Does OLAT support IdP-initiated single Sign ON


Graham Conway

Nov 1, 2019, 5:45:50 AM
to OpenOlat

We have managed to enable Shibboleth / SAML single sign-on for OLAT where the sign-on is initiated on the Service Provider (olat server side).

We did so mostly by making changes to the olat.local.properties file and then a lot of configuration with Shibboleth httpd and tomcat, and configuration of our SAML identity provider.

Has anyone been able to set up OLAT with IdP-initiated Single Sign-On?

Thanks,

Graham

Florian Gnägi

Nov 4, 2019, 11:07:30 AM
to open...@googlegroups.com
Hi Graham

I can’t help you with that, but I think this is more a question about how to configure Apache? 

Cheers
Florian

--------------------------------------------------------------------
professional services for the e-learning system OpenOLAT
hosting - operating - support - development - mobile - consulting
--------------------------------------------------------------------
frentix  GmbH
Florian Gnägi, Managing Director
Okenstrasse 6
CH-8037 Zürich, Switzerland


--------------------------------------------------------------------

Graham Conway

Nov 4, 2019, 3:09:32 PM
to open...@googlegroups.com
Hi Florian.
Thanks for the reply.

We have apache / shibboleth / and Olat configured so we can do a SAML sign-on, using the "Shibboleth login" button.

This is service provider initiated in that the user navigates to the server where olat is installed and requests a shibboleth login by pressing the Shibboleth login button. If the user already has an established session, they are taken straight into their OLAT home page.

My question is, is there an olat URL we could use that would have the same effect as the user pressing the "Shibboleth login" button?

(We'd like to have a login button on our Identity Provider Portal that would navigate the user to this URL.)

Thanks,

Graham Conway



Stephan Clemenz

Nov 6, 2019, 5:57:33 AM
to open...@googlegroups.com

Hi Graham,

for our environment links behind that magic login button like the following would work:

https://olat.vcrp.de/Shibboleth.sso/Login?SAMLDS=1&target=https%3A%2F%2Folat.vcrp.de%2Fshib%2F&entityID=https%3A%2F%2Fidp.uni-kl.de%2Fidp%2Fshibboleth

Cheers, Stephan


Graham Conway

Nov 6, 2019, 9:18:54 AM
to OpenOlat
Thanks, Stephan,

I appreciate the help.
We will give it a try.

Graham


Graham Conway

Nov 7, 2019, 6:58:54 AM
to OpenOlat

That URL form worked for us. Thanks, Stephan!

Essentially what we were missing was the "/shib/" at the end of the URL for the RelayState that we had defined in our Identity Provider.

So we changed

and this allowed an end user to go straight from the identity provider portal, to their home page within olat.
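
An added example, not part of the original thread and not OpenOlat or Shibboleth code: a Python check that an IdP portal could run on a login link of the form Stephan posted, confirming that the target stays on the OLAT host, ends in "/shib/" as Graham found was needed, and names an expected IdP. The function names and the allowlist are assumptions for illustration; the hosts are the ones in the posted URL.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Sample values taken from the URL posted in the thread; the allowlist itself is constructed.
SP_ORIGIN = "https://olat.vcrp.de"
ALLOWED_IDPS = {"https://idp.uni-kl.de/idp/shibboleth"}
REQUIRED_TARGET_SUFFIX = "/shib/"  # the path ending the thread found was required

def build_login_link(sp_origin, target_path, idp_entity_id):
    """Build a /Shibboleth.sso/Login link in the shape shown in the thread."""
    query = urlencode({"SAMLDS": "1",
                       "target": sp_origin + target_path,
                       "entityID": idp_entity_id})
    return f"{sp_origin}/Shibboleth.sso/Login?{query}"

def check_login_link(url, sp_origin=SP_ORIGIN, allowed_idps=ALLOWED_IDPS):
    """Return a list of problems; an empty list means the link is acceptable."""
    problems = []
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}" != sp_origin:
        problems.append("login handler is not on the expected SP origin")
    if parts.path != "/Shibboleth.sso/Login":
        problems.append("unexpected handler path")
    params = parse_qs(parts.query)
    targets = params.get("target", [])
    idps = params.get("entityID", [])
    # Duplicate parameters are rejected: parsers may disagree on which one wins.
    if len(targets) != 1 or len(idps) != 1:
        problems.append("target and entityID must each appear exactly once")
        return problems
    target = urlsplit(targets[0])
    # A target on another host would send the user elsewhere after login.
    if f"{target.scheme}://{target.netloc}" != sp_origin:
        problems.append("target leaves the SP origin (redirect risk)")
    if not target.path.endswith(REQUIRED_TARGET_SUFFIX):
        problems.append("target path does not end with /shib/")
    if idps[0] not in allowed_idps:
        problems.append("entityID is not an allowed IdP")
    return problems
```
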



Phuc Luoi

Sep 11, 2020, 10:47:18 AM
to OpenOlat
@Graham
Maybe you can tell me how to configure RelayState on Shibboleth?

Graham Conway

Sep 11, 2020, 12:35:41 PM
to open...@googlegroups.com

Hi Phuc

This was a while ago. If my memory serves me well ...

We encountered timing problems when using relayState.
We ended up configuring homeURL in our shibboleth2.xml file like this:

<ApplicationDefaults entityID="https://<OLAT_HOST_MACHINE_URL>/shibboleth"
                     homeURL="https://<OLAT_HOST_MACHINE_URL>/openolat/shib/"


Good luck!

Graham Conway


