10.6. Institutions

Administration → Institutions

You can use Mahara as multi-tenanted instance. That means that several different institutions can share one Mahara installation. All users from these different institutions can:

  • share portfolio pages with each other
  • give feedback on each other’s pages
  • work collaboratively in groups across institution boundaries

In Administration you can set up as many institutions as you wish. Institution administrators can only administer their users and their institutions but not make any changes to site settings.

You can also set up institutions for different parts of your organisation to use different themes, have different default settings and / or authentication methods.

Note

Even if you use Mahara with one organisation only and do not want to distinguish different departments within your organisation, we recommend you set up at least one institution and not use “No institution”. By setting up at least one institution you will have two more roles available: institution staff and institution administrator.

You can create institution administrator accounts which are less powerful than the site administrator accounts. By having institution administrators, you can allow them to take care of user account creation and group creation etc. without giving them full powers over the site preventing that too many people can make site changes.

10.6.1. Overview

Administration → Institutions → Settings

You see an overview of all institutions that exist on this Mahara installation (site administrator) or that you have access to as institution administrator.

Note

Institution administrators who manage only one institution do not see this page and are taken immediately to the settings for their only institution.

Overview page for institutions

Overview page for institutions

  1. Search: Search for a particular institution by its name and then click the Search button.
  2. Click the Add institution button when you want to create a new institution. This button is only visible to site administrators.
  3. Click the Edit with three dots button to edit institution members, staff and administrators.
  4. Institution: Institutions are listed alphabetically. If you click the institution’s name, you are taken to the contacts page.
  5. Members: Number of registered members in this institution.
  6. Maximum: Maximum allowed members in this institution. If an institution has a maximum set and it is reached, any new members will be rejected. The site administrator and institution administrator receive a notification to take further steps.
  7. Staff: Number of institution members with staff rights.
  8. Administrators: Number of institution members with institution administrator rights.
  9. Click the Manage icon to change institution settings.
  10. Click the Delete icon to delete an institution. You can only delete an institution when there are no members in it.

Note

The institution “No institution” is the default “institution”. It cannot be deleted as it is the standard Mahara site.

10.6.2. Add an institution

Note

Only site administrators can add institutions. However, once an institution exists, institution administrators can change many of the settings.

When you want to add an institution by clicking the Add button on Administration → Institutions → Institutions, you need to provide some basic information for the new institution. You can change all settings later on.

Add a new institution

Add a new institution

  1. Institution name: This field is required. It is the name that all users see throughout the site to identify this institution.

    Note

    An internal ID for the institution is generated automatically. It is displayed on the institution’s settings page once the institution has been saved for the first time.

    institution shortname

  2. Institution expiry date: Tick the Set date checkbox if you want to give this institutuion a specific expiry date. You can then select the year, month and day from the drop-down menus. Institutions do not expire by default.

    • If you specify an expiry date for this institution, once the warning time for institution expiry has been reached, site and institution administrators will receive a otification about this institution’s impending expiry.
    • If the auto-suspend expired institutions option is set, then once the expiry date has been reached, this institution will be suspended automatically, and users of this institution will no longer be able to log in.
    • The warning time for institution expiry and the auto-suspend expired institutions options can be found in the institution settings under Administration → Configure site → Site options.
  3. Registration allowed: Switch to “Yes” when you want to allow self-registration of new users. As institution administrators, you will be asked to confirm that users can join your institution. If you decline, their new account will be associated with “No institution” unless you have the Confirm registration option enabled. When you do not allow registration, nobody can register a new account, ask to join your institution or leave it without your permission.

  4. Confirm registration: Switch to “Yes” if you want to control that no new accounts are created unless the administrator approves the registration. You receive a notification about pending registrations when a new user wants to register.

    Note

    Switching this setting on is recommended for most sites that allow user self-registration to prevent spammers from creating accounts and misusing the site.

  5. Default membership period: You can set how long users will remain associated with this institution per default. Choose an option from the drop-down menu and then specify the number of days, weeks, months or years. After this length of time, the users will be removed from the institution. Users will receive a notification before this time reminding them that they will be removed soon. However, that does not mean that they will lose their account. They will still have that and be associated with “No institution”.

  6. Language: Choose the language from the drop-down menu that you want the users in your institution to use by default.

    Note

    This is a default setting. Users in your institution can choose their own language in their account setting.

  7. Logo: You can upload an image that will be displayed to your institution’s members in place of the standard header logo.

  8. new in Mahara 17.10 Small logo: Upload a square version of your logo that is displayed on small devices.

  9. Theme: Use the drop-down menu to choose the theme that you wish to use for this institution. All pages in that institution will receive that theme. When users from other institutions view portfolio pages that were created in this institution, they will see this institution’s theme on these pages. If Site default is selected, when a site administrator changes the site default theme, the theme for the users of this institution will change, too. You can install more themes in the theme folder on the server. Check out the community-contributed themes. If users are allowed to have page themes, these pages are not affected by theme changes. Mahara also has a configurable theme which allows you to create a theme on the fly.

  10. Page skins: Switch to “Yes” if you want your institution members to use page skins.

    Note

    This feature is only available when the server administrator enabled skins for the site.

  11. Comment sort order: Decide on the sort order of comments on artefacts when they are displayed on a page. You can choose between the following:

    • Earliest: Sort your comments in chronological order showing the oldest comments first and the newest last.
    • Latest: Sort your comments in reverse chronological order showing the newest comments first and the oldest last.
  12. Threaded comments: Display comments on a page in a threaded manner so you can see easily which comment is a reply to which previous comment.

  13. Show online users: If the site administrator allowed the “Online users” side block, you can decide which group of users you want to have displayed for this institution:

    • None: The side block is not displayed to institution members.
    • Institution only: Only institution members are displayed in the side block.
    • All: All users on the site are displayed in the side block.
  14. Require license information: Switch to “Yes” if your institution members need to choose a license for each artefact they upload or create. They can set a default license in their account settings. You only see this option if the site administrator turned on License metadata in the general site settings.

  15. Default license: You can choose a default license for your institution members’ content. They can overwrite this default license in their account settings. You only see this option if the site administrator turned on License metadata in the general site settings. If the site administrator allowed custom licenses, you can enter one using the drop-down menu option “Other license (enter URL)”. This license can then also be used by your institution members.

    Note

    If you are not sure which default license to choose, please consult your organisation’s lawyer or a copyright lawyer.

  16. Default quota: You can set the amount of file quota new users registering with this institution shall have.

  17. Update user quota: Swith to “Yes” if you want to apply the default quota you choose above to all existing institution members.

  18. Allow institution public pages: Switch to “Yes” if you want to allow users belonging to this institution to create portfolio pages and collections that are accessible to the public rather than only to registered users. If you allow public pages, users can also create secret URLs for their pages. Otherwise they cannot.

  19. Maximum user accounts allowed: Specify the maximum number of accounts that can be created in this institution. If you leave this field blank, there is no limit to the number of accounts.

    Note

    When the maximum number of accounts has been reached and another user tries to register for the institution, the site administrator as well as the institution administrator for that institution receive a notification. That allows them to take further steps.

  20. Allow SmartEvidence: Activate SmartEvidence if you want your institution users to work with it.

  21. Locked fields: Switch any value to “Yes” if you don’t want to allow changes to it by users. Disabled switches are for profile fields which are locked in the institution settings for “No institution”. These profile fields are locked at the site level and cannot be unlocked for individual institutions.

    Note

    Locking profile fields such as first name, last name and display name can be beneficial for institutions that wish to always identify their users by their real names and not allow users to choose nicknames.

  22. Click the Submit button to save your changes and create this institution, or click Cancel to abort the creation of this institution.

10.6.2.2. Use the configurable theme

If you do not want to use one of the built-in themes of Mahara or one of the community-contributed themes, you can either build your theme from scratch or use the configurable theme in conjunction with the logo upload.

If you do not upload a custom logo and use the Mahara logo with the configurable theme instead, it changes colour according to the theme background so it is always readable.

Note

The configurable theme is only a display theme. That means that users of the institution in which it is in use see the theme applied to the site and their pages. However, when users from another institution browse the portfolio pages of users from this institution, they do not see the configurable theme, but their own theme.

You can change the configurable theme directly on the institution settings page.

Colour options for the configurable theme

Colour options for the configurable theme

In order to change any of the colours, either provide the hexadecimal color code or choose the colour from the colour picker that becomes available as soon as you click in one of the colour fields.

  1. Theme: Choose the “Configurable Theme” from the drop-down menu and the “Custom theme configuration” options become visible.
  2. Header background: The colour of the header. It is also used as primary button background colour.
  3. Text on header background: The colour of text in the header. It is also used as text colour on primary buttons and the navigation menu icon colour in the header.
  4. Links: The link colour on pages and in the sidebar.
  5. Headings: The heading colour for all headings except in the sidebar.
  6. Navigation background: The colour of the drop-down menu navigation.
  7. Navigation text: The colour of the text / links in the navigation menu.
  8. Reset colours: Switch to “Yes” if you want to go back to the original colours of the configurable theme.
  9. Click the Submit button at the bottom of the page to make your changes.

Note

If you do not see the theme changes immediately when you are logged in as institution member, you may have to clear your browser cache.

Example of a configurable theme

Example of a configurable theme

The numbers on the example page refer to the configurable theme options above.

10.6.3. Edit the site institution

Your Mahara site itself is listed as institution under Administration → Institutions → Institutions. Per default, it has the name “No institution” and you can change certain settings that are applied to the site.

Note

Most settings for the site are made in Administration → Configure site → Site options.

Edit the "No institution" site institution

Edit the “No institution” site institution

  1. Institution display name: This field is required. It is the name that people see when registration is allowed for the site without having to register for a particular institution.

  2. Authentication plugin: You can decide which authentication methods you want to allow. See Edit an institution for more information.

  3. Registration allowed: Switch this option to “Yes” if you want to allow people to register on your site without registering for a particular institution. If you switch this setting on but not the setting Confirm registration, new user accounts do not need approval.

    Note

    Be careful disabling Confirm registration. Spammers can misuse your site and simply create accounts without your knowledge.

  4. Confirm registration: Switch this option to “Yes” if you want to control that no new accounts are created unless the site administrator approves the registration. You receive a notification about pending registrations when a new user wants to register.

  5. Logo: Here you can replace the standard site logo without having to place it in the theme folder on the server. You can upload an image that will be displayed to everyone who is not in an institution.

  6. Page skins: Switch this option on if you want your users who are not in a particular institution to use page skins.

    Note

    This feature is only available when the server administrator enabled skins for the site.

  7. Comment sort order: Decide on the sort order of comments on artefacts when they are displayed on a page. You can choose between the following:

    • Earliest: Sort your comments in chronological order showing the oldest comments first and the newest last.
    • Latest: Sort your comments in reverse chronological order showing the newest comments first and the oldest last.
  8. Threaded comments: Display comments on a page in a threaded manner so you can see easily which comment is a reply to which previous comment.

  9. Allow SmartEvidence: Activate SmartEvidence if you want your institution users to work with it.

  10. Locked fields: Switch any value to “Yes” if you don’t want to allow changes to it by users. Any field that you enable here is locked from editing in institutions.

    Note

    Locking profile fields such as first name, last name and display name can be beneficial for institutions that wish to always identify their users by their real names and not allow users to choose nicknames.

  11. Click the Submit button to save your changes, or click Cancel to discard your changes.

10.6.4. Edit an institution

Administration → Institutions → Institutions → Click the Manage icon next to an institution

Once you have created your institution, you can edit its settings, suspend or delete the institution. You will have to choose at least one authentication method for this institution so that user accounts can be created.

Note

Only site administrators can add, edit and delete authentication methods for an institution and suspend it. An institution can only be deleted if there are no members in it.

You should set up at least one authentication method. Otherwise, nobody can log in to this institution. You can add multiple authentication methods to your institution to account for different users and how they are allowed to authenticate. That means for example for a university:

  • Faculty and students could log in with their standard login and password if that is governed by LDAP / Active Directory (LDAP authentication) or single sign-on such as SAML (SAML authentication).
  • They could also log in via Moodle as that can be added as secondary authentication method for other methods like LDAP or single sign-on (XML-RPC / MNet authentication).
  • Alumni could have their MNet / LDAP authentication changed to the internal authentication once they finish their studies.
  • External assessors who do not have a university login, can be given the internal authentication so that they can receive a login, but the university administration does not have to issue a login which would give them access to other infrastructure as well.

All these then still log in to the same Mahara institution. Alternatively, you could also separate the users into their own institutions on your Mahara installation if that is more appropriate for your use case. This could mean for the above example:

  • Faculty and students log in and are automatically placed into the institution “University”. They see the standard university theme.
  • Alumni are placed into the institution “Alumni” for easier user management as you could have the alumni coordinator manage the users. Having them in a separate institution on Mahara would make it easy to see who an alumni is. Additionally, they could receive a slightly different university theme that is geared towards alumni, and they can also receive different messages on their dashboard.
  • External assessors who are placed into the separate institution “Assessors” could be administered easily by an administrator who is the liaison for them without giving that administrator access to the user management of all other university users. They can receive the standard university theme, but receive different messages on their dashboard.

Before you can use the IMAP, LDAP, SAML or XML-RPC authentication methods, you must install their extensions on your server.

Plugins available for authentication in an institution

Plugins available for authentication in an institution

  1. Once your institution is created, the settings include an additional option, Authentication plugin. You see all authentication methods that are already in use for this institution.
  2. From the drop-down menu choose one of the authentication methods that are available:
  3. Click the Add button to see the configuration screen for an external authentication method before it is added.

Warning

Be careful when choosing the “None” authentication method. This allows anyone to log in. It should only be used for testing purposes.

10.6.4.1. IMAP authentication

You can use this authentication method to receive the login information for your users from your IMAP server.

Set up IMAP authentication

Set up IMAP authentication

  1. Authority name: Enter a descriptive name to help you identify this authority. Preferably, choose a short name. This field is required.
  2. Hostname or address: Specify the hostname in URL form. This field is required.
  3. Port number: Specify the port under which your IMAP server can be reached. The default is 143. This field is required.
  4. Protocol: Select the IMAP protocol you are using by selecting it from the drop-down menu. This setting is required:
    • IMAP
    • IMAP / SSL
    • IMAP / SSL (self-signed certificate)
    • IMAP / TLS
  5. Password-change URL: If your users can only change their password in one central space, provide the URL here.
  6. Click the Submit button to enable this authentication method or click Cancel to abort your changes.

10.6.4.2. LDAP authentication

Use this authentication method to authenticate against an LDAP / Active Directory server.

Set up LDAP authentication

Set up LDAP authentication

  1. Authority name: Enter a descriptive name to help you identify this authentication method. Preferably, choose a short name. This field is required.
  2. Host URL: Specify hosts in URL form, e.g. ldap://ldap.example.com. Separate multiple servers with ; for failover support. This field is required.
  3. Contexts: List the contexts where users are located. Separate different contexts with ;, e.g. ou=users,o=org;ou=other,o=org. This field is required.
  4. User type: Select from the drop-down menu how users are stored in the LDAP directory. This field is required. You can choose between:
    • Novell Edirectory
    • posixAccount (rfc2307)
    • posixAccount (rfc2307bis)
    • sambaSamAccount (v. 3.0.7)
    • MS Active Directory
    • default
  5. User attribute: Enter the attribute used to search for users. It is often cn. This field is required.
  6. Search subcontexts: Select “Yes” if you want to search for the users also in subcontexts. This setting is required.
  7. Distinguished name: If you want to use bind-user to search users, specify it here. It should look something like cn=ldapuser,ou=public,o=org. Leave this blank for anonymous bind.
  8. Password: Enter the password for the “distinguished name”.
  9. LDAP version: Choose the LDAP version you are using from the drop-down menu. This setting is required.
  10. TLS encryption: Switch to “Yes” if you use this encryption mechanism.
  11. Update user info on login: Switch to “Yes” if you want to have the first name, last name and email address updated with the corresponding LDAP values at each login. Enabling this option may prevent some MS ActiveDirectory sites / users from subsequent Mahara logins.
  12. We auto-create users: Switch to “Yes” if you want Mahara to create user accounts automatically when a user authenticates successfully but does not yet have an account.
  13. LDAP field for first name: Enter the name of the field in the LDAP record that contains the user’s first name.
  14. LDAP field for surname: Enter the name of the field in the LDAP record that contains the user’s last name.
  15. LDAP field for email: Enter the name of the field in the LDAP record that contains the user’s email address.
  16. LDAP field for student ID: Enter the name of the field in the LDAP record that contains the user’s student ID.
  17. LDAP field for display name: Enter the name of the field in the LDAP record that contains the user’s display name.
  18. User sync: Decide whether you wish to synchronize your users via a cron job and make additional settings.
  19. Group sync: Decide whether you want to create groups automatically in Mahara based on your LDAP groups.
  20. Click the Submit button to enable this authentication method or click Cancel to abort your changes.

10.6.4.2.1. LDAP user sync

You can set up your LDAP authentication so that user account creation can be automated. User account deletion should be considered carefully.

Configure the LDAP user sync

Configure the LDAP user sync

  1. Sync users automatically via cron job: Enable this setting to activate a task in the cron which will automatically create and/or update user accounts based on records in the LDAP server.

    Note

    By default, this cron task will execute once daily at midnight (server time). Edit the record in the “auth_cron” table or use the optional command-line script supplied at htdocs/auth/ldap/cli/sync_users.php if you wish to schedule it to run at other times or with other settings.

    This setting will have no effect if the cron is not running. See the installation guide for instructions on how to set it up.

  2. Update user info in cron: Switch to “Yes” if you wish for user information to be updated via the cron if they changed in the LDAP record.

  3. Auto-create users in cron: Switch to “Yes” if you want new users in your LDAP directory to get an account automatically.

  4. Additional LDAP filter for sync: Provide an LDAP filter here, and the sync will only see users in LDAP who match that filter. Example: Example: uid=user*.

    Warning

    Use this setting with caution if you have auto-suspend or auto-delete enabled, as doing so will cause all user accounts in your institution which do not match the filter to be suspended or deleted.

  5. If a user is no longer present in LDAP: Choose from the drop-down menu what you want to do if users are no longer in your LDAP directory:

    • Do nothing: Users keep their account. This is the recommended setting.

    • Suspend user’s account: The user’s account will be suspended. The user will no longer be able to log in, and their content and pages will not be viewable. However, none of their data will be deleted, and the user can be un-suspended by the cron when their LDAP record reappears, or manually by an administrator. Alternatively, their authentication method could be changed to the Mahara internal.

    • Delete user’s account and all content: The user’s account will be deleted, along with all their content and pages.

      Warning

      The automatic deletion of user accounts is not recommended. The data is fully deleted from the server when a user’s account is deleted. The account can only be restored from a backup. Some information such as friend relationships and group membership cannot be restored.

  6. Click the Submit button to enable this authentication method or click Cancel to abort your changes.

10.6.4.2.2. LDAP group sync

You can set up your LDAP authentication so that group creation can be automated. Group deletion should be considered carefully.

Configure the LDAP group sync

Configure the LDAP group sync

  1. Sync groups automatically via cron job: Enable this setting to activate a task in the cron which will automatically create and/or update groups and their membership based on records in the LDAP server.

    Note

    By default, this cron task will execute once daily at midnight (server time). Edit the record in the “auth_cron” table or use the optional command-line scripts supplied in htdocs/auth/ldap/cli/ if you wish to schedule it to run at other times or with other settings.

    Note: You will also need to activate the “Sync groups stored as LDAP objects” and / or “Sync groups stored as user attributes” settings in order for groups to be synced.

    Group members can be removed as well as added by this setting. If a group is no longer found in the LDAP records, all of its members will be removed from the group.

    This setting will have no effect if the cron is not running. See the installation guide for instructions on how to set it up.

  2. Auto-create missing groups: Switch to “Yes” if you want to have new groups in your LDAP directory created automatically in Mahara.

  3. Role types in auto-created groups: Decide which roles users can have in auto-created groups.

    • Course: Members, tutors and administrators
    • Standard: Members and administrators
  4. Exclude LDAP groups with these names: If you want to auto-create groups, but do not want to include all groups, you can exclude some. Type their names here.

  5. Include only LDAP groups with these names: If you want to restrict the creation / synchronisation of your groups to a specified few, list them here.

  6. Sync groups stored as LDAP objects: Switch to “Yes” if your groups are stored as standalone records in LDAP. Example:

    dn: cn=languagestudents,ou=groups,dc=mahara,dc=org
    objectClass: groupOfUniqueNames
    cn: languagestudents
    uniqueMember: uid=user1,dc=mahara,dc=org
    uniqueMember: uid=user2,dc=mahara,dc=org
    uniqueMember: cn=frenchclass,ou=groups,dc=mahara,dc=org
  7. Group class: Put the LDAP objectclass that groups are expected to have here.

  8. Group attribute: Enter the LDAP attribute that maps to a group’s name. It is often cn.

  9. Group member attribute: Enter the LDAP attribute in which the group’s members are stored in. It is often uniqueMember.

  10. Member attribute is a dn? Switch to “Yes” if each entry in the “Group member attribute” field is a “distinguished name”. Disable this setting if each entry in “Group member attribute” field is a username only.

  11. Process nested group: Switch to “Yes” if your groups can contain other groups as members. If enabled, the sync process will recursively include the members of these nested groups into the parent group.

    Note

    The process will safely cease recursing if it detects a circular reference.

  12. Sync groups in these contexts only: List the contexts where groups are located. Separate different contexts with a semicolon ;. Example: ou=groups,o=org;ou=other,o=org.

    Note

    If this field is left empty, the group sync cron will fall back to using the same list of contexts as the “Contexts” setting for where users are located.

  13. Search subcontexts: Change to “Yes” if subcontexts should be included in the synchronisation.

  14. Sync groups stored as user attributes: Switch to “Yes” if each LDAP user record has an attribute which indicates a group the user should be in. This setting will cause the LDAP sync cron to create a group for each unique value in the specified user attribute (or in those listed in the “Acceptable group names” field), and place each user in the appropriate group (or groups, if they have multiple values for the attribute).

  15. User attribute group name is stored in: Provide the LDAP attribute in which the name is stored.

  16. Only these group names: When creating groups based on user attributes, only create groups with these names. This will not affect groups created via the “Sync groups stored as LDAP objects” setting, if it is active.

  17. Click the Submit button to enable this authentication method or click Cancel to abort your changes.

10.6.4.3. SAML authentication

Choose this authentication method for your institution when you have a SAML 2.0 Identity Provider Service set up for your organisation that allows you to use the same login for multiple applications.

new in Mahara 17.10 The SAML plugin can be used to connect to ADFS as well. In order to do so, the signature algorithm needs to be set appropriately in the SAML plugin configuration.

SAML 2.0 authentication

SAML 2.0 authentication

  1. Active: Set the switch to “Yes” if you want to use the IdP.

  2. Add a new Identity Provider: If you add your first SAML IdP, you can only enter the details. Once you have an IdP set up, this changes to Available Identity Providers, and you can choose from them if the metadata for the institution you are setting up uses the same IdP or set up a new IdP.

    Note

    When you have more than one SAML IdP set up on your site, people wanting to log in via SSO are taken to an overview page that lists all SSO providers.

    saml discovery

    The available information to display is the logo of the service, its name, and the service provider. If you want to display your logo on the page, add the following just below the <md:IDPSSODescriptor> line and replace “linktothelogo” with the actual location of the logo:

    <md:Extensions> <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"> <mdui:Logo width="120" height="30" xml:lang="en">linktothelogo</mdui:Logo> </mdui:UIInfo> </md:Extensions>

  3. Institution Identity Provider SAML metadata: Enter the metadata from your IdP. Make sure that all information in the SAML plugin configuration is correct and that there are no server dependencies missing.

    Note

    This element requires the XML formatted metadata for the IdP that you want to connect to. If the same IdP has already been configured for another institution, then leave this blank.

  4. Institution attribute (contains “…”): Enter the attribute that will be passed from the Identity Provider (IdP) that shows which institution the user belongs to. This usually directly correlates to the LDAP attribute (the signin service of the IdP), e.g. eduPersonOrgDN. This field is required.

  5. Institution value to check against attribute: Enter the value that will be checked against the institution attribute value as passed from the IdP. If the institution regex switch “Do partial string match with institution shortname” is set to “Yes”, this value can be a regular expression that will be used to check against the institution attribute value. This field is required.

  6. Do partial string match with institution shortname: Switch to “Yes” to treat the value in “Institution value to check against attribute” like a regular expression.

  7. User attribute: Enter the name of the attribute passed by the IdP that contains the username. This field is required.

  8. Match username attribute to remote username: This switch is set to “Yes” by default and needs to stay on this setting. It matches the user attribute value to the remote username field assigned to a given user (not the internal Mahara username). Only if you have the experimental feature of “usersuniquebyusername” turned on can you set this switch to “No”. We do not recommend this unless you are very experienced and have control over all applications in question.

    Warning

    By default, SAML authentication instances have the “Match username attribute to remote username” setting enabled. If that setting were disabled, someone with control over any SAML identity provider could gain control over any user account on that Mahara site by setting the username attribute accordingly. In other words, administrators of one institution could control users in other institutions. You would only be able to disable this setting if you set the “usersuniquebyusername” variable to “true” in config.php file. However, you should not do that on a Mahara instance to which multiple SAML providers connect and you are not in control of all usernames that are created.

    See also

    If you disable “Match username attribute to remote username”, you get an error message which talks about the config setting for “usersuniquebyusername”. Please refer to the experimental feature of the “usersuniquebyusername” variable for more information.

  9. Allow users to link own account: Switch to “Yes” if you want to allow users to link their own internal Mahara account to the authenticated SAML account. This depends on the “Match username attribute to remote username” option being enabled. If this setting is turned on when users try to log in via SSO and their username as well as the email for example match an internal username, they can link their accounts. That would allow them to log in either via the SSO login or via the regular login box into the same account and avoid account duplication.

  10. Update user details on login: Switch to “Yes” to update the first name, last name and email address with the corresponding IdP values passed through at each login.

  11. We auto-create users: Switch to Yes to create user accounts on Mahara automatically when a user authenticates successfully but does not yet have an account.

    Note

    You can turn this setting now also on for multi-tenanted sites that use SAML SSO in more than one institution.

  12. SSO field for first name: Enter the name of the attribute passed by the IdP that contains the user’s first name.

  13. SSO field for surname: Enter the name of the attribute passed by the IdP that contains the user’s last name.

  14. SSO field for email: Enter the name of the attribute passed by the IdP that contains the user’s email address.

  15. SSO field for student ID: Enter the name of the attribute passed by the IdP that contains the student ID.

  16. Click the Submit button to enable this authentication method or click Cancel to abort your changes.

10.6.4.4. Web services

If you want to use web services with users in an institution, add the web services authentication.

You need the web services authentication method if you want to allow users to connect via LTI.

You cannot configure anything for the authentication plugin, but need to do that in the Web services area.

10.6.4.5. XML-RPC / MNet authentication

Use the XML-RPC authentication for connecting a Mahara instance to a Moodle or an other Mahara installation for sharing login information. With Moodle 2 that does not only mean that you can log in to Mahara via Moodle, but also that you can transfer certain activities into your Mahara portfolio from Moodle.

A Moodle site can only be connected to Mahara once no matter how many institutions you have set up. Every XML-RPC authentication instance in Mahara must have its own unique remote wwwroot and must be associated with a single institution.

Note

You must have networking enabled in order to use this authentication method.

Set up MNet authentication

Set up MNet authentication

  1. Authority name: Enter a descriptive name to help you identify this authority. Preferably, choose a short name. This field is required.

  2. WWW root: Enter the web address of the root of the remote application, e.g. http://example.com. This field is required. If your WWW root requires a specific port, enter the port number that the remote application is listening at. You probably will not need to add a port unless you are connecting to a https service or your remote application is running on a non-standard port.

  3. Site name: Enter the name to present to your users to identify the remote site. If you enable SSO, they may click on this name to start a session at the remote site. This field is required.

  4. Application: Choose the application on the remote side. You can choose between “Mahara” and “Moodle”.

  5. Parent authority: If you set a parent authority from the already existing authentication methods, users will be able to log in using that authority as well as MNet. For example, you could set up SAML authentication and have that be the parent of this MNet authority. That means that users will be able to log in by clicking the SSO login button using their SSO credentials as well as via MNet from their Moodle. You do not have to set a parent authority. If you do not, users using MNet will only be able to access Mahara via MNet, i.e. log in to Moodle or the other Mahara first.

    Note

    If you choose a Parent authority, ensure that all the users are associated with this authentication method instead of the MNet one. Otherwise, they will not be able to log in via the parent authentication method. If the remote username for MNet and the other authentication method is already the same, you just need to change the authentication method. If they are not yet the same, you need to update the user details together with changing their authentication method.

  6. Wrong login box message: Enter a message to display when a user tries to log in via Mahara’s login form but is not allowed to if you have not set up a parent authority.

  7. SSO direction: Choose your SSO direction from the drop-down menu:

    • They SSO in: Enable this option to allow users from the remote site to roam to your Mahara site without having to enter their username and password. This is the most commonly used setting. The remote application is the source of the login information and where accounts are created initially.
    • We SSO out: Enable this option to allow your users to roam from Mahara to the remote site without having to enter their username and password there. Mahara is the source of the login information and where accounts are created initially.
  8. Update user info on login: Set this switch to “Yes” to bring over user data from the remote site upon each login and update your Mahara user record with any changes. The following fields, when filled in on Moodle, are filled in Mahara:

    • First name (always carried over)
    • Last name (always carried over)
    • Email address (always carried over)
    • Profile picture
    • Description (Introduction on Mahara)
    • City
    • Country
    • Language
    • HTML editor setting
  9. We auto-create users: Switch to “Yes” to create user accounts on Mahara automatically when a user authenticates successfully but does not yet have an account.

  10. They auto-create users: Only use this setting if you selected “We SSO out” in the SSO direction setting.

  11. We import content: Not all network-enabled applications support this, but if they do, e.g. Moodle, this will allow users of the remote site to import content to Mahara. It depends on the option “They SSO in” from “SSO direction” and it is sensible to also have “We auto-create users” set.

  12. Click the Submit button to enable this authentication method or click Cancel to abort your changes.

  13. If the connection to the remote site is successful, the public key of the remote site will be stored with the authentication method and rotated when needed. If there is a problem and the public key does not update, you can exchange it yourself with the correct one while you are troubleshooting the underlying problem.

See also

Refer to the comprehensive guide about setting up Mahoodle, the combination of Mahara and Moodle, for step-by-step instructions on how to set everything up on the Moodle side and on Mahara. The guide explains the steps for both Moodle 1.9 and Moodle 2.x.

10.6.4.6. Order of authentication methods

If you have set up multiple authentication methods in one institution, you can decide on the order in which they are checked.

Order of authentication methods

Order of authentication methods

  1. Use the Up arrow and the Down arrow button to move a specific authentication method up or down in the list. Mahara looks for accounts of users in the order of the list.
  2. Delete a particular authentication method by clicking the Delete button .

Note

You cannot delete an authentication method when there are still users who require it to log in. Before deleting an authentication method, you have to move the users to another authentication method.

10.6.4.7. Suspend institution

A site administrator can suspend an institution at any time.

Suspend an institution

Suspend and institution

Click the Suspend institution button to make an institution (temporarily) unavailable to its users.

10.6.5. Institution static pages

Administration → Institutions → Static pages

Institution administrators can overwrite the content of the static pages that the site administrator created. These pages are:

  • About
  • Home (Dashboard)
  • Logged-out home
  • Privacy statement
  • Terms and conditions

All pages come with default text that you can change entirely. Every page must contain some text. You can use the visual editor to style your page.

Edit static pages for an institution

Edit static pages for an institution

  1. Institution: If you are a site administrator or an institution administrator of more than one institution, choose the institution for which you want to change page content. If you administer only one institution, its name is displayed directly.
  2. Page name: Choose the page you want to edit from the drop-down menu.
  3. Use site default: Switch to “Yes” if you want to use the content that is displayed on the page for the entire site. Switch to “No” if you want to provide your own content.
  4. Page text: Change the text in the editor window if you selected “No”. You cannot leave this field empty.
  5. Click the Save changes button.

10.6.6. Members

Administration → Institutions → Members

You can add and remove members from one institution in bulk. As site administrator, you can always add members to an institution. As institution administrator, you can only invite users to become members.

You can filter users to display fewer and add to or remove them more easily from your institution:

  • People who have requested institution membership
  • People who have not requested institution membership
  • People who have left a given institution
  • People who are already institution members
  • People who have been invited

Note

You can double-click a name and it will be moved to the other side. This goes for all functionalities that are similar to this one here.

10.6.6.1. People who have requested institution membership

If your institution allows self-registration, users who are not already members of your institution can request to join it.

Institution administrators receive notifications about membership requests. Site administrators only receive notifications about users wanting to join “No Institution”.

Accept or decline institution membership requests

Accept or decline institution membership requests

  1. Institution: Choose from the drop-down menu to which institution you wish to add users. If there is only one institution, its name will be displayed without the drop-down menu.
  2. Users to display: Choose People who have requested institution membership.
  3. Add new members: You can search for users in the search box if there are too many names listed.
  4. Users who have requested membership: Select the users you wish to add to the institution.
  5. Add the users by clicking the right-arrow button .
  6. Users to be added / rejected: If you put users into the box for users to be added / rejected by accident, you can remove them from that list by clicking on them.
  7. Then click the left-arrow button , and they are removed from the list.
  8. When you have all the members you wish to add to the institution, click the Add members button.
  9. Alternatively, if you wish to decline users’ membership, you can select them and then send a general denial by clicking the Decline requests button.

10.6.6.2. People who have not requested membership yet

An admin can also take the initiative and invite or add users to an institution.

Invite or add users to become institution members

Invite or add users to become institution members

  1. Institution: Choose from the drop-down menu to which institution you wish to invite / add users. If there is only one institution, its name will be displayed without the drop-down menu.
  2. Users to display: Choose People who have not requested membership yet.
  3. Invite users to join the institution: You can search for users in the search box if there are too many names listed.
  4. Non-members: Select the users you wish to invite to the institution.
  5. Add the users to the list Users to be invited by clicking the right-arrow button .
  6. If you put a person into the box for users to be invited by accident, you can remove them from that list by clicking on them.
  7. Then click the left-arrow button , and they are removed from the list.
  8. When you have all the members you wish to invite to the institution, click the Invite users button. The users receive a notification and can accept or decline the institution membership invitation.
  9. Alternatively, if you are a site administrator, you can click the Add members button add users directly to the institution without asking them first.

10.6.6.3. People who have left a given institution

An administrator can filter users by the previous institution to which they were attached in order to find them more quickly.

Note

This is only of importance for a multi-tenanted Mahara instance with at least 2 institutions.

Invite / add users who had left an institution

Invite or add users to become institution members when they had left an institution

  1. Institution: Choose from the drop-down menu to which institution you wish to invite / add users. If there is only one institution, its name will be displayed without the drop-down menu.
  2. Users to display: Choose People who have left a given institution. “Left” is interpreted loosely, it also means when an administrator removed them from an institution.
  3. Previous institution: Choose the institution from which you want to add users. The users must have left it first to be listed here.
  4. Invite users to join the institution: You can search for users in the search box if there are too many names listed.
  5. Users who have left institution [name of the institution]: Select the users you wish to invite or add to the institution listed.
  6. Add the users to the list Users to be invited by clicking the right-arrow button .
  7. If you put a person into the box for users to be invited by accident, you can remove them from that list by clicking on them.
  8. Then click the left-arrow button , and they are removed from the list.
  9. When you have all the members you wish to invite to this institution, click the Invite users button. The users receive a notification and can accept or decline the institution membership invitation.
  10. Alternatively, if you are a site administrator, you can click the Add members button add users directly to the institution without asking them first.

Note

Mahara keeps track of the last institution of a user via an invisible tag.

10.6.6.4. People who are already institution members

You can remove users from an institution, e.g. if they are no longer students at a school or university, but should still have an account on Mahara or when they are just switching institutions on the same Mahara instance.

Remove users from an institution

Remove users from an institution

  1. Institution: Choose from the drop-down menu which institution’s members you wish to display. If there is only one institution, its name will be displayed without the drop-down menu.
  2. Users to display: Choose People who are already institution members.
  3. Remove users from the institution: You can search for users in the search box if there are too many names listed.
  4. Current members: Select the users you wish to remove from the institution.
  5. Add the users to the list Users to be removed by clicking the right-arrow button .
  6. If you put a person into the box for users to be removed by accident, you can remove them from that list by clicking on them.
  7. Then click the left-arrow button , and they are removed from the list.
  8. When you have all the members you wish to remove from your institution, click the Remove users button.

10.6.6.5. People who have been invited

An administrator can uninvite users from an institution.

Uninvite users from joining your institution

Uninvite users from joining your institution

  1. Institution: Choose from the drop-down menu which institution’s invited users you wish to display. If there is only one institution, its name will be displayed without the drop-down menu.
  2. Users to display: Choose People who have been invited.
  3. Revoke invitations: You can search for users in the search box if there are too many names listed.
  4. Invited users: Select the users you wish to univite from joining your institution.
  5. Add the users to the list Users to be uninvited by clicking the right-arrow button .
  6. If you put a person into the box for users to be uninvited by accident, you can remove them from that list by clicking on them.
  7. Then click the left-arrow button , and they are removed from the list.
  8. When you have all the users you wish to uninvite from the institution, click the Revoke invitations button.

10.6.7. Institution staff

You can give users staff rights in an institution in which they are members. The staff role will allow them to create course groups for example. This page allows you to do that in bulk for many users at once.

See also

You can also give staff rights on the user account settings page.

Give users institution staff rights

Give users institution staff rights.

  1. Institution: Choose the institution from the drop-down menu for which want to give staff rights to members. If there is only one institution, its name will be displayed without the drop-down menu.
  2. Staff users: You can search for users in the search box if there are too many names listed.
  3. Institution members: Select the institution members who shall get staff rights.
  4. Add the users to the list Institution staff by clicking the right-arrow button .
  5. If you put a user into the institution staff list by accident or want to remove existing staff members and return them to normal membership status, select them.
  6. Then click the left-arrow button , and they are removed from the list.
  7. When you have all the members you wish to have as staff in the institution, click the Submit button.

10.6.8. Institution administrators

You can give users administrator rights in an institution in which they are members. The administrator role will allow them to manage users in their own institution. This page allows you to do that in bulk for many users at once.

See also

You can also give admin rights on the user account settings page.

Give users institution admin rights

Give users institution admin rights.

  1. Institution: Choose the institution from the drop-down menu for which want to give admin rights to members. If there is only one institution, its name will be displayed without the drop-down menu.
  2. Admin users: You can search for users in the search box if there are too many names listed.
  3. Institution members: Select the institution members who shall get administrator rights.
  4. Add the users to the list Current administrators by clicking on the right-arrow button .
  5. If you put a user into the institution administrator list by accident or want to remove existing administration members and return them to normal membership status, select them.
  6. Then click on the left-arrow button , and they are removed from the list.
  7. When you have all the members you wish to have as administrators in the institution, click the Submit button.

10.6.9. Admin notifications

Administration → Institutions → Admin notifications

The Admin notifications page lists all users with institution and site administrator access on your site. It shows their selected notification preferences for all admin notifications. There should be at least one administrator receiving each type of message generated.

Note

Institution administrators only see admin notifications for their own institutions.

Admin notifications are:

  • Contact us
  • Objectionable content
  • Repeat virus upload
  • Virus flag release
  • Objectionable content in forum
Overview of the admin notification types

Overview of the admin notification types

10.6.10. Profile completion

Administration → Institutions → Profile completion

Profile completion lets you select content that users of an institution need in order to have a “completed” profile. The parameters for a completed profile can differ from one institution to another. In some cases you can also decide how many content items a user needs of a specific artefact type to complete their profile.

See also

The site administrator needs to enable the profile completion feature in the user settings for institutions to be able to use it.

Set up profile completion for an institution

Set up profile completion for an institution

  1. Institution: If you administer more than one institution, select the one for which you want to set up the profile completion from the drop-down menu. If there is only one institution, its name will be displayed without the drop-down menu.
  2. Profile completion preview: Once you clicked the Submit button, you will see a preview of the progress bar that is displayed to your institution users in the sidebar.
  3. Profile: Set the switches to “Yes” for the items that you want your users to fill in from their profile. Select the number of groups a user should join or number of friends a member of your institution should make.
  4. Résumé: Set the switches to “Yes” for the résumé items that your users should fill in to have a completed profile.
  5. Plans: Select the number of plans and tasks a user should have from the drop-down menus.
  6. Journals: Select whether a user needs to have a certain number of journal entries for a complete profile.
  7. Files: In this section you can decide whether users need to upload a certain number of files. You can also specify the file type and decide how many items of each file type users should upload for a complete profile.
  8. Annotation: Select from the drop-down menu the number of comments a user should make on annotations to gain a completed profile.
  9. Comment: Select from the drop-down menu the number of comments a user should make to gain a completed profile.
  10. Click the Submit button to save your changes.

10.6.11. Institution pages and collections

Administration → Institutions → Pages and collections

You can create pages and collections for your entire institution. Although you could always create portfolios under a regular user account that other users could copy into their own portfolio, the advantage of institution pages and collections is that new members in the institution can receive a copy upon joining the institution.

Creating and editing an institution portfolio is very similar to creating and editing a personal portfolio. However, not all blocks are available when editing an institution page in the page editor due to the different context. Please refer to the overview of blocks for a list of all the blocks that you can use in an institution page.

Manage institution pages and collections

Manage institution pages and collections

  1. Institution: If you administer more than one institution, select the one for which you want to create or edit pages. If there is only one institution, its name will be displayed without the drop-down menu.

  2. Click the Add button to start a new page or collection from scratch.

    Note

    A modal opens in which you can choose whether to create a page or collection.

    add page or collection

  3. Click the Copy button to choose an existing page or collection as basis.

  4. Search: Type your search term into the search field.

  5. Use the drop-down arrow to limit your search. The available options are:

    • Title, description, tags: Search for your search term in the title, descirption, and tags of your site portfolios.
    • Title, description: This is the default option. It searches in the title and description of your site portfolios.
    • Tags: Search only within the tags of your site portfolios.
  6. Sort by: Decide on the sort order in which you wish to display your portfolios.

    • Alphabetical: Portfolios are displayed in alphabetical order.
    • Date created: List the portfolios in chronologically reverse order with the newest portfolios first.
    • Last modified: Display the portfolios in the order of their last modification with the most recent portfolios that have been changed first. This is the default display option.
    • Last viewed: Show the portfolios in the order in which they were viewed by you and others starting with the most recently viewed portfolios.
    • Most visited: Display the portfolios that have been visited most first in the list.
    • Most feedback: List the portfolios in descending order based on the amount of feedback they have received.

    Note

    The sort order that you choose does not change when you navigate away from the overview page or log out. When you change the sort order, that new setting will be used until you change it again.

  7. Click the Search button to search your site portfolios based on your search term and / or sorting criteria.

  8. Edit your institution pages and collections as usual.

Note

When somebody leaves comments on an institution page or artefact, the institution and site administrators receive a notification.

10.6.12. Institution journals

Administration → Institutions → Journals

You create institution journals like regular user journals. Institution journals allow you to create a journal template and then copy that into user accounts for example. They also allow you to create a news blog for your institution.

Institution journals

Institution journals

  1. Institution: If you administer more than one institution, select the one for which you want to create or update a journal. If there is only one institution, its name will be displayed without the drop-down menu.
  2. You can create multiple journals. Click the Create journal button to set up a new journal.
  3. All your journals are listed on Administration → Institutions → Journals with their titles. The titles link through to the individual journals.
  4. You can see the description of the journal.
  5. You see how many entries you have in each journal.
  6. Click the Arrow icon to be taken to the journal and see all journal entries.
  7. Click the New entry button to create a new journal entry directly from this screen.
  8. Click the Edit button to make changes to your journal title, description or tags.
  9. Click the Delete button to delete the journal and all its entries.

Warning

When you click the Delete button, you receive a confirmation message whether you really want to delete the journal or not. If you used the journal or an entry of it in a page, Mahara lets you know so you can decide whether to delete the journal or not. Once you agree to delete the journal, your journal and all its content are removed permanently.

10.6.13. Share institution pages and collections

Administration → Institutions → Share

You can see a list of all institution pages and collections for a specific institution.

Share institution pages and collections

Share institution pages and collections

  1. Institution: If you administer more than one institution, select the one for which you want to change sharing permissions for pages or collections. If there is only one institution, its name will be displayed without the drop-down menu.

  2. Select whether you want to change permissions for a collection or a page.

    Note

    You can select more collections or pages on the following screen.

  3. Collection / page name: All collections or pages for that institution are listed here.

  4. Access list: View the access permissions for the pages and collections.

  5. Click the Edit access icon to change the permissions of who can view and copy a page or collection.

  6. Click the Edit Secret URL icon to define a secret URL for a page or collection.

Sharing an institution page or collection is very similar to sharing a portfolio page or collection. The only difference is that you can allow new institution members to receive a copy of an institution page or collection immediately upon joining the institution.

Setting for copying an institution page for new institution members

Setting for copying an institution page for new institution members

  1. When you clicked the Edit access icon on the Share page for institution pages and collections, click the Advanced options link and change the switch for Allow copying to “Yes”. This now allows everyone who has access to the selected page(s) or collection(s) to copy them.

  2. Copy for new users: Enable this option if all new users in your institution shall receive a copy of the selected page(s) or collection(s) into their portfolios when an account is created for them.

    Note

    If you enable this option without also enabling the option “Allow copying”, your users will not be able to make a copy of the page(s) or collection(s) themselves if they need another one.

  3. Click the Save button at the bottom of the page to save your changes.

When site administrators create and share an institution page or collection, they can share it with the members of the institution in which they created the page or collection.

10.6.14. Files

Administration → Institutions → Files

The files area in an institution holds all files that are uploaded by administrators as institution files. The uploading process works like the one in the personal files area.

Institution files area

Institution files area

10.6.15. Pending registrations

Administration → Institutions → Pending registrations

When you turn on Confirm registration for an institution in the institution settings, no user account in this institution is created without the administrator knowing it. If a user is rejected, no account is created. If the option Confirm registration is not turned on, a user account is created in the “No institution” institution but not in the actual institution.

Below follows the process for self-registration with Confirm registration turned on.

10.6.15.1. Self-register for an internal account

When users try to self-register for your institution, they must provide certain details.

Note

The fields for email, first and last name can appear in a different order if you have chosen the advanced spam protection settings.

User self-registration for an institution

User self-registration for an institution

  1. Email address: Provide your email address.
  2. First name: Type your first name.
  3. Last name: Provide your last name.
  4. Institution: Select the institution for which you want to register. There is an indicator whether the institution you wish to register for requires administrator approval.
  5. Registration reason: If administrator approval is required, you can provide a reason why you want to join the institution.
  6. If the site administrator requires users who self-register to agree to the terms and conditions, the “Registration agreement” of the site, you must read through them below and then make your choice.
  7. Click the Register button.
  8. The administrators of that institution and the site administrator receive a notification about the pending registration. They then review pending registrations.
  9. You will receive an email which includes a link to confirm your email address. You must click that link within 24 hours. If you do not, you will have to start the registration process again from the beginning.

10.6.15.2. Review pending registrations

As administrator, you can view pending registrations for your institutions on the Pending registrations page in Administration → Institutions → Pending registrations.

Pending registration page

Pending registrations page

  1. Institution: If you administer more than one institution, select the one for which you want to review pending registrations. If there is only one institution, its name will be displayed without the drop-down menu.
  2. Pending registration: You see a list of all registration requests that include the names of the requesters and their email addresses.
  3. Registration reason: The reason for registration is displayed.
  4. Click the Approve button when you want to approve this registration request. You will have to confirm your approval on the next page. The person self-registering receives an email with a link to complete the registration process.
  5. Click the Deny button when you do not want this person to register for your institution and receive an account.

When you approve users, you can decide whether they should receive staff rights immediately. For example, this helps to give all teachers at a school staff access rights upon their self-registration.

Approve pending registrations

Approve pending registrations

  1. Institution staff: Switch to “Yes” if the user shall have staff access rights.
  2. Click the Approve button when you want to approve this registration request or click Cancel to abort the approval process.

When you deny a person access to your institution, you can also provide a reason.

Reason for denying institution membership for a self-registering user

Reason for denying institution membership for a self-registering user

  1. Denial reason: Write your reason for denying institution membership that might help the person to know why you do not want to give them access.
  2. Click the Deny button to send a notification to the person’s email address with the reason for the denial or click Cancel to abort the denial process.

10.6.15.3. Complete self-registration

When users are accepted as members in an institution via this process, they must still complete the registration process. This is necessary to provide information in all required fields besides a password and a username.

Complete the self-registration for an institution

Complete the self-registration for an institution

  1. New username: Choose your new username. A default username is suggested, but you can provide a different one. If your suggested username is already taken, the system will let you know after you submit your information.
  2. New password: Choose a password for your account. This field is required.
  3. Confirm password: Re-type the new password. This field is required.
  4. Click the Submit button to complete your registration. You will be taken to your Dashboard.