Passing credentials between sites

Question

I am running two different sites on two different servers with two different domains. One site is running Joomla, the other Moodle. I have configured the Moodle server to base its authentication on the users table on the Joomla site, so we have an authoritative source of user information.

What I'd like to do is this: after someone signs in to the Joomla site, provide a link to the Moodle site which will silently log them in, kind of faking a single-sign-on solution. The passwords in Joomla are MD5'd and each has its own secret salt.

The first thought at how to tackle this was to tell Moodle that the passwords were being stored in plain text, then via a hidden form input, send the encrypted password when they click the link. Aside from the obvious security issues with that, it also meant that should they try to log in via the Moodle interface, they'd need to enter a giant MD5 string, since that's what Moodle thinks their password is.

I've been considering changing the authentication module in Moodle so that if the submitted password matches certain criteria (eg: it's 32 hex characters), then don't MD5 it before comparing to the Joomla version - the problem with that is that anyone could (upon discovering the encrypted password) then use that to log in. What I need is some special way to send the encrypted password from Joomla to Moodle and to signal to Moodle to treat that login request differently.

Any thoughts?

Answer 1

You can do the following for a Secure single-sign-one solution :

• Generate a random (with PRNG) token based for Joomla user (store this )
• Send this token internally (via a web service etc., -keep it over HTTPS-, or local data source) to Moodle
• While sending this token also you should inform Moodle about the userid which token is belong to (therefore send token + userid)
• Store this token + userid in the Moodle
• Create a link with this token in Joomla with this token (you can use querystring as soon as you expire the token after first usage but POST is a better idea)
• When you see this token in Moodle, log the associated user in and expire the token (so it'll be safe against replying attacks etc.)

Answer 2

If you're using Joomla! 1.5, don't forget user plugins. Take a look at plugins/user/example.php. You can capture the password during the onLoginUser event which may help you bridge the systems.

Answer 3

Could you use Pro Moodle (http://www.promoodle.com/) or JFusion (http://www.jfusion.org/) both of which proport to create a single sign on system for Joomla / Moodle system.

There is also a guide located here: http://myjoomlaextensions.com/images/fbfiles/files/MoodleBridge.pdf to "bridge between Moodle and Joomla.

There is a guide to modifying the Moodle code to create a single sign on system here: http://moodle.org/mod/forum/discuss.php?d=45126#211486 (use with caution!).

Your milage may vary trying to use these solutions across different domains.