Forum LAMS for Tech-Heads - General Forum: Integration - Single sign on questions


1: Integration - Single sign on questions
11/15/05 12:05 PM
Hi all,

Our passwords are hashed so we cannot extract them when bulk creating users with the LAMS web service. Also, even if we could, sending users' passwords unencrypted represents a security risk that our customers (schools) aren't willing to accept.

Ideally we would like to do single sign on in a similar way to the method done with Moodle. This approach would maintain the security of our system and allow LAMS to share the user data exposed by our system.

-- "All URL calls from Moodle to LAMS will supply a ticket (long id number) on the URL call. LAMS will then call a Moodle webservice to check the ticket against the supplied username. Once authenticated, the session and user principal will need to be set up to allow the LAMS tools to function. This could probably be implemented using a JAAS module (or similar), except that this makes it difficult to access LAMS directly." -- from Moodle Integration.doc

Can anyone tell me if this web service that LAMS calls is configurable? Could it be changed if it's not? Am I barking up the wrong tree?

Thanks in advance for any suggestions or advice on the best way to do this.


Posted by Scott Bradley

2: Re: Integration - Single sign on questions
In response to 1 11/15/05 12:16 PM
I still don't think I've got this right in my head.

This is the process I'm thinking it would be (please correct or make suggestions):

1. Configure LAMS to use our authentication web service
2. Create all the users in LAMS with dummy passwords

Log in
1. A user tries to log in to LAMS.
2. LAMS calls our web service to authenticate the user/password.
3. Success, create the session & user principal and go from there

This doesn't really take into account the ticket (long id number) on the URL call though. Would this be used? How is it generated?

Thinking out loud here.....


Posted by Scott Bradley

3: Re: Re: Integration - Single sign on questions
In response to 2 11/15/05 08:47 PM
Hi Scott,

Thanks for posting this second message, now I think I understand this a bit more clearly.

Ok, before I get into this directly, here's a bit more overall info on how the Moodle/Sakai/Blackboard/etc integrations work with Moodle.

For all the integrated packages, you can see that we have created a module *within* the LMS that we are trying to integrate. So you have a LAMS Module within Sakai, Moodle and Blackboard that we have developed.

These modules basically do a few things:

1.- Work as liaison between the LMS and LAMS
2.- Call the LAMS webservices to get information about sequences and classes
3.- Provide interface for LAMS Monitor and Authoring
4.- Provide the authentication for LAMS (using a hash generated on-the-fly)
5.- Provide an interface for LAMS to get basic information about users (username, first name and last name)
6.- probably some other things that I can't think of now.

The first thing that you do when you want to integrate LAMS and Moodle is download the LAMS Moodle Module and add it to your existing (or new) Moodle installation following the instructions.

Also, you need to add an entry to the LAMS database (on the LAMS side) following these instructions.

So once these two systems have all the info about each other, then the fun begins. For the sake of simplicity let's use a Moodle-LAMS example.

When a Moodle student logs into Moodle and wants to access a LAMS sequence, the rendering of the URL to LAMS sequencing is done dynamically. In the URL, LAMS appends a whole lot of information:

The uid is the user_id in Moodle.
The method is the module you are about to access in LAMS (it is different depending on Monitor, Authoring, etc.)
The ts is a date
The sid is the server_key (see the LAMS and Moodle installation instructions).
The hash is what LAMS uses for authenticating the user and verifying that he/she is coming from the right place (this is the single sign-on mechanism we use).
The course_id is the Moodle course_id

When LAMS gets all these parameters, it first checks that the hash is correct. The hash is created by adding a bunch of parameters and using the secret key that both parties (LAMS and Moodle) have. If the hash is not correct, then the user will get kicked out, as LAMS will understand that the user is not coming from the Moodle instance but from elsewhere.

Once the hash is verified, then LAMS does the authentication and basically accepts the user request. But now LAMS has to check whether this user does actually exist in its database. So it quickly searches the uid. If it exists, then it lets the user go straight to the sequence. If she doesn't, then LAMS queries the LAMS-Moodle module for the basic user info, so it can create a record for her in LAMS. Once it gets the data from Moodle, it creates a record and adds the user to the LAMS class (which is in a one-to-one relation to the Moodle course).

I hope that clarifies how the LMS integrations work.


Posted by Ernie Ghiglione

4: Re: Re: Re: Integration - Single sign on questions
In response to 3 11/16/05 04:32 AM
This looks great Ernie, thanks.

Apurva and I are still a bit unsure of the hash value and how to create it.

-- "The hash is what LAMS uses for authenticating the user and verifying that he/she is coming from the right place. (this is the single sign-on mechanism we use" --

How do we construct the hash? We've tried generating our own and also looking at the Moodle integration code but it's not very clear.

-- from the moodle/lams code
$plaintext = trim($datetime).trim($USER->username).trim

$hash = sha1(strtolower($plaintext));

It appears to be the concatenation of: the datetime, username, author method??(what is this?), the server id and the server key.

Then the result is converted to lowercase and the sha hash function performed on it.

Most of the values appear to be ok, the one that doesn't make sense is the author_method.

Thanks for your quick response,

Posted by Scott Bradley

5: Re: Re: Re: Re: Integration - Single sign on questions
In response to 4 11/16/05 04:35 AM

Do we need to apply for the server key and the server id? In the Moodle configuration file it appears like we have to apply for them. Is this correct?

$string['serverid'] = 'Enter the server ID received from LAMS international.';
$string['serverkey'] = 'Enter the server key received from LAMS international.';


Posted by Scott Bradley

6: Re: Re: Re: Re: Re: Integration - Single sign on questions
In response to 5 11/16/05 07:06 PM
That must be a mistake from when the module was being tested, you don't need LI to give you an ID/key - feel free to use whatever suits you. It just needs to match the ID/key stored in LAMS' external server table.

Also, the author_method in the hash is referring to whether that particular hash is for author/monitor/learner, in this case author. Maybe someone else could shed some light on why this is.

Posted by Jun-Dir Liew

7: Re: Re: Re: Re: Integration - Single sign on questions
In response to 4 11/17/05 01:32 AM
> author method??(what is this?)

As Jun-Dir mentions, it is actually a string containing "author" "monitor" or "learner" according to the module you are about to access in LAMS.

Posted by Ernie Ghiglione
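A worked model of the exchange Ernie describes in post 3 and the hash Scott quotes in post 4, as an added example that is not LAMS or Moodle code: the Moodle side builds the URL parameters and the hash the way the quoted PHP does (trim each field, concatenate datetime, username, method, server id and server key with no separator, lowercase, sha1), and the LAMS side looks the sid up in its external server table, rejects stale timestamps and compares the hash in constant time. The ts wire format, the separate `username` parameter and the five-minute freshness window are assumptions, not something the thread specifies.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y%m%d%H%M%S"          # assumed wire format for the ts parameter
METHODS = ("author", "monitor", "learner")
# Constructed stand-in for LAMS' external server table: server id -> server key.
EXTERNAL_SERVERS = {"school-moodle-01": "example-shared-secret"}


def lams_hash(ts, username, method, server_id, server_key):
    # Mirrors the Moodle code quoted in the thread: trim each field, concatenate
    # with no separator, lowercase the whole string, then sha1 it.
    plaintext = "".join(s.strip() for s in (ts, username, method, server_id, server_key))
    return hashlib.sha1(plaintext.lower().encode("utf-8")).hexdigest()


def build_sso_params(user_id, username, method, course_id, server_id, server_key, now=None):
    # Moodle side: the query-string parameters appended to the LAMS URL.
    # Passing the username alongside uid is an assumption so LAMS can recompute the hash.
    now = now or datetime.now(timezone.utc)
    ts = now.strftime(TS_FORMAT)
    return {
        "uid": user_id, "username": username, "method": method, "ts": ts,
        "sid": server_id, "course_id": course_id,
        "hash": lams_hash(ts, username, method, server_id, server_key),
    }


def verify_sso(params, now=None, max_skew=timedelta(minutes=5)):
    # LAMS side: accept only a known method from a registered server, with a
    # fresh timestamp and a hash computed under that server's key.
    now = now or datetime.now(timezone.utc)
    if params.get("method") not in METHODS:
        return False, "unknown method"
    key = EXTERNAL_SERVERS.get(params.get("sid", ""))
    if key is None:
        return False, "unknown server id"
    try:
        ts = datetime.strptime(params["ts"], TS_FORMAT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > max_skew:          # limits replay of a captured URL
        return False, "stale timestamp"
    expected = lams_hash(params["ts"], params.get("username", ""), params["method"],
                         params["sid"], key)
    if not hmac.compare_digest(expected, params.get("hash", "")):
        return False, "bad hash"
    return True, "ok"
```

Because the whole plaintext is lowercased before hashing, two usernames differing only in case produce the same hash, so the uid lookup on the LAMS side, not the hash, is what distinguishes them.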
