Integrating Moodle with WSO2 Identity Server

Dinika Senarath
Dec 20, 2020

Moodle is one of the world’s most popular learning management systems and is used by a large number of educational institutions. A learning management system is one of the many applications used by educational institutions to make the life of students and teachers easier. When the number of applications increases, managing a different set of credentials for each of them becomes a nightmare for both consumers (students/teachers) and administrators. That is why educational institutions look for Single Sign-On (SSO) solutions that allow users to log in and access all such applications using one set of credentials.

WSO2 Identity Server (WSO2 IS) is an open source identity and access management solution used by a large number of educational institutions to provide SSO to multiple applications using standard SSO protocols such as SAML, OAuth2/OpenID Connect, WS-Federation, CAS, etc.

In this article, I will walk you through the steps to integrate WSO2 IS as an OAuth2/OpenID Connect Identity Provider for Moodle. This allows users that reside in WSO2 Identity Server to log in to Moodle using their WSO2 IS credentials, so they do not need to remember an additional set of credentials for Moodle. Upon the initial login, a new user account will be created on the Moodle side with the information sent from WSO2 IS after a successful authentication.

Moodle provides support for OAuth2 services by default in the Moodle core. Hence, we do not need any additional plugins to integrate WSO2 IS login support into Moodle. We have to create an OAuth2 service in the Moodle administration site, and enable login via the newly created OAuth2 service. We also need to create a Service Provider in WSO2 IS and configure it so that WSO2 IS can act as an Identity Provider for Moodle.

The following are the prerequisites that should be met before proceeding further.

  • Access to a Moodle installation with admin privileges (You can learn more on Moodle from here)
  • Access to a WSO2 Identity Server with admin privileges (You can download the latest WSO2 IS release from here)

First, let’s see how to configure WSO2 IS for the above mentioned purpose.

  1. Log in to the Management Console of WSO2 IS.
  2. On the Main menu, go to Identity > Service Providers > Add and add a new service provider with a preferred name. Optionally, you can provide a brief description of the service provider too. Then click Register.

3. Expand the Inbound Authentication Configuration drop-down under the Service Provider configuration and click on Configure under OAuth/OpenID Connect Configuration.

4. In the new application registration page, add the Callback URL corresponding to your Moodle site. This value should be in the form of <Moodle-www-root>/admin/oauth2callback.php. For example, if your Moodle site is https://example.moodle.com, the callback URL will be https://example.moodle.com/admin/oauth2callback.php.

5. Leave the other configurations as they are. Click on Add. Save the Client ID and Client Secret as we will be needing them when configuring Moodle.

6. Now, let’s configure the user details that need to be sent to Moodle. For this example, we will be sending the user’s first name, last name, and email as user information. Expand the Claim Configuration drop-down from the Service Provider configuration. Select the Use Local Claim Dialect option for the Claim Mapping Dialect. Click on Add Claim URI under Requested Claims. Add the claim as shown below.

7. Click on Update to save the Service Provider configuration. Learn more about configuring a Service Provider from here.

8. Now let’s create a user and update the first name, last name, and email so that we can test logging in to Moodle using the sample user.

Now that we have successfully configured WSO2 IS, let’s see how we can configure Moodle to allow login with WSO2 IS credentials.

  1. Log in to Moodle as an administrator. Go to Site Administration. Under the Server tab, click on OAuth 2 services. Click on Create new custom service.
  2. Provide a suitable name for the configuration under Name (e.g. WSO2). Once configured properly, the WSO2 login option will be displayed on the Moodle login page under the name we add here.
  3. Add the Client ID and Client Secret we obtained when creating the Service Provider in WSO2 IS.
  4. Under Scopes included in a login request and Scopes included in a login request for offline access, provide ‘openid email profile’.
  5. Tick Show on login page, so that WSO2 will be listed as a login option to allow users to log in with their WSO2 accounts.
  6. Optionally, you can provide a link to the WSO2 logo, so that it will be displayed on the login page with the WSO2 login option.
  7. Click Save Changes to save the configuration.
WSO2 OAuth2 service configuration in Moodle

8. Once saved you will see WSO2 listed as an OAuth 2 service. You will see a set of icons under Edit.

9. Click on the second icon on that set to configure the endpoints. Configure WSO2 IS authorization, user info, and token endpoints by the same endpoint names as shown below by clicking on Create new endpoint for issuer “WSO2”.

authorization_endpoint : https://localhost:9443/oauth2/authorize
token_endpoint : https://localhost:9443/oauth2/token
userinfo_endpoint : https://localhost:9443/oauth2/userinfo

Endpoints configuration for WSO2

(Tip : You may find the URLs for these endpoints in your WSO2 IS setup by navigating to Identity > Identity Providers > Resident > Inbound Authentication Configuration > OAuth2/OpenID Connect Configuration in the WSO2 Management Console’s main menu.)

10. Now click on the third icon under the edit list shown in step 8 to configure user field mappings. This will allow Moodle to update the user profile using the information we send along with the authentication response. Click on Create new user field mapping for issuer “WSO2” and add the values as shown below.

User claim mappings between WSO2 and Moodle

With this, we have completed configuring an OAuth2 service for WSO2 IS in Moodle. As the last step, we have to enable OAuth 2 as an authentication option. To do that, navigate to Site Administration > Plugins > Authentication > Manage Authentication and enable OAuth 2 by clicking the eye icon under the Enable column.

Note: Moodle provides an option to verify a user’s email address before the user can log in with OAuth. This applies to newly created user accounts as part of the login process, or when an existing Moodle account is connected to an OAuth login via matching email addresses. However, in Moodle 3.9, this option is not available from the UI for custom OAuth service configurations, and Require email verification is set to true by default. If you want to skip the email verification, you will have to do it manually by updating the database. This value can be set to 0 or 1 in the ‘requireconfirmation’ column of the ‘mdl_oauth2_issuer’ table in the Moodle database. In this demonstration, I have set it to 0 so that email verification is not required.
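As an added example (not part of the original article, and not Moodle or WSO2 IS code), the Python check below takes the issuer settings used in this walkthrough and lists what should change before the setup leaves a single test machine. The function name `check_issuer`, the rule set and the wording of the findings are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")
SCOPES = {"openid", "email", "profile"}

def check_issuer(wwwroot, callback_url, endpoints, scopes, requireconfirmation):
    """Return findings for one Moodle OAuth 2 issuer set up as in this article."""
    findings = []
    # WSO2 IS must have exactly <Moodle-www-root>/admin/oauth2callback.php registered.
    expected = wwwroot.rstrip("/") + "/admin/oauth2callback.php"
    if callback_url != expected:
        findings.append(f"callback URL {callback_url!r} != {expected!r}")
    for name in ENDPOINTS:
        url = endpoints.get(name)
        if not url:
            findings.append(f"{name} is not configured")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{name} is not https")
        # The browser opens authorization_endpoint and the Moodle server calls the
        # other two, so localhost only works when everything runs on one machine.
        if parts.hostname in ("localhost", "127.0.0.1", "::1"):
            findings.append(f"{name} uses localhost")
    missing = SCOPES - set(scopes.split())
    if missing:
        findings.append("login scopes missing: " + " ".join(sorted(missing)))
    if requireconfirmation == 0:
        findings.append("requireconfirmation=0: email from WSO2 IS is accepted unverified")
    return findings

# Values as used in the article's walkthrough (requireconfirmation set to 0 there).
DEMO = {
    "wwwroot": "https://example.moodle.com",
    "callback_url": "https://example.moodle.com/admin/oauth2callback.php",
    "endpoints": {
        "authorization_endpoint": "https://localhost:9443/oauth2/authorize",
        "token_endpoint": "https://localhost:9443/oauth2/token",
        "userinfo_endpoint": "https://localhost:9443/oauth2/userinfo",
    },
    "scopes": "openid email profile",
    "requireconfirmation": 0,
}

if __name__ == "__main__":
    for finding in check_issuer(**DEMO):
        print("-", finding)
```

With `requireconfirmation` left at 1 and the endpoints pointed at the real WSO2 IS hostname, the same call returns an empty list.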

Now all the required configurations are complete. We can now try to log in to Moodle with the user we created in WSO2 IS in a previous step of this article. As shown below, you can now successfully log in to Moodle with your WSO2 account. On the first login attempt, the user will be directed to the user profile so that the information can be updated. As you can see below, the first name, last name, and email will be automatically filled with the information obtained from WSO2 IS.

Congratulations! You have now successfully configured WSO2 IS as a login option for Moodle, and you do not need to maintain another set of credentials for Moodle 🙂. You can refer to the WSO2 IS documentation to check out how you can integrate many other applications with WSO2 Identity Server, and get rid of the hassle of managing multiple sets of credentials for each and every application an organization uses. You can also take advantage of many other features that WSO2 IS offers to make authentication more secure, such as multi-factor authentication and adaptive authentication. Refer to the official WSO2 IS documentation from here to learn more.
