By: Sanjeev Kumar user 08 Aug 2018 at 5:55 a.m. CDT

12 Responses
Dear Gluu Team, we are trying to implement SSO with Moodle version 3.1.13. We did all the settings given at https://gluu.org/docs/ce/integration/saas/moodle/ on both Gluu and Moodle, but when we try to log in to Moodle using OpenID Connect, we get the error below: "{"error":"unauthorized_client","error_description":"The client is not authorized to request an access token using this method.","state":"nVsoWURz7JUAIMB"}". We are stuck here; kindly help us get through. Thanks in advance.

By Ganesh Dutt Sharma Account Admin 08 Aug 2018 at 3:42 p.m. CDT

Hi, instead of OpenID Connect, use the OAuth2 plugin: Site administration ---> Server ---> OAuth 2 services. Here you should enter: Name, Client ID, Client Secret, scopes as `openid profile email`, Service base URL as just the URL of your gluu-server, and save the changes. Please let us know the results.

By Ganesh Dutt Sharma Account Admin 09 Aug 2018 at 3:46 a.m. CDT

Considering OIDC from a security point of view, may I know what your OIDC settings are that are not letting you perform SSO?

By Sanjeev Kumar user 10 Aug 2018 at 1:47 a.m. CDT

Ganesh Dutt Sharma, please find attached our Moodle settings and Gluu client settings for SSO.

By Sanjeev Kumar user 10 Aug 2018 at 5:03 a.m. CDT

Ganesh Dutt Sharma, please find attached our Moodle settings:

Provider Name (auth_oidc | opname): OpenID Connect (default: OpenID Connect). This is an end-user-facing label that identifies the type of credentials the user must use to log in. This label is used throughout the user-facing portions of this plugin to identify your provider.

Client ID (auth_oidc | clientid): Moodle_test1 (default: empty). Your registered Client ID on the identity provider.

Client Secret (auth_oidc | clientsecret): Moodle1 (default: empty). Your registered Client Secret on the identity provider. On some providers, it is also referred to as a key.

Authorization Endpoint (auth_oidc | authendpoint): https://authsso.aiims.edu/oxauth/restv1/authorize (default: https://login.microsoftonline.com/common/oauth2/authorize). The URI of the Authorization endpoint from your identity provider to use.

Token Endpoint (auth_oidc | tokenendpoint): https://authsso.aiims.edu/oxauth/restv1/token (default: https://login.microsoftonline.com/common/oauth2/token). The URI of the token endpoint from your identity provider to use.

Resource (auth_oidc | oidcresource): (default: https://graph.windows.net). The OpenID Connect resource for which to send the request.

Redirect URI (auth_oidc | redirecturi): http://192.168.185.107/moodle/auth/oidc/ This is the URI to register as the "Redirect URI". Your OpenID Connect identity provider should ask for this when registering Moodle as a client. NOTE: You must enter this in your OpenID Connect provider exactly as it appears here. Any difference will prevent logins using OpenID Connect.

Auto-Append (auth_oidc | autoappend): (default: empty). Automatically append this string when logging in users using the "Resource Owner Password Credentials" authentication method. This is useful when your identity provider requires a common domain, but you don't want to require users to type it in when logging in. For example, if the full OpenID Connect user is "james@example.com" and you enter "@example.com" here, the user will only have to enter "james" as their username. Note: In the case where conflicting usernames exist, i.e. a Moodle user exists with the same name, the priority of the authentication plugin is used to determine which user wins out.

Domain Hint (auth_oidc | domainhint): (default: empty). When using the "Authorization Code" authentication method, pass this value as the "domain_hint" parameter. "domain_hint" is used by some OpenID Connect providers to make the login process easier for users. Check with your provider to see whether they support this parameter.

Authentication Method (auth_oidc | loginflow): Authorization Code Flow (recommended). Using this flow, the user clicks the name of the identity provider (see "Provider Name" above) on the Moodle login page and is redirected to the provider to log in. Once successfully logged in, the user is redirected back to Moodle where the Moodle login takes place transparently. This is the most standardized, secure way for the user to log in. Resource Owner Password Credentials Grant: Using this flow, the user enters their username and password into the Moodle login form like they would with a manual login. This will authorize the user with the identity provider, but will not create a session on the identity provider's site. For example, if using Office 365 with OpenID Connect, the user will be logged in to Moodle but not the Office 365 web applications. Using the authorization request is recommended if you want users to be logged in to both Moodle and the identity provider. Note that not all identity providers support this flow. This option should only be used when other authorization grant types are not available.

User Restrictions (auth_oidc | userrestrictions): (default: empty). Only allow users to log in that meet certain restrictions. How to use user restrictions: Enter a regular expression pattern that matches the usernames of users you want to allow. Enter one pattern per line. If you enter multiple patterns, a user will be allowed if they match ANY of the patterns. The character "/" should be escaped with "\". If you don't enter any restrictions above, all users that can log in to the OpenID Connect provider will be accepted by Moodle. Any user that does not match any entered pattern(s) will be prevented from logging in using OpenID Connect.

By Sanjeev Kumar user 10 Aug 2018 at 5:04 a.m. CDT

Client registration settings for Moodle in Gluu:

Inum: @!BB17.0EF1.B4AB.CF3A!0001!61D8.EA6E!0008!C3A3.A3A1.8CB1.91F8
Client Name:* Moodle_test1
Client Description: 2nd moodle test client
Application Type:*
Pre-Authorization:*
Persist Client Authorizations:*
Logo URI: (not set)
Client URI: (not set)
Policy URI: (not set)
Terms of Service URI: (not set)
JWKS URI: (not set)
JWKS:
Sector Identifier URI: (not set)
Subject Type:*
JWS alg Algorithm for signing the ID Token:
JWE alg Algorithm for encrypting the ID Token:
JWE enc Algorithm for encrypting the ID Token:
JWS alg Algorithm for signing the UserInfo Responses:
JWE alg Algorithm for encrypting the UserInfo Responses:
JWE enc Algorithm for encrypting the UserInfo Responses:
JWS alg Algorithm for signing Request Objects:
JWE alg Algorithm for encrypting Request Objects:
JWE enc Algorithm for encrypting Request Objects:
Authentication method for the Token Endpoint:
JWS alg Algorithm for Authentication method to Token Endpoint:
Default Maximum Authentication Age: (not set; value in seconds)
Require Auth Time:
Redirect Login URIs: http://192.168.185.107/moodle/auth/oidc/
Post Logout Redirect URIs:
Claim Redirect URIs:
Scopes: address clientinfo email mobile_phone openid permission phone
Response Types: code
Grant Types: authorization_code
Contacts:
Default requested Authentication Context Class Reference values:
Initiate Login URI: (not set; an https URI that a third party can use to initiate a login by the RP)
Request URIs:
Authorized JavaScript Origins:
Front Channel Logout URI:
Logout Session Required:*
Include Claims In Id Token:*
Refresh Token Lifetime: (not set; value in seconds)
oxd Id: (not set)
Disabled:

By Ganesh Dutt Sharma Account Admin 11 Aug 2018 at 10:02 a.m. CDT

Hello Sanjeev, thanks for your patience. Please add these changes as well to your OpenID client in your Gluu-Server:

```
Scopes: address email openid permission phone profile user_name
Response Type: code token id_token
Grant Types: authorization_code implicit refresh_token
Authentication method for the Token Endpoint: client_secret_post
Application Type: Web
Pre-Authorization: True
```

After this, please let us know if it works.

---
Thanks
Ganesh
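The settings Ganesh lists are the ones an OpenID Provider compares against each authorization and token request before it will issue tokens. The check below is an added illustration for this thread (not Gluu or Moodle code) that lists such mismatches for a client registration: the "before" and "after" registrations are constructed from the two posts above, the Moodle request is an assumed authorization-code request for the scopes in Ganesh's first reply, and the token endpoint auth method in the "before" registration is an assumption, since the thread does not show it.

```python
# Added illustration for this thread (not Gluu or Moodle code): pre-flight
# check of an OpenID Connect client registration against the requests the
# relying party (RP) will send. Sample values are constructed from the thread.

# OIDC Dynamic Client Registration: each response_type needs a grant type.
RESPONSE_TYPE_GRANTS = {"code": "authorization_code",
                        "id_token": "implicit",
                        "token": "implicit"}

def check_client(registration, request):
    """Return the mismatches an authorization server would reject; [] if the
    RP's request is consistent with what the client is registered to do."""
    problems = []
    # redirect_uri must equal a registered value exactly (scheme, host, path,
    # trailing slash); prefix or host-only matching is not allowed.
    if request["redirect_uri"] not in registration["redirect_uris"]:
        problems.append("redirect_uri not registered exactly: " + request["redirect_uri"])
    # every token in response_type must be registered, with its grant type enabled
    for rt in request["response_type"].split():
        if rt not in registration["response_types"]:
            problems.append("response_type not registered: " + rt)
        grant = RESPONSE_TYPE_GRANTS.get(rt)
        if grant and grant not in registration["grant_types"]:
            problems.append("response_type %s needs grant_type %s" % (rt, grant))
    # scopes requested beyond what the client may be granted
    missing = sorted(set(request["scope"].split()) - set(registration["scopes"]))
    if missing:
        problems.append("scopes not allowed for this client: " + " ".join(missing))
    # the RP must authenticate to the token endpoint the registered way
    if request["token_endpoint_auth_method"] != registration["token_endpoint_auth_method"]:
        problems.append("token endpoint auth method mismatch: RP uses "
                        + request["token_endpoint_auth_method"])
    return problems

# Constructed from Sanjeev's registration post; the auth method is not visible
# in the thread, so client_secret_basic is an assumption here.
BEFORE = {"redirect_uris": ["http://192.168.185.107/moodle/auth/oidc/"],
          "response_types": ["code"], "grant_types": ["authorization_code"],
          "scopes": "address clientinfo email mobile_phone openid permission phone".split(),
          "token_endpoint_auth_method": "client_secret_basic"}
# Constructed from Ganesh's suggested settings.
AFTER = {"redirect_uris": ["http://192.168.185.107/moodle/auth/oidc/"],
         "response_types": ["code", "token", "id_token"],
         "grant_types": ["authorization_code", "implicit", "refresh_token"],
         "scopes": "address email openid permission phone profile user_name".split(),
         "token_endpoint_auth_method": "client_secret_post"}
# Assumed authorization-code request from Moodle for the scopes in the first reply.
MOODLE_REQUEST = {"redirect_uri": "http://192.168.185.107/moodle/auth/oidc/",
                  "response_type": "code", "scope": "openid profile email",
                  "token_endpoint_auth_method": "client_secret_post"}

if __name__ == "__main__":
    for label, reg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_client(reg, MOODLE_REQUEST) or "OK")
```

The check does not reproduce the exact error in the opening post; it shows which registered values the server can refuse on, so each can be compared with the RP's request before looking further into Moodle.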

By Sanjeev Kumar user 14 Aug 2018 at 5:21 a.m. CDT

Thanks Ganesh ji, we have entered the values as you mentioned and it is redirecting from Moodle to the Gluu login page. But when we enter the user ID and password in Gluu, which are there in the Gluu LDAP, it gives the error below: "Invalid login: User not found in Moodle. If this site has the "authpreventaccountcreation" setting enabled, this may mean you need an administrator to create an account for you first." As per our understanding, a user in the Gluu LDAP should be allowed access to Moodle after authentication through Gluu; we need not have the user created in Moodle itself. One more thing: how do we assign a group of users in Gluu to the Moodle client (i.e. Moodle test) who can access it after authentication through OpenID Connect? Thanks in advance.

By Ganesh Dutt Sharma Account Admin 15 Aug 2018 at 9:17 a.m. CDT

Hello, we know that Moodle creates the respective user once a user successfully authenticates to the OpenID server. Our test environment was: 3.4.1+ (Build: 20180125). So, next, it could be inside Moodle. Maybe you can try on the latest version of Moodle if you face the same error.

---
Thanks
Ganesh

By Sanjeev Kumar user 16 Aug 2018 at 2:04 a.m. CDT

Thanks Ganesh, we have upgraded to Moodle 3.5.1, but are still having the same error. We are completely blank about how to assign a user in Gluu to access Moodle through OpenID Connect. Please guide us, as we have been stuck here for almost 15 days.


By Mohib Zico Account Admin 29 Aug 2018 at 8:39 a.m. CDT

Sanjeev, Ganesh assigned me this task, but I haven't managed to allocate time for community issues. Please bear with me; I'll start testing it as soon as I can manage some time.

By Mohib Zico Account Admin 17 Oct 2018 at 8:40 a.m. CDT

Seems like there are some issues with the Microsoft Moodle plugin which is included in the doc. We might need to update to something different. Will try to find something if I can manage some time.