so it is unusual even for a heavily loaded server for this value to be over 200.<br />
* Manage '''high burst activity'''. If your Moodle install uses a lot of quizzes and you are experiencing performance problems (check by monitoring the value of threads_connected - it should not be rising) consider increasing the value of back_log.<br />
* '''Optimize your tables weekly and after upgrading Moodle'''. It is good practice to also optimize your tables after performing a large data deletion exercise, e.g. at the end of your semester or academic year. This will ensure that index files are up to date. Backup your database first and then use:<br />
mysql>CHECK TABLE mdl_tablename;<br />
mysql>OPTIMIZE TABLE mdl_tablename;<br />
:The common tables in Moodle to check are mdl_course_sections, mdl_forum_posts, mdl_log and mdl_sessions (if using dbsessions). Any errors need to be corrected using REPAIR TABLE (see the [http://dev.mysql.com/doc/refman/5.0/en/repair-table.html MySQL manual] and this [http://moodle.org/mod/forum/discuss.php?d=58208#p279638 forum script]).<br />
* '''Maintain the key distribution'''. Every month or so it is a good idea to stop the mysql server and run these myisamchk commands.<br />
#myisamchk -a -S /pathtomysql/data/moodledir/*.MYI<br />
:'''Warning''': You must stop the mysql database process (mysqld) before running any myisamchk command. If you do not, you risk data loss.<br />
* Reduce the number of '''temporary tables saved to disk'''. Check this with the created_tmp_disk_tables value. If this is relatively large (>5%) increase tmp_table_size until you see a reduction. Note that this will have an impact on RAM usage.<br />
<br />
===PostgreSQL performance===<br />
<br />
There are some good papers around on tuning PostgreSQL (like [http://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server this one]), and Moodle's case does not seem to be different to the general case.<br />
<br />
The first thing to recognise is that if you really need to worry about tuning you should be using a separate machine for the database server. If you are not using a separate machine then the answers to many performance questions are substantially muddied by the memory requirements of the rest of the application.<br />
<br />
You should probably '''enable autovacuum''', unless you know what you are doing. Many e-learning sites have predictable periods of low use, so disabling autovacuum and running a specific vacuum at those times can be a good option. Or perhaps leave autovacuum running but do a full vacuum weekly in a quiet period.<br />
<br />
Set '''shared_buffers''' to something reasonable. For versions up to 8.1 my testing has shown that peak performance is almost always obtained with buffers < 10000, so if you are using such a version, and have more than 512M of RAM just set shared_buffers to 10,000 (8MB).<br />
<br />
The buffer management had a big overhaul in 8.2 and "reasonable" is now a much larger number. I have not conducted performance tests with 8.2, but the recommendations from others are generally that you should now scale shared_buffers much more with memory and may continue to reap benefits even up to values like 100,000 (80MB). Consider using 1-2% of system RAM.<br />
<br />
PostgreSQL will also assume that the operating system is caching its files, so setting '''effective_cache_size''' to a reasonable value is also a good idea. A reasonable value will usually be (total RAM - RAM in use by programs). If you are running Linux and leave the system running for a day or two you can look at 'free' and under the 'cached' column you will see what it currently is. Consider taking that number (which is kB) and dividing it by 10 (i.e. allow 20% for other programs cache needs and then divide by 8 to get pages). If you are not using a dedicated database server you will need to decrease that value to account for usage by other programs.<br />
<br />
Some other useful parameters that can have positive effects, and the values I would typically set them to on a machine with 4G RAM, are:<br />
<br />
work_mem = 10240<br />
<br />
That's 10M of RAM to use instead of on-disk sorting and so forth. That can give a big speed increase, but it is per connection and 200 connections * 10M is 2G, so it can theoretically chew up a lot of RAM.<br />
<br />
maintenance_work_mem = 163840<br />
<br />
That's 160M of RAM which will be used by (e.g.) VACUUM, index rebuild, cluster and so forth. This should only be used periodically and should be freed when those processes exit, so I believe it is well worth while.<br />
<br />
wal_buffers = 64<br />
<br />
These buffers are used for the write-ahead log, and there have been a number of reports on the PostgreSQL mailing lists of improvement from this level of increase.<br />
<br />
This is a little out of date now (version 8.0) but still worth a read: http://www.powerpostgresql.com/Docs<br />
<br />
And there is lots of good stuff here as well: http://www.varlena.com/GeneralBits/Tidbits/index.php<br />
<br />
''Based on Andrew McMillan's post at [http://moodle.org/mod/forum/discuss.php?d=68558 Tuning PostgreSQL] forum thread.''<br />
<br />
* Splitting '''mdl_log''' to several tables and using a VIEW with UNION to read them as one. (See Tim Hunt [https://moodle.org/mod/forum/discuss.php?d=243531#p1104165 explanation] on the Moodle forums)<br />
<br />
=== Read replicas ===<br />
<br />
Since Moodle 3.9 you can configure read replica's to be used where possible. For very large systems as much as 80-90% of the DB load can be moved away from the primary. For configuration see config-dist:<br />
<br />
https://github.com/moodle/moodle/blob/master/config-dist.php#L84-L117<br />
<br />
===Other database performance links===<br />
* Consider using a '''distributed cacheing system''' like [http://en.wikipedia.org/wiki/Memcached memcached] but note that memcached does not have any security features so it should be used behind a firewall.<br />
* Consider using PostgreSQL. See [http://moodle.org/mod/forum/discuss.php?d=49195 how to migrate from MySQL to PostgreSQL] (forum discussion).<br />
* [http://dev.mysql.com/doc/refman/5.0/en/server-parameters.html General advice on tuning MySQL parameters] (advice from the MySQL manual)<br />
* [http://www.mysqlperformanceblog.com/2007/11/01/innodb-performance-optimization-basics/ InnoDB performance optimization] taken from the [http://www.mysqlperformanceblog.com/ MySQL performance blog] site.<br />
<br />
==Performance of different Moodle modules==<br />
<br />
Moodle's activity modules, filters, and other plugins can be activated/deactivated. If necessary, you may wish to deactivate some features (such as chat) if not required - but this isn't necessary. Some notes on the performance of certain modules:<br />
<br />
* The '''Chat''' module is [http://moodle.org/mod/forum/discuss.php?d=37979&parent=175079 said] to be a hog in terms of frequent HTTP requests to the main server. This can be reduced by setting the module to use ''Streamed'' updates, or, if you're using a Unix-based webserver, by running the chat in daemon mode. When using the Chat module use the configuration settings to tune for your expected load. Pay particular attention to the ''chat_old_ping'' and ''chat_refresh'' parameters as these can have greatest impact on server load.<br />
* The Moodle '''Cron''' task is triggered by calling the script ''cron.php''. If this is called over HTTP (e.g. using wget or curl) it can take a large amount of memory on large installations. If it is called by directly invoking the php command (e.g. ''php -f /path/to/moodle/directory/admin/cli/cron.php'') efficiency can be much improved.<br />
* The '''Recent activities''' block is consuming too many resources if you have huge number of records <code>mdl_log</code>. This is being tested to optimize the SQL query.<br />
* The '''Quiz''' module is known to stretch database performance. However, it has been getting better in recent versions, and we don't know of any good, up-to-date performance measurements. (Here is a [http://moodle.org/mod/forum/discuss.php?d=68579 case study from 2007 with 300 quiz users].). The following suggestions were described by [https://moodle.org/user/view.php?id=94615&course=5 Al Rachels] in [https://moodle.org/mod/forum/discuss.php?d=347126 this forum thread]:<br />
** make sure both Moodle, and the operating system, are installed on a [https://en.wikipedia.org/wiki/Solid-state_drive solid state drive]<br />
** upgrade to and use [https://docs.moodle.org/dev/Moodle_and_PHP7 PHP 7]<br />
** run MySQLTuner and implement its recommendations<br />
<br />
See [[Performance settings]] for more information on performance-related Moodle settings.<br />
<br />
==See also==<br />
<br />
*Using Moodle: [http://moodle.org/mod/forum/view.php?f=94 Hardware and Performance] forum<br />
*[http://opensourceelearning.blogspot.be/2012/10/why-your-moodle-site-is-slow-five.html Why Your Moodle Site is Slow: Five Simple Settings] blog post from Jonathan Moore <br />
*I teach with Moodle perfomance testing: http://www.iteachwithmoodle.com/2012/11/17/moodle-2-4-beta-performance-test-comparison-with-moodle-2-3/<br />
*[http://jfilip.ca/2013/08/20/moodle-2-4-5-vs-2-5-1-performance-and-muc-apc-cache-store/ Moodle 2.4.5 vs 2.5.2 performance and MUC APC cahe store]<br />
*[http://jfilip.ca/2013/09/25/moodle-performance-testing-2-4-6-vs-2-5-2-vs-2-6dev/ Moodle performance testing 2.4.6 vs 2.5.2 vs 2.6dev]<br />
*[http://jfilip.ca/2013/09/24/moodle-performance-analysis-revisted-now-with-mariadb/ Moodle performance analysis revisited (now with MariaDB)]<br />
*[http://tjhunt.blogspot.ca/2013/05/performance-testing-moodle.html Tim Hunt's blog (May 2, 2013) on performance testing Moodle]<br />
*[http://newrelic.com/ New Relic, Application Performance Monitoring]<br />
*[http://blog.bitnami.com/2014/06/performance-enhacements-for-apache-and.html Performance enhacements for Apache and PHP (Apache Event MPM and PHP-FPM)]<br />
*[https://scholarlms.net/performance-recommendations/ Performance recommendations]<br />
*[https://enovation.ie/moodle-performance-investigation-using-performance-info/ Moodle performance investigation – using performance info ]<br />
<br />
There have been a lot of discussions on moodle.org about performance, here are some of the more interesting and (potentially) useful ones:<br />
<br />
* [http://moodle.org/mod/forum/discuss.php?d=83057 Performance woes!]<br />
* [http://moodle.org/mod/forum/discuss.php?d=57028 Performance perspectives - a little script]<br />
* [http://moodle.org/mod/forum/discuss.php?d=88927 Comments on planned server hardware]<br />
* [http://moodle.org/mod/forum/discuss.php?d=102978#p461624 Moodle performance in a pil by Martin Langhoff]<br />
* [https://moodle.org/mod/forum/discuss.php?d=240391#unread Advice on optimising php/db code in moodle2+]<br />
* [https://moodle.org/mod/forum/discuss.php?d=243531 Moodle 2.5 performance testing at the OU]<br />
* [https://moodle.org/mod/forum/discuss.php?d=273602 100 active users limit with 4vCPU]<br />
* [https://moodle.org/mod/forum/discuss.php?d=336603#p1356423 Performance Tip ... shared...]<br />
<br />
[[es:Recomendaciones sobre desempeño]]<br />
[[fr:Recommandations_de_performance]]<br />
[[ja:パフォーマンス]]<br />
[[de:Geschwindigkeitsempfehlungen]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Performance_recommendations&diff=140723Performance recommendations2021-07-03T07:08:00Z<p>Ratna: </p>
<hr />
<div>{{Performance}}<br />
Moodle can be made to perform very well, at small usage levels or scaling up to many thousands of users. The factors involved in performance are basically the same as for any PHP-based database-driven system. When trying to optimize your server, try to focus on the factor which will make the most difference to the user. For example, if you have relatively more users browsing than accessing the database, look to improve the webserver performance.<br />
<br />
<br />
==Obtain a baseline benchmark==<br />
<br />
Before attempting any optimization, you should obtain a baseline benchmark of the component of the system you are trying to improve. For Linux try [http://lbs.sourceforge.net/ LBS] and for Windows use the Performance Monitor. Once you have quantitative data about how your system is performing currently, you'll be able to determine if the change you have made has had any real impact.<br />
<br />
The overall aim of adjustments to improve performance is to use RAM (cacheing) and to reduce disk-based activity. It is especially important to try to eliminate swap file usage as much as you can. If your system starts swapping, this is a sign that you need more RAM. <br />
<br />
The '''optimization order preference''' is usually: primary storage (more RAM), secondary storage (faster hard disks/improved hard disk configuration), processor (more and faster).<br />
<br />
It can be interesting to install and use the [https://moodle.org/plugins/report_benchmark Benchmark plugin] in order to find the bottlenecks of your system that specifically affect Moodle or do a load test / stress test with tool like JMeter. See [https://docs.moodle.org/dev/JMeter moodledev JMeter documentation]<br />
<br />
==Scalability==<br />
<br />
Moodle's design (with clear separation of application layers) allows for strongly scalable setups. (Please check the list of [[Large installations|large Moodle installations]].)<br />
<br />
Large sites usually separate the web server and database onto separate servers, although for smaller installations this is typically not necessary.<br />
<br />
It is possible to load-balance a Moodle installation, for example by using more than one webserver. The separate webservers should query the same database and refer to the same filestore and cache areas (see [[Caching]]), but otherwise the separation of the application layers is complete enough to make this kind of clustering feasible. Similarly, the database could be a cluster of servers (e.g. a MySQL cluster), but this is not an easy task and you should seek expert support, e.g. from a Moodle Partner.<br />
<br />
On very large, load-balanced, systems the performance of the shared components become critical. It's important that your shared file areas are properly tuned and that you use an effective cache (Redis is highly recommended). A good understanding of these areas of system administration should be considered a minimum requirement. <br />
<br />
===Server cluster===<br />
<br />
Using Moodle forum discussions:<br />
<br />
*[http://moodle.org/mod/forum/discuss.php?d=57202 Moodle clustering]<br />
*[http://moodle.org/mod/forum/discuss.php?d=44470 Software load balancing]<br />
*[http://moodle.org/mod/forum/discuss.php?d=49986 TCP load balancing]<br />
*[http://moodle.org/mod/forum/discuss.php?d=88214 Installation for 3000 simultaneous users]<br />
<br />
==Hardware configuration==<br />
'''Note''': The fastest and most effective change that you can make to improve performance is to '''increase the amount of RAM on your web server''' - get as much as possible (e.g. 4GB or more). Increasing primary memory will reduce the need for processes to swap to disk and will enable your server to handle more users.<br />
* Better performance is gained by obtaining the best '''processor capability''' you can, i.e. dual or dual core processors. A modern BIOS should allow you to enable hyperthreading, but check if this makes a difference to the overall performance of the processors by using a [http://en.wikipedia.org/wiki/Super_PI CPU benchmarking tool].<br />
* If you can afford them, use '''SCSI hard disks''' instead of SATA drives. SATA drives will increase your system's CPU utilization, whereas SCSI drives have their own integrated processors and come into their own when you have multiple drives. If you must have SATA drives, check that your motherboard and the drives themselves support NCQ (Native Command Queuing).<br />
* Purchase hard disks with a '''low seek time'''. This will improve the overall speed of your system, especially when accessing Moodle's reports.<br />
* Size your '''swap file''' correctly. The general advice is to set it to 4 x physical RAM.<br />
* Use a '''RAID disk system'''. Although there are many different RAID configurations you can create, the following generally works best:<br />
** install a hardware RAID controller (if you can)<br />
** the operating system and swap drive on one set of disks configured as RAID-1.<br />
** Moodle, Web server and Database server on another set of disks configured as RAID-5.<br />
* If your 'moodledata' area is going to be on relatively slow storage (e.g. NFS mount on to a NAS device) you will have performance issues with the default cache configuration (which writes to this storage). See the page on [[Caching]] and choose an alternative. Redis is recommended. Using [https://en.wikipedia.org/wiki/GlusterFS GlusterFS] / [https://en.wikipedia.org/wiki/OCFS2 OCFS2] / [https://en.wikipedia.org/wiki/GFS2 GFS2] on a [https://en.wikipedia.org/wiki/Storage_Area_Network SAN] device and [https://en.wikipedia.org/wiki/Fibre_Channel Fiber Channel] could improve performance (See more info on the Moodle [https://moodle.org/mod/forum/discuss.php?d=214680#p1123124 forum thread], [https://moodle.org/mod/forum/discuss.php?d=310501#p1242382 NFS performance tuing] )<br />
* Use '''gigabit ethernet''' for improved latency and throughput. This is especially important when you have your webserver and database server separated out on different hosts.<br />
* Check the settings on your '''network card'''. You may get an improvement in performance by increasing the use of buffers and transmit/receive descriptors (balance this with processor and memory overheads) and off-loading TCP checksum calculation onto the card instead of the OS.<br />
* Read this [http://moodle.org/mod/forum/discuss.php?d=68579 Case Study] on a server stress test with 300 users. <br />
* See this [http://elearning.sgu.ac.jp/doc/PT/ accompanying report] on network traffic and server loads.<br />
* Also see this SFSU presentation at Educause (using VMWare): [http://www.educause.edu/Resources/AnOpenSourceLMSforaMissionCrit/162843]<br />
<br />
==Operating System==<br />
* You can use [http://en.wikipedia.org/wiki/Linux Linux](recommended), Unix-based, Windows or Mac OS X for the server '''operating system'''. *nix operating systems generally require less memory than Mac OS X or Windows servers for doing the same task as the server is configured with just a shell interface. Additionally Linux does not have licensing fees attached, but can have a big learning curve if you're used to another operating system. If you have a large number of processors running SMP, you may also want to consider using a highly tuned OS such as [http://en.wikipedia.org/wiki/Solaris_Operating_Environment Solaris].<br />
* Check your own OS and '''vendor specific instructions''' for optimization steps.<br />
** For Linux look at the [http://linuxperf.sourceforge.net/ Linux Performance Team] site. <br />
** For Linux investigate the hdparm command, e.g. hdparm -m16 -d1 can be used to enable read/write on multiple sectors and DMA. Mount disks with the [https://moodle.org/mod/forum/discuss.php?d=310501#p1242382 "async" and "noatime"] options.<br />
** For Windows set the sever to be optimized for network applications (Control Panel, Network Connections, LAN connection, Properties, File & Printer Sharing for Microsoft Networks, Properties, Optimization). You can also search the [http://technet.microsoft.com/ Microsoft TechNet site] for optimization documents.<br />
<br />
==Web server performance==<br />
<br />
Installing [http://www.mozilla.com/en-US/ Firefox] and the [https://addons.mozilla.org/en-US/firefox/addon/1843 firebug] extension will allow you to watch the time it takes for each page component to load. Also, the [https://addons.mozilla.org/en-US/firefox/addon/5369 Yslow] extension will evaluate your page against Yahoo's [http://www.skrenta.com/2007/05/14_rules_for_fast_web_pages_by_1.html 14 rules], full text [http://developer.yahoo.com/performance/rules.html Best Practices for Speeding Up Your Web Site], <strike>([http://video.yahoo.com/video/play?vid=1040890 video])</strike> for fast loading websites.<br />
<br />
===PHP performance===<br />
* PHP contains a built-in accelerator. Make sure it is enabled. <br />
* Improvements in read/write performance can be improved by putting the cached PHP pages on a [[TMPFS]] filesystem - but remember that you'll lose the cache contents when there is a power failure or the server is rebooted.<br />
* Performance of PHP is better when installed as an '''Apache/IIS6 ISAPI module''' (rather than a CGI). IIS 7.0/7.5 (Windows Server 2008/R2) users should choose a FastCGI installation for best performance.<br />
* Also check the '''memory_limit''' in php.ini. The default value for the memory_limit directive is 128M. On some sites, it may need to be larger - especially for some backup operations. <br />
* Also see [[PHP_settings_by_Moodle_version]]<br />
* Use [http://blog.bitnami.com/2014/06/performance-enhacements-for-apache-and.html PHP-FPM] (with apache).<br />
<br />
===Install HowTo===<br />
==== APC ====<br />
* [http://2bits.com/articles/installing-php-apc-gnulinux-centos-5.html APC on CentOS 5.x (linux)]<br />
* [http://fplanque.com/dev/linux/install-apc-php-cache-debian-lenny APC on Debian (linux)]<br />
==== eAccelerator ====<br />
* [http://noveckg.blogspot.com/2010/02/installing-eaccelerator-cache-for-php.html Installing eAccelerator on CentOS 5.x (linux)]<br />
* [https://docs.moodle.org/en/Installing_eAccelerator_In_Ubuntu_Server/ Installing eAccelerator on Ubuntu Server (linux)]<br />
==== MemCached ====<br />
Memcached server (daemon)<br />
* [https://www.tecmint.com/install-memcached-on-centos-7/ Installing Memcached on CentOS 7.x (linux)] (as of php 7.x, only memcached is available)<br />
* [https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-memcached-on-centos-7 How To Install and Secure Memcached on CentOS 7]<br />
* [https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack#Iptables_rules_for_Redhat_based_servers Iptables rules for Redhat based servers]<br />
Memcached PHP 7.1 extension <br />
* [https://dl.iuscommunity.org/pub/ius/stable/CentOS/7/x86_64/repoview/php71u-pecl-memcached.html php71u-pecl-memcached] from IUS CentOS 7.x repository.<br />
<br />
===Apache performance===<br />
* If you are using Apache on a Windows server, use the build from [http://www.apachelounge.com Apache Lounge] which is reported to have [http://moodle.org/mod/forum/discuss.php?d=93358 performance and stability improvements] compared to the official Apache download. Note that this is an unofficial build, so may not keep up with official releases.<br />
* Set the '''MaxRequestWorkers''' directive correctly ('''MaxClients''' before Apache 2.4). Use this formula to help (which uses 80% of available memory to leave room for spare):<br />
MaxRequestWorkers = Total available memory * 80% / Max memory usage of apache process<br />
:Memory usage of apache process is usually 10MB but Moodle can easily use up to 100MB per process, so a general rule of thumb is to divide your available memory in megabytes by 100 to get a conservative setting for MaxClients. You are quite likely to find yourself lowering the MaxRequestWorkers from its default of 150 on a Moodle server. To get a more accurate estimate read the value from the shell command:<br />
#ps -ylC httpd --sort:rss<br />
<br />
:If you need to increase the value of '''MaxRequestWorkers''' beyond 256, you will also need to set the '''ServerLimit''' directive. <br />
<br />
:'''Warning''': Do not be tempted to set the value of MaxRequestWorkers higher than your available memory as your server will consume more RAM than available and start to swap to disk. <br />
* Consider reducing the '''number of modules''' that Apache loads in the httpd.conf file to the minumum necessary to reduce the memory needed. <br />
* Use the '''latest version of Apache''' - Apache 2 has an improved memory model which reduces memory usage further.<br />
* For Unix/Linux systems, consider lowering '''MaxConnectionsPerChild''' ('''MaxRequestsPerChild''' before Apache 2.4) in httpd.conf to as low as 20-30 (if you set it any lower the overhead of forking begins to outweigh the benefits). <br />
* For a heavily loaded server, consider setting '''KeepAlive Off''' (do this only if your Moodle pages do not contain links to resources or uploaded images) or lowering the '''KeepAliveTimeout''' to between 2 and 5. The default is 15 (seconds) - the higher the value the more server processes will be kept waiting for possibly idle connections. A more accurate value for KeepAliveTimeout is obtained by observing how long it takes your users to download a page. After altering any of the KeepAlive variables, monitor your CPU utilization as there may be an additional overhead in initiating more worker processes/threads.<br />
* As an alternative to using KeepAlive Off, consider setting-up a '''Reverse Proxy server''' infront of the Moodle server to cache HTML files with images. You can then return Apache to using keep-alives on the Moodle server.<br />
* If you do not use a .htaccess file, set the '''AllowOverride''' variable to AllowOverride None to prevent .htaccess lookups.<br />
* Set '''DirectoryIndex''' correctly so as to avoid content-negotiation. Here's an example from a production server:<br />
DirectoryIndex index.php index.html index.htm<br />
* Unless you are doing development work on the server, set '''ExtendedStatus Off''' and disable mod_info as well as mod_status.<br />
* Leave '''HostnameLookups Off''' (as default) to reduce DNS latency.<br />
* Consider reducing the value of '''TimeOut''' to between 30 to 60 (seconds). <br />
* For the '''Options directive''', avoid Options Multiviews as this performs a directory scan. To reduce disk I/O further use<br />
Options -Indexes FollowSymLinks<br />
<br />
* Compression reduces response times by reducing the size of the HTTP response<br />
# Install and enable mod_deflate - refer to documentation or man pages<br />
# Add this code to the virtual server config file within the <directory> section for the root directory (or within the .htaccess file if AllowOverrides is On):<br />
<ifModule mod_deflate.c><br />
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/x-js text/javascript text/css application/javascript<br />
</ifmodule><br />
* Use Apache [http://blog.bitnami.com/2014/06/performance-enhacements-for-apache-and.html event] [http://httpd.apache.org/docs/current/mpm.html MPM] (and not the default Prefork or Worker)<br />
<br />
===IIS performance===<br />
All alter this location in the registry:<br />
HKLM\SYSTEM\CurrentControlSet\Services\Inetinfo\Parameters\<br />
* The equivalent to KeepAliveTimeout is '''ListenBackLog''' (IIS - registry location is HKLM\ SYSTEM\ CurrentControlSet\ Services\ Inetinfo\ Parameters). Set this to between 2 to 5.<br />
*Change the '''MemCacheSize''' value to adjust the amount of memory (Mb) that IIS will use for its file cache (50% of available memory by default).<br />
*Change the '''MaxCachedFileSize''' to adjust the maximum size of a file cached in the file cache in bytes. Default is 262,144 (256K).<br />
*Create a new DWORD called '''ObjectCacheTTL''' to change the length of time (in milliseconds) that objects in the cache are held in memory. Default is 30,000 milliseconds (30 seconds).<br />
<br />
===Lighttpd, NginX and Cherokee performance===<br />
You can increase server performance by using a '''light-weight''' webserver like [http://www.lighttpd.net/ lighttpd], [http://nginx.net/ nginx] or [http://www.cherokee-project.com/ cherokee] in combination with PHP in FastCGI-mode. Lighttpd was originally created as a proof-of-concept[http://www.lighttpd.net/story] to address the [http://www.kegel.com/c10k.html C10k problem] and while primarily recommended for memory-limited servers, its design origins and asynchronous-IO model make it a suitable and proven[http://blog.lighttpd.net/articles/2006/12/28/lighttpd-powers-5-alexa-top-250-sites] alternative HTTP server for high-load websites and web apps, including Moodle. See the [[lighttpd | MoodleDocs Lighttpd page]] for additional information, configuration example and links.<br />
<br />
Alternatively, both [http://www.lighttpd.net/ lighttpd] and [http://nginx.net/ nginx] are capable of performing as a load-balancer and/or reverse-proxy to alleviate load on back-end servers[http://www.linuxjournal.com/article/10108], providing benefit without requiring an actual software change on existing servers.<br />
<br />
Do note that these are likely to be the least tested server environments of all particularly if you are using advanced features such as web services and/or Moodle Networking. They are probably best considered for heavily used Moodle sites with relatively simple configurations.<br />
<br />
===X-Sendfile===<br />
<br />
X-Sendfile modules improve performance when sending large files from Moodle. It is recommended to configure your web server and Moodle to use this feature if available.<br />
<br />
Configure web server:<br />
* Apache - https://tn123.org/mod_xsendfile/<br />
* Lighttpd - http://redmine.lighttpd.net/projects/lighttpd/wiki/X-LIGHTTPD-send-file<br />
* Nginx - http://wiki.nginx.org/XSendfile<br />
<br />
Enable support in config.php (see config-dist.php):<br />
<code php><br />
// $CFG->xsendfile = 'X-Sendfile'; // Apache {@see https://tn123.org/mod_xsendfile/}<br />
// $CFG->xsendfile = 'X-LIGHTTPD-send-file'; // Lighttpd {@see http://redmine.lighttpd.net/projects/lighttpd/wiki/X-LIGHTTPD-send-file}<br />
// $CFG->xsendfile = 'X-Accel-Redirect'; // Nginx {@see http://wiki.nginx.org/XSendfile}<br />
</code><br />
<br />
Configure file location prefixes if your server implementation requires it:<br />
<code php><br />
// $CFG->xsendfilealiases = array(<br />
// '/dataroot/' => $CFG->dataroot,<br />
// '/cachedir/' => '/var/www/moodle/cache', // for custom $CFG->cachedir locations<br />
// '/localcachedir/' => '/var/local/cache', // for custom $CFG->localcachedir locations<br />
// '/tempdir/' => '/var/www/moodle/temp', // for custom $CFG->tempdir locations<br />
// '/filedir' => '/var/www/moodle/filedir', // for custom $CFG->filedir locations<br />
// );<br />
</code><br />
<br />
== Cron performance ==<br />
<br />
Cron is a very important part of the overall performance of moodle as many asynchronous processes are offloaded to cron, so it needs to be running and have enough through put to handle the work being given to it by the front ends.<br />
<br />
See [[Cron_with_Unix_or_Linux#High_performance_cron_tasks]]<br />
<br />
==Database performance==<br />
<br />
===MySQL performance===<br />
<br />
The '''number one thing''' you can do to improve MySQL performance is to read, understand and implement the recommendations in the [https://dev.mysql.com/doc/refman/5.7/en/innodb-buffer-pool.html Innodb Buffer Pool] article.<br />
<br />
The [https://dev.mysql.com/doc/refman/5.7/en/innodb-buffer-pool-resize.html buffer pool size] can safely be changed while your server is running, as long as your server has enough memory (RAM) to accommodate the value you set. On a machine that is dedicated to MySQL, you can safely set this value to 80% of available memory.<br />
<br />
Consider setting [https://dev.mysql.com/doc/refman/5.7/en/innodb-parameters.html#sysvar_innodb_buffer_pool_instances innodb_buffer_pool_instances] to the number of cores, vCPUs, or chips you have available. Adjust this value in accordance with the recommendations in the [https://dev.mysql.com/doc/refman/5.7/en/innodb-buffer-pool-resize.html MySQL documentation].<br />
<br />
The following are MySQL specific settings which can be adjusted for better performance in your my.cnf (my.ini in Windows). The file contains a list of settings and their values. To see the current values use these commands<br />
SHOW STATUS;<br />
SHOW VARIABLES; <br />
'''Important''': You must make backups of your database before attempting to change any MySQL server configuration. After any change to the my.cnf, restart mysqld.<br />
<br />
If you are able, the [http://mysqltuner.pl/ MySQLTuner] tool can be run against your MySQL server and will calculate appropriate configuration values for most of the following settings based on your current load, status and variables automatically.<br />
<br />
* Enable the '''query cache''' with <br />
query_cache_type = 1. <br />
For most Moodle installs, set the following:<br />
query_cache_size = 36M <br />
query_cache_min_res_unit = 2K. <br />
The query cache will improve performance if you are doing few updates on the database. <br />
* Set the '''table cache''' correctly. For Moodle 1.6 set <br />
table_cache = 256 #(table_open_cache in MySQL > 5.1.2)<br />
(min), and for Moodle 1.7 set <br />
table_cache = 512 #(table_open_cache in MySQL > 5.1.2)<br />
(min). The table cache is used by all threads (connections), so monitor the value of opened_tables to further adjust - if opened_tables > 3 * table_cache(table_open_cache in MySQL > 5.1.2) then increase table_cache upto your OS limit. Note also that the figure for table_cache will also change depending on the number of modules and plugins you have installed. Find the number for your server by executing the mysql statement below. Look at the number returned and set table_cache to this value.<br />
mysql>SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema='yourmoodledbname';<br />
* Set the '''thread cache''' correctly. Adjust the value so that your thread cache utilization is as close to 100% as possible by this formula:<br />
thread cache utilization (%) = (threads_created / connections) * 100<br />
* The '''key buffer''' can improve the access speed to Moodle's SELECT queries. The correct size depends on the size of the index files (.myi) and in Moodle 1.6 or later (without any additional modules and plugins), the recommendation for this value is key_buffer_size = 32M. Ideally you want the database to be reading once from the disk for every 100 requests so monitor that the value is suitable for your install by adjusting the value of key_buffer_size so that the following formulas are true:<br />
key_read / key_read_requests < 0.01<br />
key_write / key_write_requests <= 1.0<br />
* Set the '''maximum number of connections''' so that your users will not see a "Too many connections" message. Be careful that this may have an impact on the total memory used. MySQL connections usually last for milliseconds, so it is unusual even for a heavily loaded server for this value to be over 200.<br />
* Manage '''high burst activity'''. If your Moodle install uses a lot of quizzes and you are experiencing performance problems (check by monitoring the value of threads_connected - it should not be rising) consider increasing the value of back_log.<br />
* '''Optimize your tables weekly and after upgrading Moodle'''. It is good practice to also optimize your tables after performing a large data deletion exercise, e.g. at the end of your semester or academic year. This will ensure that index files are up to date. Backup your database first and then use:<br />
mysql>CHECK TABLE mdl_tablename;<br />
mysql>OPTIMIZE TABLE mdl_tablename;<br />
:The common tables in Moodle to check are mdl_course_sections, mdl_forum_posts, mdl_log and mdl_sessions (if using dbsessions). Any errors need to be corrected using REPAIR TABLE (see the [http://dev.mysql.com/doc/refman/5.0/en/repair-table.html MySQL manual] and this [http://moodle.org/mod/forum/discuss.php?d=58208#p279638 forum script]).<br />
* '''Maintain the key distribution'''. Every month or so it is a good idea to stop the mysql server and run these myisamchk commands.<br />
#myisamchk -a -S /pathtomysql/data/moodledir/*.MYI<br />
:'''Warning''': You must stop the mysql database process (mysqld) before running any myisamchk command. If you do not, you risk data loss.<br />
* Reduce the number of '''temporary tables saved to disk'''. Check this with the created_tmp_disk_tables value. If this is relatively large (>5%) increase tmp_table_size until you see a reduction. Note that this will have an impact on RAM usage.<br />
<br />
===PostgreSQL performance===<br />
<br />
There are some good papers around on tuning PostgreSQL (like [http://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server this one]), and Moodle's case does not seem to be different to the general case.<br />
<br />
The first thing to recognise is that if you really need to worry about tuning you should be using a separate machine for the database server. If you are not using a separate machine then the answers to many performance questions are substantially muddied by the memory requirements of the rest of the application.<br />
<br />
You should probably '''enable autovacuum''', unless you know what you are doing. Many e-learning sites have predictable periods of low use, so disabling autovacuum and running a specific vacuum at those times can be a good option. Or perhaps leave autovacuum running but do a full vacuum weekly in a quiet period.<br />
<br />
Set '''shared_buffers''' to something reasonable. For versions up to 8.1 my testing has shown that peak performance is almost always obtained with buffers < 10000, so if you are using such a version, and have more than 512M of RAM just set shared_buffers to 10,000 (8MB).<br />
<br />
The buffer management had a big overhaul in 8.2 and "reasonable" is now a much larger number. I have not conducted performance tests with 8.2, but the recommendations from others are generally that you should now scale shared_buffers much more with memory and may continue to reap benefits even up to values like 100,000 (80MB). Consider using 1-2% of system RAM.<br />
<br />
PostgreSQL will also assume that the operating system is caching its files, so setting '''effective_cache_size''' to a reasonable value is also a good idea. A reasonable value will usually be (total RAM - RAM in use by programs). If you are running Linux and leave the system running for a day or two you can look at 'free' and under the 'cached' column you will see what it currently is. Consider taking that number (which is kB) and dividing it by 10 (i.e. allow 20% for other programs cache needs and then divide by 8 to get pages). If you are not using a dedicated database server you will need to decrease that value to account for usage by other programs.<br />
<br />
Some other useful parameters that can have positive effects, and the values I would typically set them to on a machine with 4G RAM, are:<br />
<br />
work_mem = 10240<br />
<br />
That's 10M of RAM to use instead of on-disk sorting and so forth. That can give a big speed increase, but it is per connection and 200 connections * 10M is 2G, so it can theoretically chew up a lot of RAM.<br />
<br />
maintenance_work_mem = 163840<br />
<br />
That's 160M of RAM which will be used by (e.g.) VACUUM, index rebuild, cluster and so forth. This should only be used periodically and should be freed when those processes exit, so I believe it is well worth while.<br />
<br />
wal_buffers = 64<br />
<br />
These buffers are used for the write-ahead log, and there have been a number of reports on the PostgreSQL mailing lists of improvement from this level of increase.<br />
<br />
This is a little out of date now (version 8.0) but still worth a read: http://www.powerpostgresql.com/Docs<br />
<br />
And there is lots of good stuff here as well: http://www.varlena.com/GeneralBits/Tidbits/index.php<br />
<br />
''Based on Andrew McMillan's post at [http://moodle.org/mod/forum/discuss.php?d=68558 Tuning PostgreSQL] forum thread.''<br />
<br />
* Splitting '''mdl_log''' to several tables and using a VIEW with UNION to read them as one. (See Tim Hunt [https://moodle.org/mod/forum/discuss.php?d=243531#p1104165 explanation] on the Moodle forums)<br />
<br />
=== Read replicas ===<br />
<br />
Since Moodle 3.9 you can configure read replica's to be used where possible. For very large systems as much as 80-90% of the DB load can be moved away from the primary. For configuration see config-dist:<br />
<br />
https://github.com/moodle/moodle/blob/master/config-dist.php#L84-L117<br />
<br />
===Other database performance links===<br />
* Consider using a '''distributed cacheing system''' like [http://en.wikipedia.org/wiki/Memcached memcached] but note that memcached does not have any security features so it should be used behind a firewall.<br />
* Consider using PostgreSQL. See [http://moodle.org/mod/forum/discuss.php?d=49195 how to migrate from MySQL to PostgreSQL] (forum discussion).<br />
* [http://dev.mysql.com/doc/refman/5.0/en/server-parameters.html General advice on tuning MySQL parameters] (advice from the MySQL manual)<br />
* [http://www.mysqlperformanceblog.com/2007/11/01/innodb-performance-optimization-basics/ InnoDB performance optimization] taken from the [http://www.mysqlperformanceblog.com/ MySQL performance blog] site.<br />
<br />
==Performance of different Moodle modules==<br />
<br />
Moodle's activity modules, filters, and other plugins can be activated/deactivated. If necessary, you may wish to deactivate some features (such as chat) if not required - but this isn't necessary. Some notes on the performance of certain modules:<br />
<br />
* The '''Chat''' module is [http://moodle.org/mod/forum/discuss.php?d=37979&parent=175079 said] to be a hog in terms of frequent HTTP requests to the main server. This can be reduced by setting the module to use ''Streamed'' updates, or, if you're using a Unix-based webserver, by running the chat in daemon mode. When using the Chat module use the configuration settings to tune for your expected load. Pay particular attention to the ''chat_old_ping'' and ''chat_refresh'' parameters as these can have greatest impact on server load.<br />
* The Moodle '''Cron''' task is triggered by calling the script ''cron.php''. If this is called over HTTP (e.g. using wget or curl) it can take a large amount of memory on large installations. If it is called by directly invoking the php command (e.g. ''php -f /path/to/moodle/directory/admin/cli/cron.php'') efficiency can be much improved.<br />
* The '''Recent activities''' block is consuming too many resources if you have huge number of records <code>mdl_log</code>. This is being tested to optimize the SQL query.<br />
* The '''Quiz''' module is known to stretch database performance. However, it has been getting better in recent versions, and we don't know of any good, up-to-date performance measurements. (Here is a [http://moodle.org/mod/forum/discuss.php?d=68579 case study from 2007 with 300 quiz users].). The following suggestions were described by [https://moodle.org/user/view.php?id=94615&course=5 Al Rachels] in [https://moodle.org/mod/forum/discuss.php?d=347126 this forum thread]:<br />
** make sure both Moodle, and the operating system, are installed on a [https://en.wikipedia.org/wiki/Solid-state_drive solid state drive]<br />
** upgrade to and use [https://docs.moodle.org/dev/Moodle_and_PHP7 PHP 7]<br />
** run MySQLTuner and implement its recommendations<br />
<br />
See [[Performance settings]] for more information on performance-related Moodle settings.<br />
<br />
==See also==<br />
<br />
*Using Moodle: [http://moodle.org/mod/forum/view.php?f=94 Hardware and Performance] forum<br />
*[http://opensourceelearning.blogspot.be/2012/10/why-your-moodle-site-is-slow-five.html Why Your Moodle Site is Slow: Five Simple Settings] blog post from Jonathan Moore <br />
*I teach with Moodle perfomance testing: http://www.iteachwithmoodle.com/2012/11/17/moodle-2-4-beta-performance-test-comparison-with-moodle-2-3/<br />
*[http://jfilip.ca/2013/08/20/moodle-2-4-5-vs-2-5-1-performance-and-muc-apc-cache-store/ Moodle 2.4.5 vs 2.5.2 performance and MUC APC cahe store]<br />
*[http://jfilip.ca/2013/09/25/moodle-performance-testing-2-4-6-vs-2-5-2-vs-2-6dev/ Moodle performance testing 2.4.6 vs 2.5.2 vs 2.6dev]<br />
*[http://jfilip.ca/2013/09/24/moodle-performance-analysis-revisted-now-with-mariadb/ Moodle performance analysis revisited (now with MariaDB)]<br />
*[http://tjhunt.blogspot.ca/2013/05/performance-testing-moodle.html Tim Hunt's blog (May 2, 2013) on performance testing Moodle]<br />
*[http://newrelic.com/ New Relic, Application Performance Monitoring]<br />
*[http://blog.bitnami.com/2014/06/performance-enhacements-for-apache-and.html Performance enhacements for Apache and PHP (Apache Event MPM and PHP-FPM)]<br />
*[https://scholarlms.net/performance-recommendations/ Performance recommendations]<br />
*[https://enovation.ie/moodle-performance-investigation-using-performance-info/ Moodle performance investigation – using performance info ]<br />
<br />
There have been a lot of discussions on moodle.org about performance, here are some of the more interesting and (potentially) useful ones:<br />
<br />
* [http://moodle.org/mod/forum/discuss.php?d=83057 Performance woes!]<br />
* [http://moodle.org/mod/forum/discuss.php?d=57028 Performance perspectives - a little script]<br />
* [http://moodle.org/mod/forum/discuss.php?d=88927 Comments on planned server hardware]<br />
* [http://moodle.org/mod/forum/discuss.php?d=102978#p461624 Moodle performance in a pil by Martin Langhoff]<br />
* [https://moodle.org/mod/forum/discuss.php?d=240391#unread Advice on optimising php/db code in moodle2+]<br />
* [https://moodle.org/mod/forum/discuss.php?d=243531 Moodle 2.5 performance testing at the OU]<br />
* [https://moodle.org/mod/forum/discuss.php?d=273602 100 active users limit with 4vCPU]<br />
* [https://moodle.org/mod/forum/discuss.php?d=336603#p1356423 Performance Tip ... shared...]<br />
<br />
[[es:Recomendaciones sobre desempeño]]<br />
[[fr:Recommandations_de_performance]]<br />
[[ja:パフォーマンス]]<br />
[[de:Geschwindigkeitsempfehlungen]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=User:Visvanath_Ratnaweera&diff=103796User:Visvanath Ratnaweera2013-03-31T20:53:06Z<p>Ratna: Deleted</p>
<hr />
<div>Deleted [[User:Visvanath Ratnaweera|Visvanath Ratnaweera]] 04:53, 1 April 2013 (WST)</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Talk:Step-by-step_Installation_Guide_for_Ubuntu&diff=103795Talk:Step-by-step Installation Guide for Ubuntu2013-03-31T20:44:13Z<p>Ratna: chmod 777 ???</p>
<hr />
<div>Are you sure you going to leave the permissions at these:<br />
<pre>sudo chmod 777 /var/moodledata<br />
sudo chmod 777 /var/www/moodle</pre><br />
???<br />
[[User:Visvanath Ratnaweera|Visvanath Ratnaweera]] 04:44, 1 April 2013 (WST)</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Installing_Moodle_on_Debian_based_distributions&diff=103737Installing Moodle on Debian based distributions2013-03-24T19:46:45Z<p>Ratna: Moved to my blog at www.syndrega.ch</p>
<hr />
<div>Moved to http://www.syndrega.ch/?p=38.<br />
<br />
<!--- Categories --><br />
[[Category:Installation]]<br />
[[Category:Installation]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=File:webbench-in-vb.png&diff=97014File:webbench-in-vb.png2012-04-17T14:12:22Z<p>Ratna: uploaded a new version of &quot;File:webbench-in-vb.png&quot;</p>
<hr />
<div></div>Ratnahttps://docs.moodle.org/405/en/index.php?title=File:webbench-in-vb.png&diff=97013File:webbench-in-vb.png2012-04-17T14:10:49Z<p>Ratna: </p>
<hr />
<div></div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Talk:Cron_with_Unix_or_Linux&diff=96748Talk:Cron with Unix or Linux2012-03-31T22:00:55Z<p>Ratna: /* Linux _is_ Unix, Mac OS too */ new section</p>
<hr />
<div>== Since wget is being used to run the cron.php script anyway, you can really run this ANYWHERE ==<br />
:Brought this comment from 2.0 Cron comment page. It was unsigned/undated --[[User:chris collman|chris collman]] 20:09, 22 November 2011 (WST)<br />
It is important to note that since the cron.php script is not run internally by Moodle, but by an outside interaction, you can really run a cron job on ANY server that runs the cron.php on your Moodle installation.<br />
<br />
So, for example, if you have a Moodle install at an ISP that does not let you run cron jobs, but you have, say, a DSLline at home, you can use any of your Linux computers at home to run cron. (you do use Linux at home, right? :)<br />
<br />
And the beauty of it is, the crontab line is *exactly* the same as listed in the main article. It just points to an outside URL.<br />
<br />
Now, I mention this because at one point I had configured a server to run Moodle but, in the interest of security, I did not have wget available on the server. (cron was available, but not wget).<br />
<br />
Well, the easiest thing to do was to just run a cron job somewhere else.<br />
<br />
Alrighty, seeyalater!<br />
<br />
== Update and clarify ==<br />
:Brought this comment from 2.0 Cron comment page. It was unsigned/undated --[[User:chris collman|chris collman]] 20:09, 22 November 2011 (WST)<br />
<br />
* The whole cronclionly vs. shell invocation vs. "using wget" is completely misleading.<br />
** while you can call cron.php using a web browser or a command line web "browser" like wget, curl, lynx from outside or inside the server. The latter commands can be scripted, e.g. to be called by cron.<br />
** the "cronclionly" checkbox restricts the call to cron.php to calling it from inside the server and only using "bin/php". This can be scripted to be called by cron, as well.<br />
* It should be said somewhere that using e.g. the "www-data" user in e.g. /etc/cron.d/moodle is far better than using /etc/crontab which is executed by root. AFAICS this is nowhere mentioned.<br />
<br />
== Linux _is_ Unix, Mac OS too ==<br />
<br />
Why does it say "Unix or Linux"? Linux _is_ Unix!<br />
<br />
One could say "Unix (and Linux)". But then Mac OS X is Unix too.<br />
<br />
The best is to continue with the original article [Cron] and maintain the section "Unix" (it will be valid for Linux and Mac OS X).<br />
[[User:Visvanath Ratnaweera|Visvanath Ratnaweera]] 06:00, 1 April 2012 (WST)</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=User:Visvanath_Ratnaweera&diff=96120User:Visvanath Ratnaweera2012-02-27T19:55:40Z<p>Ratna: </p>
<hr />
<div>{{Note|<br />
<em>note a priori:</em> Morbi ac quam risus, ultricies faucibus odio. Fusce eu ultricies velit. Cras lobortis dolor ut leo rhoncus vulputate. Donec eget felis tellus. Duis ac odio vitae eros egestas ornare vel ut leo. Curabitur bibendum, purus sit amet ultrices tincidunt, risus sapien dignissim libero, ac semper erat nunc et nisl. Quisque aliquam ornare blandit.<br />
}}<br />
<br />
<blockquote>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit,</blockquote><br />
<br />
<br />
<h2>Section One</h2><br />
<p>Qua soi <abbr>abbr</abbr> Aliquam leo augue, posuere eget facilisis eu, euismod sit amet quam. Sed ultrices est vitae arcu tristique malesuada mattis nibh feugiat. Aliquam libero justo, condimentum ut consectetur facilisis, imperdiet tempus velit. Sed consequat lacinia lacus a eleifend. Cras sed magna sem</p><br />
<br />
<h3>Subsection One.one</h3><br />
<br />
<h4>Subsubsection One.one.one</h4> <br />
<br />
<h2>Section Two</h2><br />
<p>Morbi gravida nisi ac metus pulvinar varius. Curabitur cursus libero metus, eu tempus lorem. Ut dictum scelerisque nisl, sit amet adipiscing velit commodo vitae. Donec a turpis enim, quis adipiscing elit. Mauris consequat euismod ligula eu eleifend. Integer nec elit risus. Donec eros nisi, laoreet eget interdum ultricies, elementum at tellus.</p><br />
<br />
<h3>Subsection Two.one</h3><br />
<p>Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p><br />
<br />
<h4>Subsection Two.two</h4> <br />
<p>Sed quia consequuntur magni dolores eos qui ratione voluptatem<ref>Asd adf ilkaa la asdf adf adfa aaa.</ref> sequi nesciunt. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p><br />
<br />
$ <b>quo <var>vadis</var></b><br />
<var>apoko</var> pts/4 A.D. 2012-02-11 13:14 (:0.0)<br />
; son qommone de mal<br />
ghande><br />
<br />
<p>Curabitur mattis nisi eu nunc porttitor mattis. Praesent condimentum purus non libero blandit et viverra purus malesuada. Aliquam eget nulla vitae nunc tincidunt faucibus. Vestibulum tempus dui id quam elementum lobortis. Aliquam erat volutpat. Quisque sollicitudin lacinia orci et fringilla. Curabitur risus sem, volutpat non lobortis quis, suscipit a erat. In ac magna leo.</p><br />
<br />
<h2>Reference list</h2><br />
<references /><br />
<br />
<h2>External links</h2><br />
[http://www.example.com/ http://www.example.com/] - lot of goodies<br />
<br />
<!--- Categories ---><br />
[[:Category:Nonsense:]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=User:Visvanath_Ratnaweera&diff=96095User:Visvanath Ratnaweera2012-02-25T14:40:44Z<p>Ratna: </p>
<hr />
<div>{{Note|<br />
<em>note a priori:</em> Morbi ac quam risus, ultricies faucibus odio. Fusce eu ultricies velit. Cras lobortis dolor ut leo rhoncus vulputate. Donec eget felis tellus. Duis ac odio vitae eros egestas ornare vel ut leo. Curabitur bibendum, purus sit amet ultrices tincidunt, risus sapien dignissim libero, ac semper erat nunc et nisl. Quisque aliquam ornare blandit.<br />
}}<br />
<br />
<blockquote>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit,</blockquote><br />
<br />
<br />
<h2>Section One</h2><br />
<p>Qua soi <abbr>abbr</abbr> Aliquam leo augue, posuere eget facilisis eu, euismod sit amet quam. Sed ultrices est vitae arcu tristique malesuada mattis nibh feugiat. Aliquam libero justo, condimentum ut consectetur facilisis, imperdiet tempus velit. Sed consequat lacinia lacus a eleifend. Cras sed magna sem</p><br />
<br />
<h3>Subsection One.one</h3><br />
<br />
<h4>Subsubsection One.one.one</h4> <br />
<br />
<h2>Section Two</h2><br />
<p>Morbi gravida nisi ac metus pulvinar varius. Curabitur cursus libero metus, eu tempus lorem. Ut dictum scelerisque nisl, sit amet adipiscing velit commodo vitae. Donec a turpis enim, quis adipiscing elit. Mauris consequat euismod ligula eu eleifend. Integer nec elit risus. Donec eros nisi, laoreet eget interdum ultricies, elementum at tellus.</p><br />
<br />
<h3>Subsection Two.one</h3><br />
<p>Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p><br />
<br />
<h4>Subsection Two.two</h4> <br />
<p>Sed quia consequuntur magni dolores eos qui ratione voluptatem<ref>Asd adf ilkaa la asdf adf adfa aaa.</ref> sequi nesciunt. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p><br />
<br />
$ <b>quo <var>vadis</var></b><br />
<var>apoko</var> pts/4 A.D. 2012-02-11 13:14 (:0.0)<br />
; son qommone de mal<br />
ghande><br />
<br />
<p>Curabitur mattis nisi eu nunc porttitor mattis. Praesent condimentum purus non libero blandit et viverra purus malesuada. Aliquam eget nulla vitae nunc tincidunt faucibus. Vestibulum tempus dui id quam elementum lobortis. Aliquam erat volutpat. Quisque sollicitudin lacinia orci et fringilla. Curabitur risus sem, volutpat non lobortis quis, suscipit a erat. In ac magna leo.</p><br />
<br />
<h2>Reference list</h2><br />
{{Reflist}}<br />
<br />
<h2>External links</h2><br />
[http://www.example.com/ http://www.example.com/] - lot of goodies<br />
<br />
<!--- Categories ---><br />
[[:Category:Nonsense:]]</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=User:Visvanath_Ratnaweera&diff=96033User:Visvanath Ratnaweera2012-02-21T15:20:31Z<p>Ratna: </p>
<hr />
<div>{{Note|<br />
<em>note a priori:</em> Morbi ac quam risus, ultricies faucibus odio. Fusce eu ultricies velit. Cras lobortis dolor ut leo rhoncus vulputate. Donec eget felis tellus. Duis ac odio vitae eros egestas ornare vel ut leo. Curabitur bibendum, purus sit amet ultrices tincidunt, risus sapien dignissim libero, ac semper erat nunc et nisl. Quisque aliquam ornare blandit.<br />
}}<br />
<br />
<blockquote>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit,</blockquote><br />
<br />
<br />
<h2>Section One</h2><br />
<p>Qua soi <abbr>abbr</abbr> Aliquam leo augue, posuere eget facilisis eu, euismod sit amet quam. Sed ultrices est vitae arcu tristique malesuada mattis nibh feugiat. Aliquam libero justo, condimentum ut consectetur facilisis, imperdiet tempus velit. Sed consequat lacinia lacus a eleifend. Cras sed magna sem</p><br />
<br />
<h3>Subsection One.one</h3><br />
<br />
<h4>Subsubsection One.one.one</h4> <br />
<br />
<h2>Section Two</h2><br />
<p>Morbi gravida nisi ac metus pulvinar varius. Curabitur cursus libero metus, eu tempus lorem. Ut dictum scelerisque nisl, sit amet adipiscing velit commodo vitae. Donec a turpis enim, quis adipiscing elit. Mauris consequat euismod ligula eu eleifend. Integer nec elit risus. Donec eros nisi, laoreet eget interdum ultricies, elementum at tellus.</p><br />
<br />
<h3>Subsection Two.one</h3><br />
<p>Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p><br />
<br />
<h4>Subsection Two.two</h4> <br />
<p>Sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p><br />
<br />
$ <b>who <var>is there</var></b><br />
dodo pts/4 2012-02-11 13:14 (:0.0)<br />
# comment or super user<br />
mysql><br />
<br />
<p>Curabitur mattis nisi eu nunc porttitor mattis. Praesent condimentum purus non libero blandit et viverra purus malesuada. Aliquam eget nulla vitae nunc tincidunt faucibus. Vestibulum tempus dui id quam elementum lobortis. Aliquam erat volutpat. Quisque sollicitudin lacinia orci et fringilla. Curabitur risus sem, volutpat non lobortis quis, suscipit a erat. In ac magna leo. ></p></div>Ratnahttps://docs.moodle.org/405/en/index.php?title=User:Visvanath_Ratnaweera&diff=96032User:Visvanath Ratnaweera2012-02-21T15:17:15Z<p>Ratna: V1 for doc forum</p>
<hr />
<div>{{Note|<br />
<em>note a priori:</em> Morbi ac quam risus, ultricies faucibus odio. Fusce eu ultricies velit. Cras lobortis dolor ut leo rhoncus vulputate. Donec eget felis tellus. Duis ac odio vitae eros egestas ornare vel ut leo. Curabitur bibendum, purus sit amet ultrices tincidunt, risus sapien dignissim libero, ac semper erat nunc et nisl. Quisque aliquam ornare blandit.ppear on a yellow background.<br />
}}<br />
<br />
<blockquote>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit,</blockquote><br />
<br />
<br />
<h2>Section One</h2><br />
<p>Qua soi <abbr>abbr</abbr> Aliquam leo augue, posuere eget facilisis eu, euismod sit amet quam. Sed ultrices est vitae arcu tristique malesuada mattis nibh feugiat. Aliquam libero justo, condimentum ut consectetur facilisis, imperdiet tempus velit. Sed consequat lacinia lacus a eleifend. Cras sed magna sem</p><br />
<br />
<h3>Subsection One.one</h3><br />
<br />
<h4>Subsubsection One.one.one</h4> <br />
<br />
<h2>Section Two</h2><br />
<p>Morbi gravida nisi ac metus pulvinar varius. Curabitur cursus libero metus, eu tempus lorem. Ut dictum scelerisque nisl, sit amet adipiscing velit commodo vitae. Donec a turpis enim, quis adipiscing elit. Mauris consequat euismod ligula eu eleifend. Integer nec elit risus. Donec eros nisi, laoreet eget interdum ultricies, elementum at tellus.</p><br />
<br />
<h3>Subsection Two.one</h3><br />
<p>Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p><br />
<br />
<h4>Subsection Two.two</h4> <br />
<p>Sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p><br />
<br />
$ <b>who <var>is there</var></b><br />
dodo pts/4 2012-02-11 13:14 (:0.0)<br />
# comment or super user<br />
mysql><br />
<br />
<p>Curabitur mattis nisi eu nunc porttitor mattis. Praesent condimentum purus non libero blandit et viverra purus malesuada. Aliquam eget nulla vitae nunc tincidunt faucibus. Vestibulum tempus dui id quam elementum lobortis. Aliquam erat volutpat. Quisque sollicitudin lacinia orci et fringilla. Curabitur risus sem, volutpat non lobortis quis, suscipit a erat. In ac magna leo. ></p></div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Talk:Installing_Moodle_on_Debian_based_distributions&diff=95914Talk:Installing Moodle on Debian based distributions2012-02-16T17:46:25Z<p>Ratna: /* PHP modules and phpinfo() */ new section</p>
<hr />
<div>TODO <br />
Suggest that the mysql secure utility is used. I refer to it in my Amazon EC2 install page. Copy & paste from there.<br />
Mention the various extra that need to be installed php-pear etc.<br />
Test php by using a phpinfo page<br />
<br />
== "Secure MySQL server" ==<br />
<br />
Debian (and Ubuntu) MySQL server installation prompts the user to set a password for MySQL root. You can see the corr. dialog in the section MySQL, commented as (set the mysql-root password). So "mysqladmin -u root password 'new-password'" thing is obsolete.<br />
[[User:Visvanath Ratnaweera|Visvanath Ratnaweera]] 01:40, 17 February 2012 (WST)<br />
<br />
== PHP modules and phpinfo() ==<br />
<br />
Yes, the list of the necessary PHP modules is incomplete.<br />
<br />
I want to count them seperately for each Moodle version. The list for 1.9 is there, the others will come as I do a test installation for each version.<br />
<br />
Yes, I should add the story of "phpinfo();" single liner. Will do.<br />
<br />
Thanks for the feedback.<br />
[[User:Visvanath Ratnaweera|Visvanath Ratnaweera]] 01:46, 17 February 2012 (WST)</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=Talk:Installing_Moodle_on_Debian_based_distributions&diff=95913Talk:Installing Moodle on Debian based distributions2012-02-16T17:40:02Z<p>Ratna: /* "Secure MySQL server" */ new section</p>
<hr />
<div>TODO <br />
Suggest that the mysql secure utility is used. I refer to it in my Amazon EC2 install page. Copy & paste from there.<br />
Mention the various extra that need to be installed php-pear etc.<br />
Test php by using a phpinfo page<br />
<br />
== "Secure MySQL server" ==<br />
<br />
Debian (and Ubuntu) MySQL server installation prompts the user to set a password for MySQL root. You can see the corr. dialog in the section MySQL, commented as (set the mysql-root password). So "mysqladmin -u root password 'new-password'" thing is obsolete.<br />
[[User:Visvanath Ratnaweera|Visvanath Ratnaweera]] 01:40, 17 February 2012 (WST)</div>Ratnahttps://docs.moodle.org/405/en/index.php?title=User:Visvanath_Ratnaweera&diff=95745User:Visvanath Ratnaweera2012-02-11T12:21:41Z<p>Ratna: </p>
<hr />
<div><p><blockquote>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit,</blockquote></p><br />
<br />
<p><blockquote>sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</blockquote></p><br />
<br />
<p><blockquote><cite>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam,</cite></blockquote></p><br />
<br />
<p><blockquote><ul><br />
<li><dfn>dsdf</dfn>dsdfsd</li><br />
<li>dsdf</li><br />
</ul></blockquote></p><br />
<br />
<p><blockquote><dl><br />
<dt>dsdf</dt><br />
<dd>sdfsdfsdfsd</dd><br />
<dt>dsdf</dt><br />
<dd>sdfsdfsdfsd</dd><br />
</dl></blockquote></p><br />
<br />
<br />
<h2>First Section</h2><br />
<p>Ha ha <abbr>abbr</abbr> for a <big>biiig</big> hug.</p><br />
<br />
<h3>Subsection</h3><br />
<br />
<h4>Subsubsection</h4> <br />
<br />
<h2>Second Section</h2><br />
<br />
<h3>Subsection</h3><br />
<p>sdfds sdfsd sdfsd fdsf sdf</p><br />
<br />
<h4>Subsubsection</h4> <br />
<p>Sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p><br />
<br />
<p><code>$ <b>who <var>is there</var></b><br /><br />
rtn pts/4 2012-02-11 13:14 (:0.0)<br /><br />
# comment or super user<br /><br />
mysql></code></p><br />
<br />
<p>Sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p><br />
<br />
<p><pre>$ <b>who <var>is there</var></b><br />
rtn pts/4 2012-02-11 13:14 (:0.0)<br />
# comment or super user<br />
mysql></pre></p><br />
<br />
<p>Sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p></div>Ratnahttps://docs.moodle.org/405/en/index.php?title=User:Visvanath_Ratnaweera&diff=95744User:Visvanath Ratnaweera2012-02-11T12:17:18Z<p>Ratna: code or pre?</p>
<hr />
<div><p><blockquote>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit,</blockquote></p><br />
<br />
<p><blockquote>sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</blockquote></p><br />
<br />
<p><blockquote><cite>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam,</cite></blockquote></p><br />
<br />
<p><blockquote><ul><br />
<li><dfn>dsdf</dfn>dsdfsd</li><br />
<li>dsdf</li><br />
</ul></blockquote></p><br />
<br />
<p><blockquote><dl><br />
<dt>dsdf</dt><br />
<dd>sdfsdfsdfsd</dd><br />
<dt>dsdf</dt><br />
<dd>sdfsdfsdfsd</dd><br />
</dl></blockquote></p><br />
<br />
<br />
<h2>First Section</h2><br />
<p>Ha ha <abbr>abbr</abbr> for a <big>biiig</big> hug.</p><br />
<br />
<h3>Subsection</h3><br />
<br />
<h4>Subsubsection</h4> <br />
<br />
<h2>Second Section</h2><br />
<br />
<h3>Subsection</h3><br />
<p>sdfds sdfsd sdfsd fdsf sdf</p><br />
<br />
<h4>Subsubsection</h4> <br />
<p>Sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p><br />
<br />
<p><code>$ <b>who <var>is there</var></b><br /><br />
rtn pts/4 2012-02-11 13:14 (:0.0)<br /><br />
mysql></code></p><br />
<br />
<p>Sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p><br />
<br />
<p><pre>$ <b>who <var>is there</var></b><br /><br />
rtn pts/4 2012-02-11 13:14 (:0.0)<br /><br />
mysql></pre></p><br />
<br />
<p>Sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</p></div>Ratnahttps://docs.moodle.org/405/en/index.php?title=User:Visvanath_Ratnaweera&diff=95700User:Visvanath Ratnaweera2012-02-07T16:47:23Z<p>Ratna: </p>
<hr />
<div><p><blockquote>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit,</blockquote></p><br />
<br />
<p><blockquote>sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</blockquote></p><br />
<br />
<p><blockquote><cite>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam,</cite></blockquote></p><br />
<br />
<p><blockquote><ul><br />
<li><dfn>dsdf</dfn>dsdfsd</li><br />
<li>dsdf</li><br />
</ul></blockquote></p><br />
<br />
<p><blockquote><dl><br />
<dt>dsdf</dt><br />
<dd>sdfsdfsdfsd</dd><br />
<dt>dsdf</dt><br />
<dd>sdfsdfsdfsd</dd><br />
</dl></blockquote></p><br />
<br />
<br />
<h2>First Section</h2><br />
<p>Ha ha <abbr>abbr</abbr> for a <big>biiig</big> hug.</p><br />
<br />
<h3>Subsection</h3><br />
<br />
<h4>Subsubsection</h4> <br />
<br />
<h2>Second Section</h2><br />
<br />
<h3>Subsection</h3><br />
<p>sdfds sdfsd sdfsd fdsf sdf</p><br />
<br />
<h4>Subsubsection</h4> <br />
<code>$ <b>who <var>is there</var></b><br />
mysql></code></div>Ratnahttps://docs.moodle.org/405/en/index.php?title=User:Visvanath_Ratnaweera&diff=95699User:Visvanath Ratnaweera2012-02-07T16:37:24Z<p>Ratna: </p>
<hr />
<div><p><blockquote>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit,</blockquote></p><br />
<br />
<p><blockquote>sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</blockquote></p><br />
<br />
<p><blockquote><cite>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam,</cite></blockquote></p><br />
<br />
<p><blockquote><ul><br />
<li><dfn>dsdf</dfn>dsdfsd</li><br />
<li>dsdf</li><br />
</ul></blockquote></p><br />
<br />
<p><blockquote><dl><br />
<dt>dsdf</dt><br />
<dd>sdfsdfsdfsd</dd><br />
<dt>dsdf</dt><br />
<dd>sdfsdfsdfsd</dd><br />
</dl></blockquote></p><br />
<br />
<br />
<h2>First Section</h2><br />
<p>Ha ha <abbr>abbr</abbr> for a <big>biiig</big> hug.</p><br />
<br />
<h3>Subsection</h3><br />
<br />
<h4>Subsubsection</h4> <br />
<br />
<h2>Second Section</h2><br />
<br />
<h3>Subsection</h3><br />
<p>sdfds sdfsd sdfsd fdsf sdf</p><br />
<br />
<h4>Subsubsection</h4> <br />
<code>$ <b>who <var>is there</var></b><br />
mysql></code></div>Ratnahttps://docs.moodle.org/405/en/index.php?title=User:Visvanath_Ratnaweera&diff=95686User:Visvanath Ratnaweera2012-02-05T15:16:57Z<p>Ratna: </p>
<hr />
<div><p><blockquote>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit,</blockquote></p><br />
<br />
<p><blockquote>sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</blockquote></p><br />
<br />
<p><blockquote><cite>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam,</cite></blockquote></p><br />
<br />
<p><blockquote><ul><br />
<li><dfn>dsdf</dfn>dsdfsd</li><br />
<li>dsdf</li><br />
</ul></blockquote></p><br />
<br />
<p><blockquote><dl><br />
<dt>dsdf</dt><br />
<dd>sdfsdfsdfsd</dd><br />
<dt>dsdf</dt><br />
<dd>sdfsdfsdfsd</dd><br />
</dl></blockquote></p><br />
<br />
<br />
<h2>Operating System</h2><br />
<p>Ha ha <abbr>abbr</abbr> for a <big>biiig</big> hug.</p><br />
<br />
<h3>Subsection</h3><br />
<br />
<h4>Small subsection</h4> <br />
<br />
<br />
<h2>Web server</h2><br />
<br />
<h3>Subsection</h3><br />
<p>sdfds sdfsd sdfsd fdsf sdf</p><br />
<br />
<h4>Small subsection</h4> <br />
<code>$ <b>who <var>is there</var></b><br />
mysql></code></div>Ratnahttps://docs.moodle.org/405/en/index.php?title=User:Visvanath_Ratnaweera&diff=95685User:Visvanath Ratnaweera2012-02-05T15:13:17Z<p>Ratna: </p>
<hr />
<div><h1>Top Header</h1><br />
<br />
<p><blockquote>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit,</blockquote></p><br />
<br />
<p><blockquote>sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?</blockquote></p><br />
<br />
<p><blockquote><cite>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam,</cite></blockquote></p><br />
<br />
<p><blockquote><ul><br />
<li><dfn>dsdf</dfn>dsdfsd</li><br />
<li>dsdf</li><br />
</ul></blockquote></p><br />
<br />
<p><blockquote><dl><br />
<dt>dsdf</dt><br />
<dd>sdfsdfsdfsd</dd><br />
<dt>dsdf</dt><br />
<dd>sdfsdfsdfsd</dd><br />
</dl></blockquote></p><br />
<br />
<br />
<h2>Operating System</h2><br />
<p>Ha ha <abbr>abbr</abbr> for a <big>biiig</big> hug.</p><br />
<br />
<h2>Subsection</h2><br />
<br />
<h3>Small subsection</h3> <br />
<br />
<h4>Smaller subsection</h4><br />
<br />
<h2>Web server</h2><br />
<br />
<h2>Subsection</h2><br />
<br />
<h3>Small subsection</h3> <br />
<code>$ <b>who <var>is there</var></b><br />
mysql></code><br />
<br />
<br />
<br />
<h4>Smaller subsection</h4></div>Ratnahttps://docs.moodle.org/405/en/index.php?title=User:Visvanath_Ratnaweera&diff=95684User:Visvanath Ratnaweera2012-02-05T11:22:28Z<p>Ratna: Starting to test MediaWiki HTML compatibility</p>
<hr />
<div><blockquote>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit,</blockquote><br />
<blockquote>sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?<br /><br /><br />
<ul><br />
<li>dsdf</li></ul><br />
<cite>Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam,</cite></blockquote><br />
<br />
<br />
<h1>Operating System</h1><br />
<p>Ha ha <abbr>abbr</abbr> for a <big>biiig</big> hug.</p><br />
<br />
<h2>Subsection</h2><br />
<br />
<h3>Small subsection</h3> <br />
<br />
<h4>Smaller subsection</h4><br />
<br />
<h1>Web server</h1><br />
<br />
<h2>Subsection</h2><br />
<br />
<h3>Small subsection</h3> <br />
<code>$ <b>who <var>is there</var></b><br />
mysql></code><br />
<br />
<br />
<br />
<h4>Smaller subsection</h4></div>Ratna