Skip to main content
OpenEduCat logo
Authentication

Moodle SSO

When a student has accounts in both OpenEduCat and Moodle, the last thing they need is two passwords to remember, two login sessions to manage, and the friction of switching between systems. Single sign-on removes that friction: one login, both systems.

SSO is separate from user sync. User sync (handled by Student Roster Sync) creates and maintains Moodle accounts from OEC student records. SSO handles how those accounts are authenticated, replacing separate password management with a shared credential. Both should be running together.

See It in ActionBack to Moodle Hub

Three SSO Approaches

Choose based on which system was deployed first and what directory infrastructure you have.

OEC as SAML 2.0 Identity Provider

Recommended

OpenEduCat acts as the IdP. Moodle is configured as a Service Provider (SP) using Moodle's built-in SAML/Shibboleth auth plugin or the moodle-auth-saml2 plugin.

Authentication flow

  1. 1Student opens browser, navigates to Moodle
  2. 2Moodle detects unauthenticated session, redirects to OEC IdP
  3. 3Student logs into OEC with institutional credentials
  4. 4OEC issues SAML assertion, redirects back to Moodle
  5. 5Moodle validates assertion, creates session
  6. 6Student lands in their Moodle dashboard, no second login

Configuration steps

  • OEC SAML module: install and configure with entity ID, ACS URL, certificate
  • Moodle: Site Admin → Plugins → Authentication → SAML2 (or Shibboleth)
  • Set IdP metadata URL or upload OEC's metadata XML
  • Map SAML attribute email or username to Moodle user matching field

Best for

Greenfield deployments where OEC is the primary system.

Shared LDAP / Active Directory

Most common

Both OEC and Moodle authenticate against a shared LDAP directory (Active Directory, OpenLDAP, FreeIPA). Neither system acts as IdP, the directory is the authority.

Authentication flow

  1. 1Both OEC and Moodle bind to the same LDAP/AD server
  2. 2Student uses institutional Windows/email credentials in both systems
  3. 3Password resets happen once in AD, both systems update automatically
  4. 4Account deprovisioning in AD locks access to both systems simultaneously

Configuration steps

  • OEC: Settings → Technical → Outgoing Mail → configure LDAP auth module
  • Moodle: Site Admin → Plugins → Authentication → LDAP server
  • Sync both systems to use uid/sAMAccountName as the matching key
  • Ensure OEC user sync populates the email field consistently

Best for

Institutions already running Active Directory or FreeIPA for all staff/student accounts.

Moodle as SAML 2.0 Identity Provider

Less common

Moodle acts as the IdP using SimpleSAMLphp or the mdl-saml plugin. OEC is configured as an SP. Useful when Moodle was deployed first and already has the institutional IdP infrastructure.

Authentication flow

  1. 1Student logs into Moodle with existing credentials
  2. 2Student navigates to an OEC-linked page or OEC portal
  3. 3OEC redirects to Moodle's IdP endpoint
  4. 4Moodle validates existing session, issues SAML assertion
  5. 5OEC validates assertion, grants access

Configuration steps

  • Moodle: install SimpleSAMLphp or equivalent IdP software alongside Moodle
  • OEC: install SAML SP module, configure with Moodle's IdP metadata
  • Attribute mapping: Moodle attribute → OEC user field (typically email)

Best for

Institutions where Moodle was deployed first and already runs SAML infrastructure.

SSO and User Sync: How They Work Together

These are complementary features, not alternatives. User sync handles account lifecycle: creating accounts when students enroll, suspending them when they graduate. SSO handles authentication: how those accounts are verified at login time.

User Sync handles

  • Creating Moodle accounts for new students
  • Updating name and email when changed in OEC
  • Suspending accounts on graduation/withdrawal
  • Enrolling students in the right Moodle courses

SSO handles

  • Authentication, verifying who the user is
  • Unified password (one to set, one to remember)
  • Session sharing across OEC and Moodle
  • Single logout (SLO) when configured

Important: order of setup

If you are connecting OEC to an existing Moodle instance, run the Initial Import Wizard first to reconcile existing Moodle accounts with OEC student records. Then enable SSO. If you enable SSO's JIT (Just-in-Time) provisioning before running the wizard, it may create duplicate Moodle accounts on first login that conflict with the accounts the user sync would create.

Multi-factor authentication

MFA is controlled by the identity provider. If OEC is acting as SAML IdP, MFA support depends on the Odoo SAML module configuration. If you are using shared LDAP with an MFA-capable proxy (FreeIPA, Microsoft Entra ID, Okta, Duo), MFA is enforced at the directory level and both OEC and Moodle benefit automatically, no per-application MFA configuration required.

Moodle SSO, Frequently Asked Questions

How unified authentication works across OEC and Moodle.

Three approaches: (1) OEC as SAML 2.0 Identity Provider, with Moodle configured as a Service Provider and students authenticating once in OEC to access both systems; (2) shared LDAP/Active Directory, where both OEC and Moodle authenticate against the same LDAP directory so credentials are unified without either system acting as IdP; (3) Moodle as IdP, less common but useful if Moodle was already configured as an SAML IdP before OEC was deployed.

Related:

SSO / LDAP integration →Student roster sync →Moodle integration hub →

Ready to Transform Your Moodle SSO?

See how OpenEduCat frees up time so every student gets the attention they deserve.

See How It WorksTalk to an Advisor

Try it free for 15 days. No credit card required.