Single sign-on

[marcobruining]

Create single sign-on on the ElimuPi so that users are automatically known and profiled in all systems.

Decide how to handle the following actions

• user management
• role management
• password reset

[DEANpeterV]

SSO based on LDAP seems to provide the widest support as this can be used for OS and WEB. Note that user admin needs to be managed from the ElimuPi Web Admin GUI. It is important that If we use the SSO for multiple systems a local alternative on each system also needs to function as a backup/backdoor.

[pieterD7]

SSO works now with LDAP and Moodle (branch openldap).

[Tr4nnel]

Our group has shortly looked at this. We discussed the requirements with Peter and wanted to look at using a lightweight Identity Provider in conjunction with an OIDC plugin for Kolibri. Below, we'll discuss our conclusions:

Ory OAuth2 Identity provider
Ory is lightweight and we think it could be installed on a Raspberry Pi. It is maintained well and we think it could work standalone in a local network.

Kolibri oidc plugin
For this to work, it was essential that the available Kolibri oidc plugin would work: https://github.com/learningequality/kolibri-oidc-client-plugin. It didn't.

On two separate systems, we got the following error while trying to enable the plugin:

Kolibri plugin apply kolibri_oidc_client_plugin INFO: No C extensions are available for this platform INFO Enabling plugin 'kolibri_oidc_client_plugin' ERROR Plugin 'kolibri_oidc_client_plugin' exists but does not have an importable kolibri_plugin module Error: An error occurred applying the plugin configuration

We're not sure yet if this oidc plugin is usable in any form, but we think it would be viable to investigate the further.

Moodle
We haven't investigated Moodle yet, but it looks like there is a Moodle OIDC plugin that provides single-sign-on functionality using configurable identity providers.