TI3 - 2021/22 - Must Do - AAD & MFA (+Teams for Education)
| Size | Large |
|---|---|
| Budget Epic Name | CTP Maintenance (tbc - there was a Teams implementation budget this might come out of instead) |
| Jira Epic | Error rendering macro 'jira' : Unable to locate Jira server for this macro. It may be due to Application Link configuration. |
| Feature Lead | Nikola Bozhkov |
| Feature Team | TBC |
AAD & MFA
There is pressure for Moodle to adopt AAD auth in order to get MFA protection as a significant UCL service in light of current situation.
There is much involved in this as ldap sync (AD) allows user creation & profile field syncing - Moodle Integration Manager (MIM) - SITS/CMIS integration and some of these will need discussion with UCC team about enabling syncing of fields from AD to AAD so that we can continue making use of them.
We have a couple of options:
1) Using the full Microsoft O365 plugin suite (auth_oidc)
2) Using auth_saml2 to authenticate against AAD - https://github.com/catalyst/moodle-auth_saml2 / https://moodle.org/plugins/auth_saml2
This had a nice improvement from the OU to improve the experience if already logged in to O365 which would be worth having - https://github.com/catalyst/moodle-auth_saml2/pull/426 - if we don't go with this plugin, it would still be nice to have this kind of behaviour through the selected method.
We should also consider theme impact as login boxes will need to be replaced with a login via AAD button; but we also have guest (no auth) access that will need to continue being supported.
The route we take would depend upon what our Teams for Education plan/desires are. There are a number of plugins out there which might actually get somewhere to offering the BB Collaborate / Zoom replacement experience & other added functionality (e.g. creating/syncing Team membership from Moodle course enrolment).
- https://moodle.org/plugins/mod_msteams
- https://moodle.org/plugins/atto_teamsmeeting
- https://moodle.org/plugins/index.php?q=teams
- https://github.com/Microsoft/o365-moodle/
- https://moodle.org/plugins/local_o365
Some stories were logged into - https://ucldata.atlassian.net/browse/LNA-737
39.preview is configured for auth against AAD dev (or test, not sure, but wasn't prod) will need to re-enable the o365 plugins here - https://git.automation.ucl.ac.uk/moodle/moodle-1819/-/blob/PLUGINS_39_PREVIEW/build.sh#L160-162 - but also need to move towards testing against Moodle 3.11 as we will have upgraded. That was setup with Plamen & Duncan Cooper a while back.
While there's been debate about what the Education Domain wants from Teams, this feature should go and have a look at what's available through a bottom-up approach and demo it to stakeholders who can give a steer rather than wait for anything to come from top-down. If we can get a steer on which plugins this means we want to implement, then we can know which authentication method we can go with. If further development / improvement of any of these plugins is required, that is fine, we will find development capacity / funding for that.
The priority here is to implement AAD rather than the Teams component but these things are intertwined. Likely Teams would be a TI4 thing if AAD can be completed in TI3 (would be very impressive if we did)
P.S. It may be feasible to have both auth plugins running in parallel - ldap auth (e.g to continue sync) & AAD (for users to log in) - but that's not really a long term solution to this.
Out of scope
Acceptance Criteria to include
Outcome / Output that can be measured, and how it will be measured
Supporting documentation linked to page
Depending on the Feature supporting documentation could include user journey maps, interviews with stakeholders, architecture diagrams, UX designs etc. Anything that is additional detail to describe this feature, which will be used by the team as they develop it.
This information is provided by Digital Education
( https://www.ucl.ac.uk/isd/digital-education-team-information ) and licensed under a Creative Commons Attribution-ShareAlike 4.0 International License
