CCLE-Moodle: What to try if users can't login

Moodle users need to authenticate using UCLA’s Shibboleth service. If there is a problem in the authentication chain, users will not be able to login.

Since there is a number of steps in the chain of applications behind the CCLE, the problem could be caused by any one of a number of steps.

When Moodle is up and working but not able to authenticate using Shibboleth properly, users will have a 15-20 second delay and see the following message in a pink error box:

“You seem to be Shibboleth authenticated but Moodle didn’t receive any user attributes. Please check that your Identity Provider releases the necessary attributes (‘HTTP_SHIB_EDUPERSONPPN’, ‘HTTP_SHIB_GIVENNAME’, ‘HTTP_SHIB_CN’ and ‘HTTP_SHIB_UCLAOFFICIALEMAIL’) to the Service Provider Moodle is running on or inform the webmaster of this server.”

There are two Moodle environments:

• PROD (Production http://ccle.ucla.edu)
• DEV (Development http://dev.ccle.ucla.edu)

Below is a test process. The goal is to capture information at each step and send it to the appropriate people.

Test Process
1. Try logging into PROD yourself

• This will tell you if the problem is with the individual user’s account or is more wide-spread

2. Try logging into DEV

• This will tell you if the problem is specific to PROD

3. Try logging into Moodle with a local account, such as an Admin account or the janebruin test account

• This will tell you if Moodle is partially working correctly

4. Try the Shibboleth test applications found near the bottom of this page: http://kb.ucla.edu/articles/shibboleth
(The WhoAmI? and myEvents applications only work if you are on campus or accessing the application over the VPN.)

• This will tell you if Shibboleth service is working correctly.

myEvents: https://myevents.ucla.edu
WhoAmI?: https://whoa.mi.ais.ucla.edu

Who do I send the information to?
Immediately send all the information to both:

1. CCLE System Operations: Ed Sakabu (edsakabu@ucla.edu)
2. AIS Help Desk (helpdesk@ais.ucla.edu ; evening/weekend phone number: x66951)

Ideally, the e-mail will include details of the problem with supporting information such as error messages, date and time, and/or in which system (i.e., CCLE) the error occurred.

Caution: Even after this testing, the results may not be clear. In a recent episode, testers were not able to log into PROD or DEV, yet were able to confirm Shibboleth was working with WhoAmI? (The issue turned out to be a secondary Shibboleth server not acting properly.)

Explanations for this case.