Олег Давидович: 1 версия импортирована

2024-10-18T06:43:00Z

1 версия импортирована

← Предыдущая версия	Версия от 06:43, 18 октября 2024
(нет различий)

1>Openumlaut: Added line for email login support (3.11.5)

2022-01-20T14:45:29Z

Added line for email login support (3.11.5)

Новая страница

{{Workplace}}
=Overview=

Moodle Workplace supports different authentication configurations for each tenant. Currently, the following authentication plugins support multi-tenancy:
*[[Multi-tenancy authentication#Manual accounts|Manual accounts]]
*[[Multi-tenancy authentication#Email-based self-registration|Email-based self-registration]]
*[[Multi-tenancy authentication#OAuth 2|OAuth 2]]
*[[Multi-tenancy authentication#SAML|SAML]]
[[Managing authentication|Authentication plugins]] are managed by the administrator. The multi-tenancy awareness is indicated via the Multi-tenant label next to each authentication plugin
[[File:Multi-tenancy - Manage authentication.png|border|center|frameless|900x900px|alt=]]

There are various places to configure settings for authentication plugins:
* Site-wide common settings: '''Site administration > Plugins > Authentication > Manage authentication'''. Site-wide common settings apply to all plugins, if applicable, for example, "Allowed email domains". Any common settings that can be overridden at tenant-level can be locked via the '''Force for all tenants settings'''. Or, looking at it the other way round, it also can be used as an indication of which settings are configurable per tenant.[[File:Multi-tenancy - Force common settings.png|border|center|frameless|900x900px|alt=]]
* Site-wide plugin settings: '''Site administration > Plugins > Authentication > Manage authentication > [Plugin] > Settings'''. Most authentication plugins offer a range of site-wide settings.
* [[Multi-tenancy#Tenant Authentication|Tenant-specific common settings]]: '''Site administration > Users > Organisation > Manage tenants > [Select tenant] > Authentication > Common settings'''. Here, you can override the site-wide common settings and adjust them for the tenant at hand.
* [[Multi-tenancy#Tenant Authentication|Tenant-specific plugin settings]]: '''Site administration > Users > Organisation > Manage tenants > [Select tenant] > Authentication > [Plugin] > Settings'''
Any plugin enabled at tenant level that is able to create new accounts will do so in the tenant where it has been configured. Authentication plugins not supporting multi-tenancy will create users in the default tenant. To provide a degree of multi-tenant support for auth plugins not supporting multi-tenancy, a [[Dynamic rules|Dynamic rule]] has to be created to allocate users to different tenants based on some conditions.
= Multi-tenant authentication plugins =
== Manual accounts ==
When configuring manual accounts at the tenant level, you can override the predefined lock values for each data field. When '''Custom''' is selected, you have to choose between the three locking options '''Unlocked''', '''Unlocked if empty''', and '''Locked'''.
[[File:Multi-tenancy - Authentication Manual accounts.png|border|center|frameless|900x900px|alt=]]
== Email-based self-registration ==
When configuring email-based self-registration at the tenant level, you can override the predefined lock values for each data field. When '''Custom''' is selected, you have to choose between the three [[Managing authentication#Profile fields data mapping and locking|locking]] options '''Unlocked''', '''Unlocked if empty''', and '''Locked'''.
== OAuth 2 ==
The standard [[OAuth 2 services|OAuth 2]] plugin has been extended by a Tenant availability feature which can be accessed via '''Site administration > Server > OAuth 2 Services''' or directly from the tenant settings in the Authentication tab.
[[File:Multi-tenancy - OAuth2 Settings.png|border|center|frameless|994x994px|alt=]]

A new icon labelled Tenant availability has been added to the actions list. Once this has been selected, you can choose between the following self-explanatory options:
* This service is available to all tenants (including future ones)
* This service is available only to the following tenants: <select one or many tenants>
* This service is available to all tenants except the following: <select one or many tenants>
[[File:Multi-tenancy - OAuth2 Tenant availability.png|border|center|frameless|900x900px|alt=]]
== SAML ==
Multi-tenancy support for third-party [https://moodle.org/plugins/auth_saml2 SAML authentication plugin] has been added to the Moodle Workplace codebase. That is, you will need to [[Installing plugins|install]] the plugin as usual before the added multi-tenancy options can be configured.

You can limit IDPs to individual tenants and also configure fields locking per tenant. The following multi-tenancy features have been added to the SAML plugin:
* SAML2 appears in the list of available authentication plugins on the tenant page. Individual tenants can enable or disable the plugin and also override fields locking.[[File:lock-user-fields-per-tenant.png|border|center|frameless|900x900px|alt=]]
* Force for all tenant options have been added to the Data mapping section on the SAML2 configuration page ('''Site administration > Plugins > Authentication > SAML2''').
* Identity providers in SAML2 can be limited to individual tenants. To access its selection, go to the SAML2 settings on the Authentication tab of a tenant. Then select '''Manage available Identity Providers (IdPs)''' from the SAML2 section and press the '''Edit tenant availability''' button where you can choose between the following self-explanatory options:
* This service is available to all tenants (including future ones)
* This service is available only to the following tenants: <select one or many tenants>
* This service is available to all tenants except the following: <select one or many tenants>[[File:SAML2-tenant-availability.png|border|center|frameless|900x900px|alt=]]
= Login and signup tenant selector =
Moodle Workplace offers a site selector on the login and signup pages to select the correct tenant on the authentication page. To enable the site selector, go to '''Site administration > Plugins > Authentication > Manage authentication''' and enable the setting '''Show tenant selector on the login page'''.
[[File:Multi-tenancy - Tenant selector admin.png|border|center|frameless|900x900px|alt=]]

Each tenant’s visibility of the selector can be configured in the tenant settings ('''Show this tenant in the login selector'''). Once enabled, the site selector is shown in the bottom-right corner of the login and signup pages a few seconds after the page loads. When selecting the '''Change site''' option, a modal window will be shown where the user can select an alternative tenant.
[[File:Multi-tenancy - Login selector.png|border|center|frameless|900x900px|alt=]]

The authentication buttons on the login page are configured in the [[Multy-tenancy authentication#OAuth 2|OAuth 2 services]] settings. Depending on the tenant availability selection ('''available to all tenants (including future ones)''', '''available only to the following tenants'''…, or '''available to all tenants except the following'''…), different authentication buttons will be shown for different tenant login pages.

Users can login using an email address if their email is not unique across the site, but is unique in the tenant selected in the login screen.

Multi-tenancy authentication - История изменений

Олег Давидович: 1 версия импортирована

1>Openumlaut: Added line for email login support (3.11.5)