Overview
This document describes the workflow between client and vendor to successfully implement ADFS in Moodle/Learnbook applications.
This article is intended to be used by Systems Administrators responsible for managing the ADFS platform in their organisation.
Single Sign On vs Same Sign On
Note: This procedure implements Single Sign On. Users authenticating via this method will not be required to enter their organisational username and password if they have already connected to other business systems.
Bulk User Synchronisation
ADFS does not support bulk user synchronisation. User profiles in Moodle are created on the fly as a user logs in.
Unless a user is imported from another service (such as Bulk CSV Upload), they will not appear on incompletion reports or be enrolled into courses.
Business Rules can be added to Moodle/Learnbook to automatically enrol users on account creation.
Implementation Workflow
- Step 1: The client's System Administrator shall configure their network so that ADFS is accessible via the public internet.
- Step 2: The client's System Administrator shall provide the ADFS Identity Provider Metadata and a test account.
This information should be publicly hosted and available on a URL similar to: https://adfs.customer.com.au/FederationMetadata/2007-06/FederationMetadata.xml
This file will contain XML data used by the LMS to configure Single Sign On.
- Step 3: eCreators will configure your LMS Platform to support ADFS via the SAML Plugin and provide the ADFS Service Provider Metadata.
This information will be publicly hosted and available on a URL similar to: https://customer.learnbook.com.au/auth/saml2/sp/metadata.php?download=1
This file will contain XML data used by ADFS to securely allow Single Sign On.
- Step 4: The client's System Administrator shall add the Service Provider Metadata to the SAML whitelist and claims configuration. See Customer Side ADFS Configuration for more information.
- Step 5: eCreators will test Single Sign On using the test account provided by the Vendor.
- Step 6: On successful testing, Single Sign On will be available for users with ADFS credentials.
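As an added example (not part of this document or of the Learnbook SAML plugin), the following Python script shows the checks worth running on the Identity Provider Metadata from Step 2 before it is used in Step 3: it extracts the entityID, the HTTP-Redirect sign-on endpoint and the token-signing certificate fingerprint, and flags metadata that lacks an HTTPS endpoint or a signing certificate. The embedded metadata is a constructed, trimmed sample with a fictitious hostname and a placeholder certificate body.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of an ADFS FederationMetadata.xml, trimmed to the elements the
# LMS consumes; the hostname is fictitious and the certificate body is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.customer.example/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>UExBQ0VIT0xERVItREVSLUJZVEVT</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.customer.example/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return the entityID, HTTP-Redirect SSO URL and SHA-256 fingerprint of the
    token-signing certificate (to confirm out of band with the client), plus a
    'problems' list that is empty when the metadata is safe to configure."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"problems": ["no IDPSSODescriptor: not identity-provider metadata"]}
    problems = []
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    if not sso:
        problems.append("no HTTP-Redirect SingleSignOnService endpoint")
    elif urlparse(sso[0]).scheme != "https":
        problems.append("SSO endpoint is not HTTPS: " + sso[0])
    # ADFS marks its token-signing key use="signing"; a KeyDescriptor without
    # a 'use' attribute is valid for both signing and encryption.
    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).strip()
             for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    certs = [c for c in certs if c]
    if not certs:
        problems.append("no signing certificate: assertions could not be verified")
    # SHA-256 of the DER bytes, the same value `openssl x509 -sha256 -fingerprint` prints.
    fingerprint = hashlib.sha256(base64.b64decode(certs[0])).hexdigest() if certs else None
    return {"entity_id": root.get("entityID"), "sso_url": sso[0] if sso else None,
            "signing_cert_sha256": fingerprint, "problems": problems}
```

Run it against the real FederationMetadata.xml fetched over HTTPS and compare the printed fingerprint with the client's System Administrator by phone or ticket before trusting the metadata.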
Optional: Additional Fields
If additional user profile fields (such as Region or Department) must be synchronised to the LMS during sign on, the client's System Administrator must enable them by configuring additional relay claims.