Tuesday, April 7, 2015

Office 365 Moodle Integration Project - New and Improved

Since we released the O365 integration plug-ins back in January, there has been a lot of community pick-up and feedback. We have responded with a number of improvements. This article focuses on the most noticeable ones, which concern O365 single sign-on and account connection.

The original release of the O365 plug-ins required users who wanted to use the O365 OneDrive and Outlook Calendar Moodle integrations to change their Moodle account authentication scheme to OpenID Connect, using Office 365’s Azure Active Directory (AAD) system. Any new Moodle account had to be created and managed from the Office 365 AAD system as well. To log in, a user had to use the separate “OpenID Connect” login button on the Moodle login page.

This system worked well for new Moodle installations, where no user management system had been established yet and it was therefore easy to select OpenID Connect/AAD as the authentication system. But for established Moodle sites, where other user management and authentication systems were already in place, this proved to be a barrier to using the O365 integrations.

Further, some Moodle sites that did want to use the OpenID Connect/AAD system for Moodle authentication didn’t want their users to look for a separate login button on the Moodle login page, but to continue to use the standard Moodle login form.

I’ll deal with the second problem first.

As originally released, to log in via O365, you had to use a separate button on the login page, like below:

However, Moodle is built such that authentication plug-ins can use the standard login form, if they choose to do so. For this case, we built in the ability for Moodle to pass the entered username and password to the OpenID Connect provider, and log the user in to both O365/AAD and Moodle at the same time, in the background. In order to facilitate this, we provided an extra configuration option:

As shown, the second radio button turns off the need to use the separate OpenID Connect login button, and allows the standard Moodle login form to function with OpenID Connect. If you select the first radio button, the login will work as it did before, and require the user to log in using the external provider.

One other addition is the ability to select an icon for use on the login button, or upload a custom icon for the same use. This allows the OpenID Connect login button to have an icon more suited to the organization, if they choose not to show the Microsoft Office icon.

For the account connection problem, we approached it in a unique way. As the account connection mechanism existed, sites that wanted their users to take advantage of the O365 integrations required that the Moodle logins be managed from O365/AAD as well. The plug-ins provided an easy mechanism to connect existing Moodle accounts to existing O365 accounts, and then switch those users to the O365/AAD login, but that was a permanent change. And sites with many users already have well-established user management and login systems that they use with Moodle.

To solve that problem, we provided a mechanism that allows users to either switch to using the O365 login (as before), or connect their current Moodle account to an O365 account and continue to log in to Moodle as they did before. This mechanism is contained in the user profile plug-ins accessed from a user's Moodle profile page, as shown here:

In this shot, you can see two Office365 links: 
  • Office365 Connection: You are not connected to Office 365. Connect to Office 365
  • Office365: You are not using Office365 to log in. Start using Office365 to log in.
Either of these links takes you to the new O365 management page, which provides links to each function, as shown here:

The first function on this page, "Start using Office365 to log into Moodle", works the same as in the first release. If you click that link, you will be redirected to your Office365 login page to log in to O365/AAD. If you log in with a valid AAD account that has not already been connected to a Moodle account, your Moodle account will then be reconfigured to use AAD as the authentication scheme. Once that has been done, you will always need to log in to Moodle using the AAD account information.

The second function on this page, "Connect to Office365", is the new function. If you click that link, you will likewise be redirected to your Office365 login page. If you log in with a valid AAD account that has not already been connected to a Moodle account, your Moodle account will be configured to be connected to that O365 account. This means that you will continue to log in to Moodle in the same way you always have, but when you access any of the O365 Moodle integrations, your O365 account will automatically be used. You won't need to log in twice once the connection has been made.

This second feature was one that was most asked for. This feature allows Moodle sites that cannot change their Moodle authentication schemes to still take advantage of the full O365 integrations.

One feature that has also remained is the automatic account creation. If a user who does not yet exist in Moodle logs into a Moodle site that has the OpenID Connect O365/AAD authentication plug-in enabled, and the account information they use is a valid AAD account, they will be logged in and a new Moodle account will be created for them.
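
The three account paths described above ("Connect to Office365", "Start using Office365 to log in", and automatic account creation) can be modelled as one registry that enforces the "not already connected to a Moodle account" rule. This is an added example, not code from the plug-ins: the class and method names, the `aad-…` identifiers, and the refusals marked as assumptions in the comments are all hypothetical. How the plug-in treats an OpenID Connect login for an account that is connected but has not switched is not described here; the model simply resolves it to the linked account.

```python
from dataclasses import dataclass
from typing import Optional

class LinkError(Exception): pass

@dataclass
class MoodleUser:
    username: str
    auth: str                      # e.g. "manual", "ldap" or "oidc"
    aad_id: Optional[str] = None   # connected AAD account, if any

class AccountRegistry:
    def __init__(self):
        self.users, self.by_aad = {}, {}   # username -> user, aad_id -> username

    def add(self, username, auth):
        return self.users.setdefault(username, MoodleUser(username, auth))

    def _claim(self, user, aad_id):
        owner = self.by_aad.get(aad_id)
        if owner is not None and owner != user.username:
            raise LinkError(f"{aad_id} is already connected to {owner}")
        if user.aad_id not in (None, aad_id):   # assumption: one AAD account per user
            raise LinkError(f"{user.username} is connected to another AAD account")
        self.by_aad[aad_id] = user.username
        user.aad_id = aad_id

    def connect(self, username, aad_id):
        """'Connect to Office365': link only, the Moodle login method is unchanged."""
        user = self.users[username]
        self._claim(user, aad_id)
        return user

    def switch_login(self, username, aad_id):
        """'Start using Office365 to log in': link, then move auth to OIDC."""
        user = self.connect(username, aad_id)
        user.auth = "oidc"
        return user

    def oidc_login(self, aad_id, suggested_username):
        """Login through the OIDC plug-in after AAD has validated the account."""
        owner = self.by_aad.get(aad_id)
        if owner is not None:
            return self.users[owner]
        if suggested_username in self.users:    # assumption: never adopt by name match
            raise LinkError("username exists; connect from the profile page instead")
        user = self.add(suggested_username, "oidc")   # automatic account creation
        self._claim(user, aad_id)
        return user
```

The refusal in `_claim` is the part worth testing on a real deployment: an AAD account that could be attached to a second Moodle account would let one O365 identity act as two Moodle users.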

We have a number of other improvements and new features coming in future releases. Look to future blog posts describing these.