OpenID Authentication

OpenID User Settings

What is OpenID?

OpenID is an emerging standard for providing internet users with a single username, password, user profile, and single sign-on across a wide variety of services such as Gmail, Yahoo, Facebook, MySpace, WordPress, AOL, etc. Institutions can also set up their own OpenID SSO server and use that to manage users' identities in ELIS. Institutions with GoogleApps can also set those as the gateway for their ELIS users, enabling users to log in to ELIS and Moodle simply by clicking a button.

There is more information about the OpenID standard here: OpenID.


Getting Started with OpenID:

OpenID is now on Remote-Learner's approved add-ons list. If you are hosting with us, it is included with all ELIS installs, or you can ask support to install it on your site.

To use OpenID, you will need an OpenID identity provider already set up, or accounts in an existing OpenID-enabled system such as Yahoo or MyOpenID.com. In this documentation we will use GoogleApps as an example of an OpenID identity provider (IDP): the free version of GoogleApps is automatically set up as an OpenID IDP, and both GoogleApps for Education and GoogleApps for Business can be set to be an OpenID IDP.


Getting Started with ELIS OpenID


OpenID is not enabled in ELIS by default; you have to activate and configure it before you can use it.

To activate your OpenID authentication, go to your Moodle Authentication settings in your Site Administration Folder and click "Manage Authentication".
Manage authentication link

Scroll down the list of authentication plug-ins until you see OpenID.
OpenID authentication
  1. First, configure the settings as discussed below.
  2. Then come back and enable the plug-in (this will prevent your users from seeing the OpenID login box before you have activated any providers).
OpenID settings screen: User Settings.
Open ID settings
  1. If you check this, users can convert their current Moodle account to an OpenID account, letting them use their OpenID username and password (for instance their Gmail username) to log in to the site.
  2. If you check this, users can log in with more than one OpenID identity on the same account (see below for more details).
  3. If you check this, the login page will only allow login by OpenID. If you don't, the standard Moodle login will be shown below the OpenID login. If some of your users will use OpenID while others use other authentication types, leave this unchecked. The example below shows how the login screen will look if you leave this box unchecked.
OpenID with standard Login on the same login page.
OpenID login screen

Next, we'll set the login URL, and other settings.

OpenID settings
  1. Leave this blank to enable login with any OpenID provider you support (you will choose which ones to enable in the next screen). To enable users to log in using Google as the OpenID provider simply by pressing a button, enter auth/openid/custom/google_login.html here. This will print a button as shown in the Google Login example below.
  2. Enter the domain of your GoogleApps site here. If you enter a value here, users will only be able to SSO via OpenID if they already exist in your GoogleApps domain. This setting lets you use your GoogleApps domain as the primary source of authority for your ELIS/Moodle site.
  3. Check this to require users to respond to a confirmation email before they can convert their account to OpenID.
  4. Check this to send an email notifying users they have switched their account to OpenID.
  5. This will automatically create a new Moodle account when a user (who doesn't have an account yet) logs in via OpenID for the first time.
  6. Here we'll determine which existing user field or fields to use when updating users via OpenID. For example, if a user changes their lastname in their OpenID provider, this would check to see that their email is the same before updating their lastname (if email is entered into this field). If username is entered, then users can have their email, name, etc. updated via OpenID as long as their username stayed the same. The data that can be changed from OpenID is limited by the OpenID IDP's API (for example, Google's API description).
  7. Finally, decide what happens with servers that are not on the approved list (on the next screen):
    • If you set this to "Denied", then users can only register and log in from OpenID servers you specify.
    • If you set this to "Confirmed", then users will have to confirm their registration themselves.
    • If you set this to "Allowed", then users can log in from any OpenID provider (though you can determine how different IDPs are handled in the "Servers" tab, which we'll cover below).
  8. Click "Save Changes" to save the changes you made on this page, and go to the "Servers" tab to complete the setup.
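
How settings 2, 5 and 7 above combine for a single login attempt, as an added Python model that is not the plugin's own code. The setting names, the exact-hostname comparison against the approved list, and the email-domain check used for the GoogleApps restriction are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def idp_host(identity_url):
    """Lower-cased hostname of an http(s) OpenID identity URL, else None."""
    try:
        parts = urlsplit(identity_url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()

def login_decision(settings, identity_url, email, has_account):
    """Return 'login', 'create', 'confirm' or 'deny' for one OpenID login."""
    host = idp_host(identity_url)
    if host is None:
        return "deny"
    # Item 2: GoogleApps domain restriction, modelled (assumption) as a
    # check on the domain part of the email the provider asserts.
    domain = settings.get("googleapps_domain", "").lower()
    _, at, email_domain = email.rpartition("@")
    if domain and (not at or email_domain.lower() != domain):
        return "deny"
    # Item 7: servers not on the approved list. Hostnames are compared
    # exactly, so "www.google.com.example.org" is not "www.google.com".
    approved = host in {h.lower() for h in settings.get("approved_servers", ())}
    policy = settings.get("non_approved", "Denied")
    if not approved and policy == "Denied":
        return "deny"
    if has_account:
        return "login"
    # Item 5: first login by someone without a Moodle account.
    if not settings.get("auto_create", False):
        return "deny"
    return "confirm" if (not approved and policy == "Confirmed") else "create"

# Constructed sample configuration (hypothetical setting names).
STRICT = {"googleapps_domain": "school.example", "non_approved": "Denied",
          "approved_servers": ["www.google.com"], "auto_create": True}

if __name__ == "__main__":
    attempts = [("https://www.google.com/accounts/o8/id?id=abc", "amy@school.example"),
                ("https://www.google.com.example.org/id", "amy@school.example"),
                ("https://www.google.com/accounts/o8/id?id=xyz", "bob@other.example")]
    for url, mail in attempts:
        print(login_decision(STRICT, url, mail, has_account=False), url, mail)
```

With "Denied" plus a GoogleApps domain, only the first constructed attempt is accepted; switching the policy to "Allowed" and clearing the domain lets any provider create an account when automatic creation is on.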