Authentication

Authentication via external servers

By default, a user of your ILIAS installation is authenticated when logging in using the personal data in the ILIAS database, i.e. their log-in is checked for validity. However, there may be scenarios in which it is of interest to manage user IDs in a central location outside of ILIAS. External servers, e.g. so-called LDAP servers, are used for this purpose.

  1. Click on Administration in the main menu.
  2. ILIAS opens a context menu. Select the Accounts and roles entry.
  3. ILIAS opens a submenu. Select the Authentication/new login entry here. 
  4. Click on the Authentication tab.
  5. Here you can choose between the standard ILIAS database and an external server, e.g. an LDAP server, and configure it in the "LDAP" tab (see chapter Specifying the basic details of an LDAP interface).
  6. Click on Save.

Note: For all authentication methods that are not carried out via the ILIAS database, the login name and password can no longer be changed in ILIAS!

In addition to LDAP, there are also other authentication concepts that are supported by ILIAS, namely Shibboleth (see also http://shibboleth.internet2.edu/), CAS (Central Authentication Service, see also http://www.ja-sig.org/wiki/display/CAS/Home). These technologies sometimes offer higher security or additional functionality that LDAP does not have. However, the basic purpose of the application is the same.

For information on the options for authentication via the Apache server itself, see chapter Setting up certificate-based single sign-on.

Authentication via external servers: Sequence

Instead of fundamentally changing the authentication, you also have two more differentiated options:

For roles that you make available to self-registrants for selection, you can specify that an external authentication mode is to be applied to the assigned ILIAS accounts. Users who select the corresponding role during self-registration are then automatically logged in after registration if they actually exist on the external server.

  1. Call up the Authentication tab in the Authentication/new login dialog.
  2. In the lower section of the view you will find Available global roles on the registration form. Select the desired authentication mode for the role(s) in question.

The authentication mode used can also be set (or changed again) in individual ILIAS accounts:

If you offer several authentication modes in parallel, you must decide how the mode to be used is determined for a specific login process. There are two alternatives:

  • By the user: In this case, a selection option appears on the login page for the user to choose which mode should be used for authentication.
  • In a fixed order: In this case, ILIAS queries the authentication sources provided one after the other.

Design login page

The login page of your ILIAS installation can be enhanced with information about login and registration processes. An editor is available for this purpose, which you can use to display text, media objects and other page elements on the login page. Since several languages may be available on your ILIAS installation, a separate version of the login page information can be created for each language; the version shown is the one for the language that the (anonymous) user selects on the login page.

Note: Separate, editable fields are available for all installed languages; when the URL of your installation is called up, the version for the language that the (anonymous) user selects on the login page is displayed. The login page is not the first page shown if you have enabled a public area (see the Anonymous and public area section).

To provide information for the login page, proceed as follows:

  1. Click on Administration in the main header and select the Authentication and new login option.
  2. Use the submenu to switch to the Login information view.
  3. ILIAS displays a list of the installed languages (see also chapter Activating and managing language versions of the user interface). For each language, ILIAS shows whether the editor has already been activated for it.
  4. For the language for which you want to provide information, click on Edit in the "Actions" column.
  5. ILIAS displays a page that you can edit with the ILIAS editor.
  6. As soon as you have finished, you can return to the language version overview via "Back" at the left end of the tab bar.
  7. Now select the language you have just edited in the checkbox next to its title and click on the Activate editor for selected language button on the left above or below the table. Only then will the entered content be visible on the respective language version of the login page.

Instead of the ILIAS editor, a rich text editor can also be used to design the login page (as in previous versions of ILIAS). To use it, click on Use rich text editor above the table, and you can also return to using the ILIAS editor; any content you have previously entered will be retained in any case.

LDAP

Specify the basic details of an LDAP interface

In the LDAP tab, you have the option of entering an LDAP server with all the necessary details as the authentication source for your users.

The following minimum information is required to be able to use the functionality at all:

  • An (arbitrary) name of the LDAP configuration must be entered; this is used to manage the specific connection from the LDAP server to this ILIAS installation.
  • The complete URL for the connection to the LDAP server, e.g. "ldap://ldap.ilias.de:389", must be specified. Multiple servers can be specified separated by commas. The servers are then contacted using the round-robin method, i.e. ILIAS cycles through the listed servers one after the other, so that the load is shared between them and no single server is used exclusively.
  • Under BaseDN, a directory level of the LDAP server must be specified on which the relevant ILIAS accounts are to be searched for.
  • In the Authentication settings section, the attribute name of the login accounts must be specified, i.e. the variable under which the login names are listed on the LDAP server.

Further possibilities of the LDAP interface

With these minimum settings, ILIAS can check on the LDAP server whether the entered login name exists and whether the correct password has been entered, but once it has been successfully activated, the LDAP interface offers many more options, e.g:

  • Automatic assignment and updating of ILIAS accounts from the LDAP directory:
      1. To do this, switch to the Assignment of profile data view via the submenu.
      2. Enter the corresponding column title of the LDAP attribute in the input field of a data field to be assigned.
      3. This will transfer the content of the field to ILIAS the first time the person logs in.
      4. If you want any subsequent changes in the LDAP directory to be automatically synchronized in ILIAS, also check the Automatically update option.
      5. Save.
    Note: It is also possible to use an LDAP server only as a data source, i.e. to have the authentication run via another external authentication instance (see paragraph above), but to have data fields in ILIAS automatically matched with the corresponding entries on an LDAP server. To do this, select the Use as data source option when configuring the connection to the LDAP server.
  • Automatic assignment of roles based on data from the LDAP directory
    1. To do this, switch to the Role assignment view via the submenu.
    2. Create one or more rules for the assignment there, which will then be executed automatically the first time the person logs in:
      • Assignment of global or local role: A selection menu is available for the global roles of the ILIAS installation, whereas the name must be entered manually for local roles; automatically created roles such as in courses or groups can be entered here with their identifier, e.g. il_crs_member_1234.
      • Automatic updating of the role assignment even for subsequent logins: If the rule has already been changed at this point, you can add missing roles or remove roles that can no longer be assigned ("unauthorized").
    3. To finish, click on Create new rule. ILIAS displays the new rule in the table below the form, where it can also be deleted or edited.
  • Automatic assignment of LDAP groups based on ILIAS roles:
    1. To do this, use the submenu to switch to the Assignment ILIAS roles » LDAP groups view.
    2. Under Connection type, enter the name of an LDAP account that has write access to the groups to be updated.
    3. Enter the complete DN of the LDAP group under Group DN.
    4. Under Attribute name of group members, enter the attribute name to which the group members are assigned. Select 'Attribute value is DN' if the member names are created as DN.
    5. Enter the name of the ILIAS role that is to be used to control LDAP group membership.
    6. Save.


OpenID

Use decentralized external authentication: OpenID basics

Since version 4.1, ILIAS also offers the option of decentralized external authentication via OpenID:
 
"OpenID [...] is a decentralized authentication system for websites and other web-based services. It allows a user who has logged in to his so-called OpenID provider once with a login name and password to log in to all websites and services supporting the system using only the so-called OpenID (a URL) without a login name and password. [...] An OpenID identity is required to log in with OpenID. Such an identity is provided by an OpenID provider. Due to the decentralized architecture of OpenID, there are many different OpenID providers. [...] The software, which is provided almost exclusively under open source licenses, can be installed on your own server. This means that anyone can become an OpenID provider with relatively little effort. [...] An OpenID identity has the form of a URL. The login name is usually a subdomain of the OpenID provider: loginname.example.com. Some providers also use the login name as the path in the URL: example.com/loginname." (from: http://de.wikipedia.org/wiki/OpenID, as of 26 Oct 2010)
Note: Basic information on OpenID can be found at http://openid.net/. A list of OpenID providers can be found at http://en.wikipedia.org/wiki/OpenID_providers.

To enable such decentralized external authentication via OpenID providers, click on Administration in the main header bar, select the option Authentication/new login and proceed as follows:

  1. Switch to the OpenID tab.
  2. Activate OpenID support and save.

This already enables the basic functionality, as the provider "MyOpenID" is entered in ILIAS as a standard option. Users will now find an additional login option "Log in to ILIAS using OpenID" on the login page below the usual login screen, where the OpenID login name and the provider used by the user are requested; the "MyOpenID" service is available for the latter.

OpenID: Further options

The OpenID interface offers the following expansion options:

  • Instead of a selection list of accepted providers, you can also allow the address of a provider freely chosen by the person registering to be entered. To do this, select the Free provider selection option.
  • You can activate other OpenID providers accepted by your ILIAS installation. Proceed as follows:
    1. Switch to Provider selection via the submenu of the OpenID tab.
    2. Click on Create new provider above or below the table.
    3. Assign a (freely selectable) title to the provider and enter its OpenID URL. Instead of the individual login name, you can use the placeholder "%s", e.g. http://%s.myopenid.com.
  • Finally, you have the option of specifying how ILIAS reacts if no ILIAS account exists for the login name used when logging in under OpenID authentication. Two cases are conceivable here:
    • There is no ILIAS account yet. In this case, you can allow one to be created automatically when you log in if authentication was successful. Proceed as follows:
      1. Select the Automatic synchronization option.
      2. Specify which global role should be automatically assigned to such an ILIAS account.
    • There is already an ILIAS account, but its name does not match the name component of the OpenID URL, in which case you can allow existing ILIAS accounts to be converted to OpenID authentication. After successful authentication, people can then choose whether a new ILIAS account should actually be created according to their OpenID URL or whether an existing account should be linked to the OpenID URL (in the latter case, the login name and password must be entered again for the existing account). To do this, also select the Account migration option.
    • In any case, save at the end.


Apache

Set up certificate-based single sign-on: Basics

In ILIAS, Apache authentication can be used for external authentication. There are currently two options:

  • Direct assignment: A field from the so-called "server array" can be specified here, which contains the login name after successful authentication. This field is read if the criteria "Indicator field" and "Indicator value" apply.
  • Assignment by own function: This is similar to variant 1, but offers the option of determining the login name yourself. You will find an empty function for this under Services/AuthApache/classes/custom_username_func.php, which you can program accordingly. This function must return a valid login name. If necessary, it must also ensure that "Indicator field" and "Indicator value" are set accordingly if this is not done automatically.

Two typical applications of these options are:

  • Certificate-based single sign-on: This enables users to log in to ILIAS with a software token (client certificate installed in the browser) or a hardware token (e.g. a smartcard). An additional function is the automatic generation of new ILIAS accounts. A special feature of this variant of external authentication is that users can access content via a direct link without being redirected to the login page.
    • This method uses X509v3 client certificates. An external PKI is required to manage the certificates. The certificate is checked during the initialization of an SSL connection. For this reason, certificate-based SSO requires proper configuration of the Apache web server with mod_ssl and client authentication enabled: the Apache web server is configured to require a client certificate for a specific directory (<ILIAS>/sso). If a valid certificate is sent, the "SSL_CLIENT_VERIFY" field in the server array (see option 1 above) is set to "SUCCESS", and Apache places the information from the certificate in another field. Together with the setting "Assign usernames by custom function", a login name can then be determined from these values. This makes it clear that ILIAS does not carry out the actual authentication; this is done by the Apache web server or, more generally, externally.
  • Signed login link: A link is generated by an external system that contains the login name, a validity timestamp and a signature. The signature ensures that the link was created by that system and has not been changed (e.g. the login name cannot be altered even though it appears in plain text in the link; if it were changed, this would be detected by the signature check and the login process would be aborted).
    • As the authentication in this case is not performed by the Apache web server, no field is set in the server array. This is done manually in "custom_username_func.php". The server administrator can therefore freely choose the two indicator fields (name and value), but must ensure that they are set by the programmer.
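The signed-link variant above relies entirely on the check that the custom username function performs. The following example, added here and not taken from ILIAS, shows that check in Python: the login name and expiry timestamp travel in plain text, an HMAC over exactly those fields is the signature, and a link that is expired, truncated or altered yields no login name. The parameter names (login, valid_until, sig), the HMAC-SHA256 scheme and the shared secret are assumptions.

```python
"""Signed login link: build (external system side) and verify (web server side).

Example code added to illustrate the scheme described above; it is not the
ILIAS custom_username_func.php. Parameter names and the HMAC-SHA256 scheme
are assumptions, and the secret below is a constructed value."""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret shared by the external system and the web server.
SHARED_SECRET = b"constructed-example-secret-do-not-reuse"


def _signature(login: str, valid_until: int, secret: bytes = SHARED_SECRET) -> str:
    # Sign exactly the fields the receiver checks, joined by an unambiguous separator,
    # so neither field can be moved or swapped without invalidating the signature.
    msg = f"{login}\n{valid_until}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_login_link(base_url: str, login: str, ttl_seconds: int,
                     now: Optional[int] = None) -> str:
    """External system side: produce a link valid for ttl_seconds from now."""
    now = int(time.time()) if now is None else now
    valid_until = now + ttl_seconds
    query = urlencode({"login": login, "valid_until": valid_until,
                       "sig": _signature(login, valid_until)})
    return f"{base_url}?{query}"


def verify_login_link(url: str, now: Optional[int] = None) -> Optional[str]:
    """Receiving side (what the custom username function has to do).

    Returns the login name only if the link is complete, unexpired and carries a
    valid signature; None in every other case, which aborts the login."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlsplit(url).query)
    try:
        login = params["login"][0]
        valid_until = int(params["valid_until"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None  # missing or malformed field
    if now >= valid_until:
        return None  # validity timestamp has passed
    expected = _signature(login, valid_until)
    # Constant-time comparison so the check does not leak the expected value via timing.
    if not hmac.compare_digest(expected, sig):
        return None  # login name, timestamp or signature was altered
    return login


if __name__ == "__main__":
    t = 1_700_000_000  # fixed "now" so the demonstration is reproducible
    link = build_login_link("https://ilias.example/sso", "jdoe", 300, now=t)
    print(link)
    print(verify_login_link(link, now=t))                      # jdoe
    print(verify_login_link(link, now=t + 301))                # None (expired)
    print(verify_login_link(link.replace("login=jdoe", "login=admin"), now=t))  # None
```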

In the following, we assume that you are using the "Direct assignment" variant.

Set up certificate-based single sign-on: Procedure

To set up Apache authentication, proceed as follows:

  1. Switch to the Apache tab.
  2. Activate the Apache authentication.
  3. Now enter the indicator field (field from the server array that is compared with the indicator value to determine successful authentication) and indicator value.
  4. Finally, select the Direct assignment option under Configuration for login names.

If a login name is determined that is not yet known in the system, a new ILIAS account with the determined name can be created automatically. To do this, also select the option Activate automatic account creation and define the role that is assigned to an automatically created ILIAS account.
There are two ways to force an alternative behavior when the ILIAS installation is called up (this is recommended because the persons do not log in themselves, as the certificate-based SSO takes place in the background):

  • Overwrite default login page:
    If activated, a separate entry page without login fields can be specified via URL; instead of the ILIAS login page, you will be redirected to the specified URL.
  • Automatic authentication attempt when entering the login page:
    If activated, authentication is started automatically as soon as you enter the login page; after an ILIAS account has been created automatically and the person has accepted the user agreement, he or she is first redirected to the profile. Once the profile fields have been completed and saved, the person is automatically redirected to the page originally requested.


ILIAS-Auth / Self-registration

Independent login to ILIAS

ILIAS offers various self-registration options to reduce the amount of work involved in managing ILIAS accounts.
These can be set depending on the objective, in particular taking into account security aspects.

Allow independent registration without restriction

By selecting the corresponding option Allow direct registration in the Registration type area, you give people the opportunity to register independently as users if they are interested in the content of your installation.

Users can now create their own access to the learning platform. To do this, they click on the link Register a new ILIAS account:

An input form appears in which users can enter their data.

Enable independent new registration by manual confirmation

The validity of an independent new registration can also be linked to the release by an administrator of the ILIAS installation, i.e. an account already exists, but it is not yet possible to use the ILIAS installation.

To do this, select the New login with verification option and enter the login names of the users defined as authorized users in the Notifications field. These people will be notified of the new registration via an internal ILIAS e-mail and can then open the ILIAS account and activate the account (see also the section on setting up a new ILIAS account manually).

Save at the end.

The users entered here can also be notified of the new registration when they register directly. Alternatively, since version 4.0, an e-mail confirmation can also be added as an intermediate step for independent new registrations. With this registration method, the new user first receives a confirmation link by e-mail. If this is confirmed, the ILIAS account is automatically activated.

Enable independent new registration by e-mail confirmation

The validity of an independent new registration can also be linked to the release by an administrator of the ILIAS installation, i.e. an ILIAS account is then already available, but it is not yet possible to use the ILIAS installation.

To do this, select the New login with verification option and enter the login name of the person authorized to release the account in the Notifications field. These people will be notified of the new registration via an internal ILIAS e-mail and can then open the ILIAS account and activate the account (see also the section on setting up a new ILIAS account manually).

Save at the end.

The login names entered here can also be notified of new registrations in the case of direct registration. In that case, however, specifying them is optional.

Alternatively, an e-mail confirmation can also be added as an intermediate step for independent new registrations. With this registration method, the person first receives a confirmation link by e-mail. If this is confirmed, the ILIAS account is automatically activated.

Restrict independent login with access code

It is possible in ILIAS to make a registration subject to the condition that a specific, individual access code that can be used only once is entered. In this case, no ILIAS account can be created without a (still) valid code.

In addition, the use of codes can also automatically assign certain roles.

To set a login via codes, proceed as follows:

  1. To do this, select the option Register with codes and save.
  2. Switch to the Registration codes view via the submenu of the New registrations tab.
  3. Click on the Generate codes button.
  4. Specify the role with which the self-enrolment users who use these codes are to be created in ILIAS.
  5. Enter the number of codes to be generated.
  6. Click on the Create button.

You return to the Registration codes view, where the desired number of codes is now listed and for each code you can see when it was created and whether (and when) it was used.

The codes must now be made available to potential users. If you have a large number of codes, this should be done automatically; for this purpose you can use the Export codes button to export them (in .txt format) for further processing, for example with a mail merge program.

Restrict independent login with access code: Application examples

Registration with a code can be used as an alternative to the combination Direct registration (see chapter Allow independent registration without restriction) + Automatic role assignment (see chapter Configure automatic role assignment for new registration): you can then control in a more differentiated way who is created with which role in the system by sending the corresponding code.

Another variant is to use the login with codes only for comparatively powerful roles, but otherwise to allow free role selection. To use this additional function, select Direct registration as the registration type, but activate the additional option Allow codes.

Registration with a code can also be used as an alternative to:

  • Independent new registration with manual activation
  • Independent new registration with e-mail confirmation

(For both options, see also the section entitled "Enabling independent new registration by manual confirmation" or the section entitled "E-mail confirmation".) Persons who have a (still) valid code can then enter it when registering to avoid the delay caused by manual confirmation or the detour via e-mail confirmation and to access the system immediately after registration.
 
To use this additional function, select New registration with verification or Register with e-mail confirmation as the registration type, but activate the additional option Allow codes.

An application example for the second case would be people who do not have (their own) e-mail address, who are not allowed to enter it, or whose security software treats the automatically generated e-mails from ILIAS as spam.

Activate automatic password generation

Password generation can be automated in order to prevent users from entering passwords that are too simple when logging in for the first time (and also later), thereby creating security risks.

You can also activate automatic password generation under Authentication/New user login, which sends the new user their password by e-mail after the first login.

To activate automatic password generation, proceed as follows:

  1. Click on Administration in the main header bar and select the Authentication/new login option.
  2. To activate automatic password generation, select the Password generation option and save.

Configure automatic role assignment for new logins

Users can be automatically assigned a role when they log in independently.

If required, this can also be done according to the e-mail address provided. This means that, for example, in organizations with their own e-mail domain, employees can be assigned different rights from external users from the outset.

In the Automatic role assignment section, you can:

  • prevent independent role selection by self-registrants by activating automatic role assignment;
  • change the automatically assigned role;
  • diversify the role assignment according to the e-mail addresses specified by self-registrants.

To activate the automatic assignment of roles, select the Automatic role assignment option in the Role assignment section.

Note: In the registration form for self-registrants, role selection is no longer available (see also section Creating a new global role); instead, each self-registrant is assigned the selected role by default.

Note: As an alternative to the procedure described here, please also consider the combination Allow direct login + codes. You can then control in a more differentiated way who is created with which role in the system by sending the corresponding code.

Automatic role assignment: Assignment by e-mail domain

To automatically assign a specific role according to the e-mail domain, proceed as follows:

  1. Also click on the Edit button in the Automatic role assignment section.
  2. In the table that is then displayed, initially only the Standard assignment is available, which is used independently of the e-mail domain (see previous page).
  3. To create further assignments, use the New assignment button at the bottom right. Another line is then inserted under "Domain (e.g. '@your_domain.de')".
  4. You now have the option of entering a specific e-mail domain and selecting from the available global roles (except Administrator and Anonymous).
  5. Save.

To cancel an assignment, select the corresponding line via the adjacent checkbox and delete it.

Automatic role assignment: Change assignment

To automatically assign a role other than "User", proceed as follows:

  1. Click on the Edit button in the Automatic role assignment section.
  2. In the table that is then displayed, you have the option of selecting from the available global roles (except Administrator and Anonymous) in the "Default" line:
  3. Save.

Determine automatic acquisition time limit

Roles that are released for self-registered persons of the ILIAS installation can be provided with an automatically enforced time limit on their validity, e.g. the duration of a specific course in which they participate.

Proceed as follows:

  1. Select the Activate time-limited access checkbox in the Time-limited access section.
  2. The roles that are released for self-registered persons of the ILIAS installation and can be used accordingly are then listed.
  3. These roles can now be selected for temporary validity via the Edit button that has also appeared.
  4. You can choose between ...
    • temporary access with a fixed expiration date: The ILIAS account will then be valid until the beginning (0.00 a.m.) of the specified date.
    • a limited access period from the registration date: The ILIAS account will then remain valid for the specified number of days, months and/or years; the time interval begins from the time the registration form is submitted.

Restrict independent registration via e-mail domain

In ILIAS, it is possible to restrict independent login to users who specify a specific e-mail domain, e.g. all those who specify an address ending in "@schneewittchen.de".

To set up such a registration, proceed as follows:

  1. In the Allowed email address domains field, enter all the email domains that you want to accept. If you want to enter several domains, separate them with ";".
  2. Save.

You can use the placeholder "*" to switch off a restriction by e-mail domain: In this case, all domains are accepted.

The option described here can be used as a supplement to all the procedures listed under Registration type. However, it makes most sense to use it in combination with Register with e-mail confirmation, as in this case sending the confirmation link to the specified address ensures that the new user has actually entered their own address.
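The two e-mail-domain settings, the allowed-domains list just described (";"-separated, "*" accepts all) and the domain-based role assignment table with its Default row from the section above, both come down to comparing the part after "@" against a configured list. The example below, added here and not ILIAS's own code, shows that comparison in Python with the checks an administrator would expect: case-insensitive, exact domain match (so neither a subdomain nor "domain.de.attacker.org" passes), and rejection of malformed addresses. Function names and the data structures are assumptions.

```python
"""Allowed e-mail domains and domain-based role assignment for self-registration.

Example code added to illustrate the settings described above; not ILIAS's own
implementation. Function names, the table layout and the sample values are
assumptions and constructed data."""
from typing import Dict, List, Optional


def parse_allowed_domains(setting: str) -> List[str]:
    """'@ilias.de; Example.org;' -> ['ilias.de', 'example.org']; '*' -> ['*'].

    Entries are ";"-separated as in the "Allowed email address domains" field;
    a leading "@" and surrounding whitespace are tolerated, case is ignored."""
    domains = []
    for item in setting.split(";"):
        item = item.strip().lstrip("@").lower()
        if item:
            domains.append(item)
    return domains


def email_domain(address: str) -> Optional[str]:
    """Domain part of user@domain, lower-cased, or None if the address is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def registration_allowed(address: str, allowed_setting: str) -> bool:
    """True if the address's domain is in the allowed list (or the list is '*').

    The comparison is an exact match on the whole domain, so
    'x@evil.ilias.de' and 'x@ilias.de.attacker.org' do not pass for 'ilias.de'."""
    allowed = parse_allowed_domains(allowed_setting)
    domain = email_domain(address)
    if domain is None:
        return False
    if "*" in allowed:
        return True
    return domain in allowed


def assign_role(address: str, table: Dict[str, str], default_role: str) -> str:
    """Role for a self-registrant: the row matching the e-mail domain, else Default.

    `table` maps domain (as typed in the form, e.g. '@your_domain.de') to a role."""
    rules = {key.strip().lstrip("@").lower(): role for key, role in table.items()}
    domain = email_domain(address)
    if domain is None:
        return default_role
    return rules.get(domain, default_role)


if __name__ == "__main__":
    # Constructed settings mirroring the admin form.
    allowed = "@schneewittchen.de; example.org"
    table = {"@schneewittchen.de": "Employee"}
    for addr in ("anna@Schneewittchen.de", "bob@example.org",
                 "eve@schneewittchen.de.attacker.org", "not-an-address"):
        ok = registration_allowed(addr, allowed)
        role = assign_role(addr, table, "User") if ok else "-"
        print(f"{addr:40} allowed={ok!s:5} role={role}")
```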