Moodle Single Sign-on Mod

As I modify Moodle to provide environment variable single-sign on for the third time, I thought I would actually document my work this time. Make these modifications at your own risk — they work for one Moodle 1.6/Win2k3/PHP5/mySQL5 environment but may not work for yours.

File login/index.php, lines 78 onward: fool Moodle into thinking that the user has submitted login form data. Substitute the DAF user environment variable for the login.

if ((!empty($SESSION->wantsurl) and strstr($SESSION->wantsurl,'username=guest')) or $loginguest) {
    /// Log in as guest automatically (idea from Zbigniew Fiedorowicz)
    $frm->username = 'guest';
    $frm->password = 'guest';
} else if (!empty($SESSION->wantsurl) && file_exists($CFG->dirroot.'/login/weblinkauth.php')) {
    // Handles the case of another Moodle site linking into a page on this site
    include($CFG->dirroot.'/login/weblinkauth.php');
    if (function_exists('weblink_auth')) {
        $user = weblink_auth($SESSION->wantsurl);
    }
    if ($user) {
        $frm->username = $user->username;
    } else {
        $frm = data_submitted($loginurl);
    }
} else {
    // patch for UHS active directory (kassissieh)
    $lowername = strtolower($_SERVER['HTTP_DAFLOGIN']);
    // stristr() returns the match from the backslash onward ("\user")
    $lastpart = stristr($lowername, '\\');
    if (!$lastpart) {
        // no DOMAIN\ prefix: use the whole value
        $lastpart = $lowername;
    } else {
        // drop the leading backslash so only the account name remains
        $lastpart = substr($lastpart, 1);
    }
    $frm->username = $lastpart;
    //$frm = data_submitted($loginurl);
}

/// Check if the user has actually submitted login data to us

//if (empty($CFG->usesid) and $testcookies and (get_moodle_cookie() == '')) { // Login without cookie when test requested

// $errormsg = get_string("cookiesnotenabled");

//} else if ($frm) { // Login WITH cookies

if ($frm) { // Login WITH cookies

File auth/none/lib.php: Return a true authentication result no matter what.

//if ($user = get_record('user', 'username', $username)) {
// return validate_internal_user_password($user, $password);
//}

return true;
//}
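With auth/none returning true, the HTTP_DAFLOGIN value is the only credential, and PHP fills `$_SERVER['HTTP_*']` keys from request headers, so the value should be accepted only from the SSO front end and checked for shape. The following is an added example, not part of the original mod. The function name, the trusted-address list and the allowed character set are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not the original patch. TRUSTED_SSO_FRONTENDS and
// sso_username() are hypothetical names; the addresses are constructed.
const TRUSTED_SSO_FRONTENDS = ['127.0.0.1', '10.0.0.5'];

function sso_username(array $server): ?string
{
    // Honour the header only when the request came from the SSO front end;
    // a client connecting directly could otherwise send any DAFLOGIN value.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, TRUSTED_SSO_FRONTENDS, true)) {
        return null;
    }
    $raw = $server['HTTP_DAFLOGIN'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    // Keep only the account part of DOMAIN\account.
    $name = strtolower($raw);
    $pos = strrpos($name, '\\');
    if ($pos !== false) {
        $name = (string) substr($name, $pos + 1);
    }
    // Assumed account-name alphabet; anything else is refused, not cleaned.
    if (!preg_match('/^[a-z0-9._@-]{1,100}\z/', $name)) {
        return null;
    }
    return $name;
}

// Constructed requests: trusted front end, direct client, malformed value,
// and a request with no DAFLOGIN header at all.
$samples = [
    ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_DAFLOGIN' => 'UHS\\JDoe'],
    ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_DAFLOGIN' => 'UHS\\admin'],
    ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_DAFLOGIN' => "jdoe' --"],
    ['REMOTE_ADDR' => '10.0.0.5'],
];
foreach ($samples as $s) {
    // A null result means: do not auto-login, show the normal login form.
    var_dump(sso_username($s));
}
```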

user/edit.php, line 357 (just before “include edit.html”): pre-fill some user information from Active Directory entry (so we may lock those fields)

// (get user information from active directory - kassissieh)
echo "";
print_simple_box(('Welcome, new user!
Please review your user profile then select Update Profile (below).'), "center", "50%");

// pre-fill user information
$user->email = $user->username;
if (!strpos($user->email, '@')) {$user->email .= '@sfuhs.org';}
// double any single quotes so the value cannot close the SQL string literal
$email_sql = str_replace("'", "''", $user->email);
$query = " SELECT
EA7RECORDS.FIRSTNAME, EA7RECORDS.NICKNAME, EA7RECORDS.LASTNAME
FROM
EA7RECORDS,
ADDRESSLINKS,
PHONELINKS,
ADDRESSLINKPHONES,
EA7ADDRESSOPTIONS
WHERE
NUM LIKE '" . $email_sql . "' AND
ADDRESSLINKPHONES.PHONESID=PHONELINKS.PHONESID AND
PHONELINKS.ADDRESSLINKSID=ADDRESSLINKS.ADDRESSLINKSID AND
ADDRESSLINKS.PARENTRECORDID=EA7RECORDS.EA7RECORDSID AND
EA7ADDRESSOPTIONS.ADDRESSLINKSID=ADDRESSLINKS.ADDRESSLINKSID AND
EA7ADDRESSOPTIONS.PRIMARYADDRESS='-1'";

mssql_connect ( "sqlsrv", $dbuser, $dbpass );
$result = mssql_query ( $query );
$row=mssql_fetch_array($result);
if ($row['NICKNAME']) {$row['FIRSTNAME']=$row['NICKNAME'];}
mssql_close();
if ($row['FIRSTNAME']) {$user->firstname = $row['FIRSTNAME'];}
if ($row['LASTNAME']) {$user->lastname = $row['LASTNAME'];}

// end kassissieh mod
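The lookup above builds its WHERE clause from a value that ultimately comes from the login header, and the `mssql_*` functions it uses were removed in PHP 7. The following added example (not the original mod's code) runs the same lookup through a PDO prepared statement. It uses an in-memory SQLite database with constructed tables as a stand-in for the SQL Server, and assumes NUM is a column of ADDRESSLINKPHONES.

```php
<?php
// Added example, not the original mod. lookup_names() is a hypothetical name.
// Assumption: NUM lives in ADDRESSLINKPHONES (the page does not qualify it).
function lookup_names(PDO $db, string $email): ?array
{
    // Same joins as the page's query; "=" replaces LIKE so that % and _
    // in the value are not treated as wildcards.
    $sql = "SELECT r.FIRSTNAME, r.NICKNAME, r.LASTNAME
              FROM EA7RECORDS r
              JOIN ADDRESSLINKS a       ON a.PARENTRECORDID = r.EA7RECORDSID
              JOIN PHONELINKS p         ON p.ADDRESSLINKSID = a.ADDRESSLINKSID
              JOIN ADDRESSLINKPHONES ap ON ap.PHONESID = p.PHONESID
              JOIN EA7ADDRESSOPTIONS o  ON o.ADDRESSLINKSID = a.ADDRESSLINKSID
             WHERE ap.NUM = :email AND o.PRIMARYADDRESS = '-1'";
    $stmt = $db->prepare($sql);
    $stmt->execute([':email' => $email]); // bound as data, never spliced into SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed stand-in database (in-memory SQLite) so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("
    CREATE TABLE EA7RECORDS (EA7RECORDSID INTEGER, FIRSTNAME TEXT, NICKNAME TEXT, LASTNAME TEXT);
    CREATE TABLE ADDRESSLINKS (ADDRESSLINKSID INTEGER, PARENTRECORDID INTEGER);
    CREATE TABLE PHONELINKS (PHONESID INTEGER, ADDRESSLINKSID INTEGER);
    CREATE TABLE ADDRESSLINKPHONES (PHONESID INTEGER, NUM TEXT);
    CREATE TABLE EA7ADDRESSOPTIONS (ADDRESSLINKSID INTEGER, PRIMARYADDRESS TEXT);
    INSERT INTO EA7RECORDS VALUES (1, 'Jane', NULL, 'Doe'), (2, 'Sam', 'Sammy', 'Roe');
    INSERT INTO ADDRESSLINKS VALUES (10, 1), (20, 2);
    INSERT INTO PHONELINKS VALUES (100, 10), (200, 20);
    INSERT INTO ADDRESSLINKPHONES VALUES (100, 'jdoe@example.org'), (200, 'sroe@example.org');
    INSERT INTO EA7ADDRESSOPTIONS VALUES (10, '-1'), (20, '-1');
");

// First call: a constructed address that is present in the table.
var_dump(lookup_names($db, 'jdoe@example.org'));
// Second call: a constructed value containing quotes, handled purely as data.
var_dump(lookup_names($db, "x' OR '1'='1"));
```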

user/edit.html: Replace input fields for firstname, lastname, email, and change password with hidden data fields. This is because we don’t want AD users to change their basic user information.

For example, replace


<input type="text" name="firstname" size="30" alt="<?php print_string("firstname") ?>" maxlength="100" value="<?php p($user->firstname) ?>" />

with

<?php p($user->firstname) ?><input type="hidden" name="firstname" value="<?php p($user->firstname) ?>" />

8 comments

  1. Priyanka Nahata says:

    I have a problem in email authentication in Moodle. Are there any changes made in my coding? Let me know.

  2. rkassissieh says:

    I would recommend asking your question in the Moodle.org "free support" forums. I haven’t myself used email authentication in Moodle.

  3. Steve Fraser says:

    I have been trying to find a way to use the moodle login to log users into a non-moodle section of my site. The reason for this is that we plan to move away from moodle but we want to keep the same user name & password database.

    So, basically, I have a page and I want to check to see if the user is logged into moodle before displaying any contents.

    I know this isn’t exactly what you are doing but this page is the closest thing I could find anywhere, do you have any tips?

  4. rkassissieh says:

    Hi, Steve. Actually, we have since abandoned the single sign-on hack and instead begun to do exactly what you recommend. We have developed two scripts, one for PHP and one for Perl, that allow a custom script to use Moodle authentication. Email me for details.

    Richard

  5. jeff patterson says:

    I’m with a student email provider for k12, Gaggle.net.

    We are looking into providing a SSO from Gaggle to the students’ Moodle accounts, i.e. when logged into Gaggle the students click a button that takes them to their Moodle account.

    Does Moodle have any provision for logging in this way? I assume there is a post URL with parameters that would work, but this is clunky.

  6. Richard says:

    Jeff,

    I don’t know the answer to your question. I can say that Moodle has a robust authentication plug-in scheme and supports OpenID. I imagine that you should be able to make this work.

    Richard

  7. David Rain says:

    Do you know of any tutorials on writing an authorization plugin? We have an identity server that doles out SAML tokens and I want to write a plugin to work with that. Thank you

  8. Remigio Oscar Iglesias says:

    Hi Richard, this means that if I make the changes that you post here I can finally get the single sign on on Moodle using AD (Active Directory) accounts, that’s correct?

    I’ll appreciate your comments,

    Regards,
    Oscar.