
OpenID Authentication

Open ID auth and registration plug-in.

Site: Remote-Learner.net
Course: Remote-Learner.net
Book: OpenID Authentication
Date: Thursday, 19 October 2017, 1:17 AM

OpenID User Settings

What is OpenID?

OpenID is an emerging standard for providing internet users with a single username, password, user profile, and single sign-on across a wide variety of services such as Gmail, Yahoo, Facebook, MySpace, WordPress, AOL, etc. Institutions can also set up their own OpenID SSO server and use that to manage users' identities in ELIS. Institutions with GoogleApps can also set those as the gateway for their ELIS users, enabling users to log in to ELIS and Moodle simply by clicking a button.

There is more information about the OpenID standard here: OpenID.


Getting Started with OpenID:

OpenID is now on Remote-Learner's approved add-ons list. If you are hosting with us, it is included with all ELIS installs, or you can request that support install it on your site.

To use OpenID, you will need an OpenID identity provider already set up, or accounts in an existing OpenID-enabled system such as Yahoo or MyOpenID.com. In this documentation we will use GoogleApps as an example of an OpenID identity provider (IDP). The free version of GoogleApps is automatically set up as an OpenID IDP, and both GoogleApps for Education and GoogleApps for Business can be set to be an OpenID IDP.


Getting Started with ELIS OpenID


OpenID is not enabled in ELIS by default; you have to activate and configure it before you can use it.

To activate your OpenID authentication, go to your Moodle Authentication settings in your Site Administration Folder and click "Manage Authentication".
Manage authentication link

Scroll down the list of authentication plug-ins until you see OpenID.
OpenID authentication
  1. First, configure the settings as discussed below.
  2. Then come back and enable the plug-in (this will prevent your users from seeing the OpenID login box before you have activated any providers).
OpenID settings screen: User Settings.
Open ID settings
  1. If you check this, users can convert their current Moodle account to an OpenID account, letting them use their OpenID username and password (for instance their Gmail username) to log in to the site.
  2. If you check this, users can log in with more than one OpenID identity on the same account (see below for more details).
  3. If you check this, the login page will only enable login by OpenID. If you don't, the standard Moodle login will be printed below the OpenID login. If some of your users will use OpenID while others use other authentication types, leave this unchecked. See the example below for how the login screen will look if you leave this box unchecked.
OpenID with standard Login on the same login page.
OpenID login screen

Next, we'll set the login URL, and other settings.

OpenID settings
  1. Leave this blank to enable login with any OpenID provider you support (you will choose which ones to enable in the next screen). To enable users to login using Google as the OpenID provider simply by pressing a button, enter auth/openid/custom/google_login.html here. This will print a button as shown in the Google Login example below.
  2. Enter the domain of your GoogleApps site here. If you enter a value here, users will only be able to SSO via OpenID if they already exist in your GoogleApps domain. This setting lets you use your GoogleApps domain as the primary source of authority for your ELIS/Moodle site.
  3. Check this to require users to respond to a confirmation email before they can convert their account to OpenID.
  4. Check this to send an email notifying users they have switched their account to OpenID.
  5. This will automatically create a new Moodle account when a user (who doesn't have an account yet) logs in via OpenID for the first time.
  6. Here we'll determine which existing user field or fields to use when updating users via OpenID. For example, if a user changes their lastname in their OpenID provider, this would check to see that their email is the same before updating their lastname (if email is entered into this field). If username is entered, then users can have their email, name, etc. updated via OpenID as long as their username stayed the same. The data that can be changed from OpenID is limited by the OpenID IDP's API (for example, Google's API description).
  7. Finally, decide what happens with servers that are not on the approved list (on the next screen) -
    • if "Denied" is selected here, then users can only register and login from OpenID servers you specify.
    • If you set this to "Confirmed" then users will have to confirm their registration themselves.
    • If you set this to "Allowed" then users can log in from any OpenID provider (though you can determine how different IDPs are handled in the "Servers" tab, which we'll cover below).
  8. Click "Save Changes" to save the changes you made on this page, and go to the "Servers" tab to complete the setup.

Open ID Server Settings

On the Servers tab of the OpenID settings you can set which servers to allow or deny OpenID integration with.


Servers tab in OpenID settings
  1. Click the Servers tab to create or edit the list of OpenID servers.
  2. Enter the URL for a server here to add it to the list. If your setting from the Users screen is "Non-whitelisted servers shall be: Denied" (the recommended setting), then users will only be able to login from servers in the list on this screen.
  3. You can also deny servers (this only makes sense if your setting for non-whitelisted servers is set to Allow or Confirm) - users will not be able to login using credentials from servers set to Deny.
    • On the current screen, users can log in using Google OpenID credentials or Yahoo, but not MyOpenID or other OpenID providers (assuming that the "Non-whitelisted servers shall be" setting is set to "Denied").
    • Note that you can use wildcards, as above for the Yahoo login - Yahoo's OpenID server has a long, complex URL, but all you need to enter here is *yahooapis.com* surrounded by the wildcard character *.
  4. Click "Save changes" to save the changes you have made here.
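
An added example (not the plug-in's code) that models how the server list, Deny entries and the "Non-whitelisted servers shall be" default combine. It assumes glob patterns matched against the full server URL with Deny taking precedence, and the server URLs are constructed samples. It also shows that a pattern wrapped in * is a substring match, so it accepts any URL that contains the string.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample list: Yahoo (the page's wildcard pattern) and a Google
# endpoint URL are allowed; everything else falls to the default setting.
SERVERS = [
    ("*yahooapis.com*", "allow"),
    ("https://www.google.com/accounts/o8/ud", "allow"),
]

DEFAULTS = {"denied": "deny", "confirmed": "confirm", "allowed": "allow"}


def decide(server_url, servers, default):
    """Model of the Servers tab: returns 'allow', 'deny' or 'confirm'.

    Assumptions (not taken from the plug-in's code): patterns are globs
    matched case-insensitively against the whole URL, and a Deny entry
    wins over an Allow entry.
    """
    url = server_url.strip().lower()
    hits = {action for pattern, action in servers
            if fnmatchcase(url, pattern.lower())}
    if "deny" in hits:
        return "deny"
    if "allow" in hits:
        return "allow"
    return DEFAULTS[default]


def host_in_domain(server_url, domain):
    """Stricter check: is the URL's host the domain or a subdomain of it?"""
    host = (urlsplit(server_url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def loose_allow_patterns(servers):
    """Allow patterns not anchored to a scheme, i.e. substring matches."""
    return [p for p, action in servers
            if action == "allow"
            and not p.lower().startswith(("http://", "https://"))]


if __name__ == "__main__":
    yahoo = "https://open.login.yahooapis.com/openid/op/auth"   # constructed
    lookalike = "https://yahooapis.com.lookalike.example/op"    # constructed
    for url in (yahoo, lookalike, "https://www.myopenid.com/server"):
        print(url, decide(url, SERVERS, "denied"),
              host_in_domain(url, "yahooapis.com"))
```

Where the provider's endpoint is known, an entry that starts with the scheme and host keeps the allow list tighter than a bare substring pattern.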

Now, if your settings are all ready for you to use, go back to the first screen and enable the OpenID authentication plug-in.


Logging in via Open ID

On the default login page, users can put in OpenID credentials to login. If the credentials match those of a provider that the site has been set to work with (see previous) then the user will be re-directed to their OpenID provider to validate their login.

OpenID login

Users enter their OpenID credentials and click Login (for example: me@gmail.com or me@yahoo.com).

Yahoo login

In this example, a user has entered their Yahoo email, and is re-directed to Yahoo to login. Note that Yahoo prints the ELIS URL on the login screen.

OpenID-Yahoo agreement

The first time a user logs in to ELIS with their OpenID from Yahoo, Yahoo will check with them to make sure they agree to using their OpenID on the server. Google does this too; other OpenID providers may or may not, depending on the IDP settings/configuration.

Confirmation message

After logging in to their OpenID provider, the user is sent right back to the ELIS site, where they are presented with a confirmation screen.

Email confirmation

The user must go to their mailbox and select the link in the confirmation email. Once they select the link, the registration is confirmed.

Registration confirmation


Open ID Login with a Google Account


To login with a Google account we must go through the same steps.

Login using OpenID with Google email

The user enters their email address in the OpenID login section then selects the Login button.

Google confirmation request

As with Yahoo, Google tells you about the request from the ELIS site. Select the Allow button to continue.

Confirmation message from ELIS site

The user is sent back to the ELIS site, where they are presented with a confirmation screen.

Google confirmation email

The user must go to their mailbox and select the link in the confirmation email. Once they select the link, the registration is confirmed.

Registration confirmation

Using the OpenID block to manage IDs

The OpenID block is an optional block that you can enable to let your users manage their OpenIDs (if you've checked the box in the settings on the previous page that lets users register more than one account).

If the site admin makes the OpenID block visible and the setting above is set, then users can enter another OpenID, validate it with their provider, and then login with any of their OpenIDs (all logins will point to the same Moodle/ELIS user).

Manage OpenID block

For example, if I login with my Yahoo account, and then register my Gmail account, I can login with either my Yahoo, or my Gmail account (this is managed by the settings we saw previously to map the user based on username, etc.).

I can click the "Manage your OpenID's" link to see the IDs I am currently using on the site.

Manage OpenID block

  1. Here I can see my current IDs and also add another ID.

Some OpenID URLs

  • Google - use the Google accounts button for GoogleApps accounts
  • Gmail - for me@gmail.com, use either the Google accounts button or just login with me@gmail.com
  • Yahoo! has me@yahoo.com 
  • MySpace myspace.com/username 
  • WordPress username.wordpress.com
  • MyOpenID username.myopenid.com

More: OpenID