Sakai and OAuth2


James Scoble

Jul 16, 2024, 4:43:04 AM7/16/24
to sakai-user
Hi good people.
At our institution we are looking into the option of integrating our Sakai-based LMS into a Microsoft single-sign-on system based on OAuth2.

Anyone have experience with this sort of thing, and advice you could share?
Thanks in advance.
James Scoble


Rob Costain

Aug 6, 2024, 9:27:57 AM8/6/24
to Sakai Users Group, James Scoble
Hi all,

I am looking at the same issue. We have SSO to many of our services using a SAML provider, but I would like to move us to OAuth2. Currently we are forced to maintain an LDAP service to integrate Sakai and this service needs to be retired for a variety of reasons I won’t bore you with. 

TIA,
Rob

David Eveland

Aug 9, 2024, 12:06:00 PM8/9/24
to Rob Costain, Sakai Users Group, James Scoble

James,

We just recently retired LDAP in favor of SAML exclusively – likely for similar reasons (though we were using both for quite a few years). New accounts are created in step with our on prem SSO services. We do not use OAuth2.

We use Jenzabar (J1) as our ERP, Microsoft365 with MFA, and Sakai 22.3, as well as Library services (Ebsco and the like).

Dave E.

Johnson University | 865.251.2320


--
You received this message because you are subscribed to the Google Groups "Sakai Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sakai-user+...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/sakai-user/7f583e1d-521e-4630-88bc-2a2a823b3a12n%40apereo.org.

Sam Ottenhoff

Aug 9, 2024, 12:06:05 PM8/9/24
to Rob Costain, Sakai Users Group, James Scoble
SAML is widely used across higher-ed and large organizations and enjoys good support from Microsoft, Google, auth vendors, and learning management systems including Sakai. What are good reasons for choosing something besides SAML if you are operating in higher-ed?

--Sam

Sam Ottenhoff

Aug 9, 2024, 12:06:06 PM8/9/24
to Rob Costain, James Scoble, Sakai Users Group
Ultimately you still need permission from the domain admins with either SAML or OIDC. I imagine OIDC is a bit easier for admins without a lot of experience. I believe I did a proof-of-concept OIDC implementation for a Sakai institution years ago, and I don't remember it being difficult. Our higher-ed clients all use SAML and seem to have no problems sharing SAML metadata back-and-forth.

--Sam

On Tue, Aug 6, 2024 at 10:00 AM Rob Costain <rcos...@learnquebec.ca> wrote:
Our organization is not higher ed. We are a non-profit serving K-11 using Sakai to deliver online courses to about 2K students per year. Our students come from 9+ school districts plus numerous independent, private schools each with its own internet domain.

Some use M365 and others Google. To configure SAML we have had to exchange federation metadata with each institution separately, and their IT departments are not always cooperative or responsive owing to competing priorities.

We’ve used OAuth2 with Moodle and it’s much easier to set up and manage integration with different school board domains.

If there’s a better way to do it, I’m all ears!

Robert Costain
Learning Technology Manager
LEARN
p: 450.622.2212 x222  m: 514.605.0844
f: 450.622.1460
a: 201-4190 rue Garand, Laval QC H7L 5Z6

Rob Costain

Aug 9, 2024, 12:06:06 PM8/9/24
to Sam Ottenhoff, James Scoble, Sakai Users Group
Thanks for the insightful comments.

The SAML setup process itself is very easy and we’ve documented it well for the institutions we work with. Ultimately my team can get it up and running in an hour or two. Our issue is the human element – i.e. getting a tech to assist at the other end of the authentication chain.

In my experience, I can whitelist school district domains in an OAuth2 environment and users in that domain don’t need to do anything to be able to log in to our services other than a one time confirmation by email that Moodle sends when activating a new user. That simplicity is the driver behind the strategy to switch from SAML.


--
Robert Costain
Learning Technology Manager
LEARN
p: 450.622.2212 x222  m: 514.605.0844
f: 450.622.1460
a: 201-4190 rue Garand, Laval QC H7L 5Z6
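The domain allowlist Rob describes turns on which token claims the LMS trusts. As an added illustration (not code from Sakai, Moodle or any poster in this thread), this Python check allowlists Microsoft tenants by the tid claim and Google Workspace domains by the hd claim; the tenant ID and domains are constructed placeholders, and it assumes the OIDC client library has already verified the token's signature, audience and expiry.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed allowlist for illustration: the tenant ID and domains are placeholders,
# not real school boards. Microsoft entries map tenant ID (tid claim) -> expected e-mail domain.
ALLOWED_MICROSOFT_TENANTS: Dict[str, str] = {
    "11111111-2222-3333-4444-555555555555": "district-a.example",
}
ALLOWED_GOOGLE_DOMAINS = {"district-b.example"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    eid: Optional[str] = None  # identifier to hand to the LMS on success


def check_claims(claims: dict) -> Decision:
    """Decide whether ID-token claims belong to an allowlisted school domain.

    Assumes the token's signature, audience and expiry were already verified
    by the OIDC client library; this function only applies the allowlist.
    """
    iss = claims.get("iss", "")
    email = str(claims.get("email", "")).lower()
    email_domain = email.rpartition("@")[2]
    if iss.startswith("https://login.microsoftonline.com/"):
        # Microsoft Entra ID: the tenant is what we trust, so key on tid and
        # require the issuer to agree with it rather than allowlisting e-mail text.
        tid = claims.get("tid")
        expected_domain = ALLOWED_MICROSOFT_TENANTS.get(tid)
        if expected_domain is None:
            return Decision(False, "tenant not allowlisted")
        if iss != f"https://login.microsoftonline.com/{tid}/v2.0":
            return Decision(False, "issuer does not match tid")
        if email_domain != expected_domain:
            return Decision(False, "e-mail domain does not match tenant")
        return Decision(True, "microsoft tenant allowlisted", email)
    if iss in ("https://accounts.google.com", "accounts.google.com"):
        # Google: hd is the Workspace hosted domain; a plain consumer account has none.
        hd = claims.get("hd")
        if hd not in ALLOWED_GOOGLE_DOMAINS:
            return Decision(False, "hosted domain not allowlisted")
        if not claims.get("email_verified") or email_domain != hd:
            return Decision(False, "e-mail unverified or does not match hd")
        return Decision(True, "google domain allowlisted", email)
    return Decision(False, "unknown issuer")
```

Keying on the tenant or hosted-domain claim rather than the e-mail string is what makes a per-district allowlist safe to apply without exchanging metadata with each district.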

Earle Nietzel

Aug 15, 2024, 4:38:08 PM8/15/24
to Rob Costain, Sam Ottenhoff, James Scoble, Sakai Users Group
You should be able to add an XML config similar to the one Sakai uses for SAML (ADFS) and CAS that uses oauth2; see https://stackoverflow.com/questions/31435288/example-xml-configuration-of-spring-oauth-2
-earle
