
be able to add restriction to auth oidc #2662

Open
slewislcm opened this issue Oct 1, 2024 · 1 comment
Assignees
Labels
Feature - SSO Issue type - help wanted General questions on how to use the plugins, e.g. configurations etc. Plugin - auth_oidc Status - need more info Further information requested to triage the issue.

Comments

@slewislcm

Hi,
The plugin is working pretty well for us, just tweaking the process. So the user sync creation works well, with the restriction by an Entra group. And users can access and create new accounts by logging straight into Moodle, but when they do there is no group restriction (unless I'm missing something), so it's open to anyone on our domain.
We've set the auth_oidc/userestriction to our domain, but I think it would be good to restrict by group too, so we can leave the 'account creation' on when authenticating.

thanks,
Simon

@weilai-irl
Collaborator

Hi @slewislcm

I confirm the User Restrictions settings in the auth_oidc plugin can only work on user identifier, which is UPN for Microsoft accounts. It's impossible to extend it to support groups.

You may want to check the Prevent account creation when authenticating (authpreventaccountcreation) setting on the "Manage authentication" configuration page (https://url.to.moodle/admin/settings.php?section=manageauths). When enabled, it will prevent any authentication plugin that authenticates users from external IdPs, including but not limited to auth_oidc, from creating a new Moodle account on successful authentication.

The ideal configuration in your case is likely:

  • Use the restriction in the user sync task to create accounts for users from a configured group only.
  • Enable the Prevent account creation when authenticating setting so that only users with existing Moodle accounts can log in to Moodle.

Please give it a try.

Regards,
Lai
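The two gates described in this thread, modelled as an added example (this is not auth_oidc or Moodle code): account provisioning is restricted to a configured group in the sync task, while a direct login is only checked against the UPN restriction, so the `authpreventaccountcreation` flag is what closes the gap for users who match the domain but are not in the group. Group membership, the UPN regex and the user names are constructed sample values.

```python
import re

# Assumed sync-group membership (constructed sample data).
SYNC_GROUP_MEMBERS = {"alice@example.org"}
# Assumed auth_oidc user restriction: a regex on the UPN, here the domain only.
UPN_RESTRICTION = re.compile(r"@example\.org$")


def sync_accounts(directory_users, existing_accounts):
    """Model of the user-sync task: only members of the configured group are provisioned."""
    for upn in directory_users:
        if upn in SYNC_GROUP_MEMBERS:
            existing_accounts.add(upn)
    return existing_accounts


def direct_login(upn, existing_accounts, prevent_account_creation):
    """Model of a direct OIDC login.

    Returns (decision, reason). The only per-user check at login is the UPN
    restriction; group membership is not consulted here, which is the gap the
    issue reports. With prevent_account_creation enabled, an allowed UPN that
    has no Moodle account is denied instead of being auto-created.
    """
    if not UPN_RESTRICTION.search(upn):
        return "denied", "upn fails restriction"
    if upn in existing_accounts:
        return "allowed", "existing account"
    if prevent_account_creation:
        return "denied", "no account and creation disabled"
    existing_accounts.add(upn)  # default behaviour: account created at first login
    return "allowed", "account created at login"


def demo():
    """Run both configurations against the same directory and return the outcomes."""
    directory = ["alice@example.org", "bob@example.org", "eve@example.net"]
    results = {}
    for prevent in (False, True):
        accounts = sync_accounts(directory, set())
        results[prevent] = {u: direct_login(u, accounts, prevent) for u in directory}
    return results
```

In the output, `bob@example.org` (same domain, not in the group) gets an account created at login when the flag is off and is denied when it is on, while `alice@example.org` is allowed in both cases because the sync task already provisioned her.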

@weilai-irl weilai-irl self-assigned this Oct 2, 2024
@weilai-irl weilai-irl added Issue type - help wanted General questions on how to use the plugins, e.g. configurations etc. Status - need more info Further information requested to triage the issue. Plugin - auth_oidc Feature - SSO labels Oct 2, 2024