8.5. Institutions

You can use Mahara as multi-tenanted instance. That means that several different institutions can share one Mahara installation. That allows users from these different institutions to:

  • share portfolio pages with each other
  • give feedback on each other’s pages
  • work collaboratively in groups across institution boundaries

In the Site Administration you can set up as many institutions as you wish. Institution administrators can only administer their users but not make any changes to site settings.

You can also use the possibility to set up institutions if you wish different parts of your organisation to use different themes, have different default settings and / or authentication methods.

8.5.1. Overview

On Site Administration -> Institutions -> Institutions you see an overview of all institutions that exist on this Mahara installation.

Overview page for institutions

Overview page for institutions

  1. Search for a particular institution by its name.
  2. Institutions are listed alphabetically
  3. Number of registered members in this institution
  4. Maximum allowed members in this institution
  5. Number of institution members with staff rights
  6. Number of institution members with institution administrator rights
  7. Click the Edit button edit to change institution settings.
  8. Click the Delete button delete to delete an institution. You can only delete an institution when there are no members in it.
  9. Click the Add Institution button when you want to create a new institution.
  10. Click the Edit Members button when you want to add or remove members from an institution.
  11. Click the Edit Staff button when you want to add or revoke staff rights for an institution member.
  12. Click the Edit Admins button when you want to add or revoke institution administrator rights for an institution member.

Note

The institution “No Institution” is the default “institution”. It cannot be deleted as it is the standard Mahara site.

8.5.2. Add an institution

When you want to add an institution by clicking on the Add button on Site Administration -> Institutions -> Institutions, you need to fill in basic information. You can change all the settings except the institution name later on.

Add a new institution

Add a new institution

  1. Institution name: This field is required. It is the unique identifier of this institution in the database. It must only be one word without numbers and symbols.
  2. Institution display name: This field is required. It is the name that all users see throughout the site to identify this institution.
  3. Institution expiry date: Set the expiry date for this institution by selecting the year, month and day from the drop-down menus when taking the checkmark off the “Not specified” check box. Institutions do not expire by default.
    • If you specify an expiry date for this institution, two things will happen. Once the warning time for institution expiry has been reached, site and institution administrators will be emailed about this institution’s impending expiry.
    • If the auto-suspend expired institutions option is set, then once the expiry date has been reached, this institution will be automatically suspended, and users of this institution will no longer be able to log in.
    • The warning time for institution expiry and the auto-suspend expired institutions options can be found in the institution settings under Site Administration -> Configure Site -> Site options.
  4. Registration allowed? Check this box when you want to allow self-registration of new users. As institution administrators, you will be asked to confirm that users can join your institution. If you decline, their account will be associated with “No Institution”. When you do not allow registration, nobody can ask to join your institution or leave it without your permission.
  5. Default membership period: You can set how long users will remain associated with this institution per default. Choose an option from the drop-down menu and then specify the number of days, weeks, months or years. After this length of time, the users will be removed from the institution. Users will receive an email before this time reminding them that they will be removed soon. However, that does not mean that they will lose their account. They will still have that.
  6. Theme: Use the drop-down menu to choose the theme that you wish to use for this institution. All pages in that institution will receive that theme. When users from other institutions view portfolio pages that were created in this institution, they will see this institution’s theme on these pages. If Site Default is selected, when a site administrator changes the site default theme, the theme for the users of this institution will change, too. You can install more themes in the theme folder on the server. Check out the community-contributed themes.
  7. Maximum user accounts allowed: Specify the maximum number of accounts that can be created in this institution. If you leave this field blank, there is no limit to the number of accounts.
  8. Locked fields: Put a check mark into each check box for which users are not allowed to change the value. Disabled check boxes are for profile fields which are locked in the institution settings for “No Institution”. These profile fields are locked at the site level and cannot be unlocked for individual institutions.
  9. Click the Submit button to save your changes and create this institution.
  10. Click the Cancel button to abort the creation of this institution.

Note

Locking profile fields such as first name, last name and display name can be beneficial for institutions that wish to always identify their users by their real names and not allow users to choose nick names.

8.5.3. Edit an institution

Once you have created your institution, you can edit its settings or also suspend the institution. You will have to choose at least one authentication method for this institution so that user accounts can be created.

Note

Only site administrators can add, edit and delete authentication methods for an institution and suspend it.

You can add multiple authentication methods to your institution and thus allow various entry points for your users. You should set up at least one authentication method. Otherwise, nobody can log in to this institution.

Before you can use the IMAP, LDAP, SAML or XMLRPC authentication methods, you must install their extensions:

Warning

Be careful when choosing the “None” authentication method. This allows anyone to log in. It should only be used for testing purposes.

8.5.3.1. IMAP authentication

You can use this authentication method to receive the login information for your users from your IMAP server.

Set up IMAP authentication

Set up IMAP authentication

  1. Authority name: Enter a descriptive name to help you identify this authority. Preferably, choose a short name. This field is required.
  2. Hostname or address: Specify the hostname in URL form. This field is required.
  3. Port number: Specify the port under which your IMAP server can be reached. The default is 143. This field is required.
  4. Protocol: Selecte the IMAP protocol you are using by selecting it from the drop-down menu. This setting is required:
    • IMAP
    • IMAP / SSL
    • IMAP / SSL (self-signed certificate)
    • IMAP / TLS
  5. Password-change URL: If your users can only change their password in one central space, provide the URL here.
  6. Click the Submit button to save your changes.
  7. Click the Cancel button to abort your changes.

8.5.3.2. LDAP authentication

Use this authentication method to authenticate again an LDAP server so that your users can log in with their usual login and password.

Set up LDAP authentication

Set up LDAP authentication

  1. Authority name: Enter a descriptive name to help you identify this authority. Preferably, choose a short name. This field is required.
  2. Host URL: Specify hosts in URL form, e.g. ldap://ldap.example.com. Separate multiple servers with ; for failover support. This field is required.
  3. Contexts: List the contexts where users are located. Separate different contexts with ;, e.g. ou=users,o=org;ou=other,o=org. This field is required.
  4. User type: Select from the drop-down menu how users are stored in the LDAP directory. This field is required. You can choose between:
    • Novell Edirectory
    • posixAccount (rfc2307)
    • posixAccount (rfc2307 bis)
    • sambaSamAccount (v. 3.0.7)
    • MS Active Directory
    • default
  5. User atrribute: Enter the attribute used to search for users. It is often cn. This field is required.
  6. Search subcontexts: Select “Yes” if you want to search for the users also in subcontexts. This setting is required.
  7. Distinguished name: If you want to use bind-user to search users, specify it here. It should look something like cn=ldapuser,ou=public,o=org. Leave this blank for anonymous bind.
  8. Password: Enter the password for the “distinguished name”.
  9. LDAP version: Choose the LDAP version you are using from the drop-down menu. This setting is required.
  10. TLS encryption: Check this box if you use this encryption mechanism.
  11. Update user info on login: Check this box to update the first name, last name and email address with the corresponding LDAP values at each login. Enabling this option may prevent some MS ActiveDirectory sites / users from subsequent Mahara logins.
  12. We auto-create users: Check this box to create user accounts on Mahara automatically when a user autheticates successfully but does not yet have an account.
  13. LDAP field for First Name: Enter the name of the field in the LDAP record that contains the user’s first name.
  14. LDAP field for Surname: Enter the name of the field in the LDAP record that contains the user’s last name.
  15. LDAP field for Email: Enter the name of the field in the LDAP record that contains the user’s email address.
  16. Click the Submit button to save your changes.
  17. Click the Cancel button to abort your changes.

8.5.3.3. SAML authentication

Choose this authentication method for your institution when you have a SAML 2.0 Identity Provider Service set up for your organisation that allows you to use the same login for multiple applications.

SAML 2.0 authentication

SAML 2.0 authentication

  1. Institution attribute (contains ”...”): Enter the attribute that will be passed from the Identity Provider (IdP) that shows which institution the user belongs to. These usually directly correlate to LDAP attributes (the signin service of the IdP), e.g. eduPersonOrgDN. This field is required.
  2. Institution value to check against attribute: Enter the value that will be checked against the institution attribute value as passed from the IdP. If the institution regex checkbox is selected, this value can be a regular expression that will be used to check against the institution attribute value. This field is required.
  3. Do partial string match with institution shortname: Check this check box to treat the value in “Institution value to check against attribute” like a regular expression.
  4. User attribute: Enter the name of the attribute passed by the IdP that contains the username. This field is required.
  5. Match username attribute to remote username: Check this box if you want to match the user attribute value to the remote username field assigned to a given user (not the real Mahara username).
  6. Update user details on login: Check this box to update the first name, last name and email address with the corresponding IdP values passed through at each login.
  7. We auto-create users: Check this box to create user accounts on Mahara automatically when a user autheticates successfully but does not yet have an account.
  8. SSO field for First Name: Enter the name of the attribute passed by the IdP that contains the user’s first name.
  9. SSO field for Surname: Enter the name of the attribute passed by the IdP that contains the user’s last name.
  10. SSO field for Email: Enter the name of the attribute passed by the IdP that contains the user’s email address.
  11. Click the Submit button to save your changes.
  12. Click the Cancel button to abort your changes.

Warning

This security issue only affects sites which make use of the SAML authentication plugin and have more than one SAML identity provider.

By default, SAML authentication instances have the “Match username attribute to Remote username” setting unchecked. This means that a user logging in using single sign-on will log in as the local Mahara user whose Mahara username matches their SAML username attribute.

In this configuration, someone with control over any SAML identity provider could gain control over any user account on that Mahara site by setting the username attribute appropriately. In other words, administrators of one institution could control users in other institutions.

To fix this, site administrators of multi-institution sites with SAML authentication in use should ensure that the “Match username attribute to Remote username” setting is enabled in each SAML-enabled institution, unless usernames are guaranteed to be unique across all SAML providers.

8.5.3.4. MNet / XMLRPC authentication

Use the XMLRPC authentication for connection a Mahara instance to a Moodle or other Mahara installation for sharing login information. With Moodle 2 that does not only mean that you can log in to Mahara via Moodle, but also that you can transfer certain activities into your Mahara portfolio from Moodle.

A Moodle site can only be connected to Mahara once no matter how many institutions you have set up.

Note

You must have networking enabled in order to use this authentication method.

Set up MNet authentication

Set up MNet authentication

  1. Authority name: Enter a descriptive name to help you identify this authority. Preferably, choose a short name. This field is required.
  2. WWW root: Enter the web address of the root of the remote application, e.g. http://example.com. This field is required.
  3. Site name: Enter the name to present to your users to identify the remote site. If you enable SSO, they may click on this name to start a session at the remote site. This fiel is required.
  4. Application: Choose the application on the other end. You can choose between “Mahara” and “Moodle”.
  5. Port number: Enter the port number that the remote application is listening at. You probably will not need to change this unless you are connecting to a https service or your remote application is running on a non-standard port. This field is required.
  6. Parent authority: If you set a parent authority from the already existing authentication methods, users will be able to log in using that authority as well as MNet. For example, you could set up LDAP authentication and have that be the parent of this MNet authority. That means that users will be able to log in via Mahara’s in-built login form using their LDAP credentials as well as via MNet from their Moodle. You do not have to set a parent authority. If you do not, users using MNet will only be able to access Mahara via MNet, i.e. log in to Moodle or the other Mahara first.
  7. Wrong login box message: Enter a message to display when a user tries to log in via Mahara’s login form but is not allowed to if you have not set up a parent authority.
  8. SSO direction: Choose your SSO direction from the drop-down menu:
    • They SSO in: Enable this option to allow users from the remote site to roam to your Mahara site without having to enter their username and password.
    • We SSO out: Enable this option to allow your users to roam from Mahara to the remote site without having to enter their username and password there.
  9. Update user info on login: Enable this option to bring over user data from the remote site upon login and update your Mahara user record with any changes. The following fields, when filled in on Moodle, are filled in Mahara:
    • first name (always carried over)
    • last name (always carried over)
    • email address (always carried over)
    • profile picture
    • description (introduction on Mahara)
    • city
    • country
    • language
    • HTML editor setting
  10. We auto-create users: Check this box to create user accounts on Mahara automatically when a user autheticates successfully but does not yet have an account.
  11. We import content: Not all network-enabled applications support this, but if they do, e.g. Moodle 2.x, this will allow users of the remote site to import content to Mahara. It depends on the option “They SSO in” from “SSO direction” and it is sensible to also have “We auto-create users” set.
  12. Click the Submit button to save your changes.
  13. Click the Cancel button to abort your changes.

See also

Refer to the comprehensive guide about setting up Mahoodle, the combination of Mahara and Moodle, for step-by-step instructions on how to set everything up on the Moodle side and on Mahara. The guide explains the steps for both Moodle 1.9 and Moodle 2.x.

8.5.3.5. Order of authentication methods

If you have set up multiple authentication methods in one institution, you can decide on the order in which are checked.

Order of authentication methods

Order of authentication methods

  1. Use the up arrow and down arrow to move a specific authentication method up or down in the list.
  2. Delete a particular authentication method by clicking on the Delete link [x].

Note

You cannot delete an authentication method when there are still users who require it to log in. Before deleting an authentication method, you have to move the users to another authentication method.

8.5.4. Members

Under Institutions -> Members you can add and remove members from one institution in bulk. As site administrator, you can always add members to an institution. As institution administrator, you can only invite users to become members.

You can filter users to display fewer and add to or remove them more easily from your institution:

  • People who have requested institution membership
  • People who have not requested institution membership
  • People who are already institution members

8.5.4.1. People who have requested institution membership

If your institution allows self-registration, users who are not already members of your institution can request to join it.

See also

You can check your settings on self-registration:

  • when you are an institution admin: Institution administration -> Manage institutions -> Settings -> Registration allowed?
  • when you are a site admin: Site administration -> Institutions -> click the Edit button edit next to the institution you want to check -> Registration allowed?

Users can ask to join an institution on their institution membership page.

Institution administrators receive notifications about membership requests. Site administrators only receive notifications about users wanting to join “No Institution”.

Accept or decline institution membership request

Deal with an institution membership request

  1. Users to display: Choose People who have requested institution membership.
  2. Institution: Choose from the drop-down menu to which institution you wish to add users. If there is only one institution, its name will be displayed without the drop-down menu.
  3. Users who have requested membership: Select the users you wish to add to the institution.
  4. Search: You can also search for users in the search box if there are too many names listed.
  5. Add the users by clicking on the right-arrow button right-arrow.
  6. Users to be added / rejected: If you put users into the box for users to be added / rejected by accident, you can remove them from that list by clicking on them.
  7. Then click on the left-arrow button left-arrow, and they are removed from the list.
  8. When you have all the members you wish to add to the institution, click the Add members button.
  9. Alternatively, if you wish to decline users membership, you can select them and then send a general denial by clicking on the Decline requests button.

8.5.4.2. People who have not requested membership yet

An admin can also take the initiative and invite users into an institution.

Invite users to become institution members

Invite users to become institution members

  1. Users to display: Choose People who have not requested membership yet.
  2. Institution: Choose from the drop-down menu to which institution you wish to invite users. If there is only one institution, its name will be displayed without the drop-down menu.
  3. Non-members: Select the users you wish to invite to the institution.
  4. Search: You can also search for users in the search box if there are too many names listed.
  5. Add the users to the list Users to be invited by clicking on the right-arrow button right-arrow.
  6. If you put a person into the box for users to be invited by accident, you can remove them from that list by clicking on them.
  7. Then click on the left-arrow button left-arrow, and they are removed from the list.
  8. When you have all the members you wish to invite to the institution, click the Invite users button.
  9. The users receive a notification and can accept or decline the institution membership invitation.

8.5.4.3. People who are already institution members

You can remove users from an institution, e.g. if they are no longer students at a school or university, but should still have an account on Mahara or when they are just switching institutions on the same Mahara instance.

Remove users from an institution

Remove users from an institution

  1. Users to display: Choose People who are already institution members.
  2. Institution: Choose from the drop-down menu which institution’s members you wish to display. If there is only one institution, its name will be displayed without the drop-down menu.
  3. Current members: Select the users you wish to remove from the institution.
  4. Search: You can also search for users in the search box if there are too many names listed.
  5. Add the users to the list Users to be removed by clicking on the right-arrow button right-arrow.
  6. If you put a person into the box for users to be removed by accident, you can remove them from that list by clicking on them.
  7. Then click on the left-arrow button left-arrow, and they are removed from the list.
  8. When you have all the members you wish to remove from your institution, click the Remove users button.

8.5.5. Institution staff

You can give users staff rights in an institution in which they are members. The staff role will allow them to create course groups. This page allows you to do that in bulk for many users at once.

See also

You can also give staff rights on the user account settings page.

Give users institution staff rights

Give users institution staff rights.

  1. Institution: Choose the institution from the drop-down menu for which want to give staff rights to members.
  2. Institution Members: Select the institution members who shall get staff rights.
  3. Search: You can also search for users in the search box if there are too many names listed.
  4. Add the users to the list Institution Staff by clicking on the right-arrow button right-arrow.
  5. If you put a user into the institution staff list by accident or want to remove existing staff members and return them to normal membership status, select them.
  6. Then click on the left-arrow button left-arrow, and they are removed from the list.
  7. When you have all the members you wish to have as staff in the institution, click the Submit button.

8.5.6. Institution administrators

You can give users admin rights in an institution in which they are members. The administrator role will allow them to manage users in their own institution. This page allows you to do that in bulk for many users at once.

See also

You can also give admin rights on the user account settings page.

Give users institution admin rights

Give users institution admin rights.

  1. Institution: Choose the institution from the drop-down menu for which want to give admin rights to members.
  2. Institution Members: Select the institution members who shall get admin rights.
  3. Search: You can also search for users in the search box if there are too many names listed.
  4. Add the users to the list Current Admins by clicking on the right-arrow button right-arrow.
  5. If you put a user into the institution admin list by accident or want to remove existing admin members and return them to normal membership status, select them.
  6. Then click on the left-arrow button left-arrow, and they are removed from the list.
  7. When you have all the members you wish to have as admins in the institution, click the Submit button.

8.5.7. Institution pages

You can create pages for your entire institution. Although you could always create pages under a regular user account that other users could copy into their own portfolio, the advantage of institution pages is that new members in the institution can receive a copy upon joining the institution.

Create institution pages

Create institution pages

  1. When you are in Site administration -> Institutions -> Pages, click on the institution in the drop-down menu for which you want to create or edit institution pages.
  2. If you have a lot of institution pages, you can search for a particular one by searching for it. You can search in the title, description and tags or only in tags.
  3. Click on the Create Page button to start a new institution page.
  4. Click on the Copy Page button to start a new page from a copy of an already existing one. This does not have to be an institution page but can be any page that you are allowed to copy.
  5. View an institution page that you have already created.
  6. Click on the Edit button edit to change an existing institution page.
  7. click on the Delete button delete to delete an institution page.

Note

Creating and editing an institution page is very similar to creating and editing a portfolio page. Not all blocks are available when editing an instituion page in the page editor though due to the different context. Please refer to the overview of blocks for a list of all the blocks that you can use in an institution page.

8.5.8. Share institution pages

You can see a list of all institution pages from an institution under Site administration -> Institutions -> Share.

Share institution pages

Share institution pages

  1. Select the institution from the drop-down menu for which you want to see the institution pages.
  2. Pages: All institution pages for that institution are listed here.
  3. Access list: View the access permissions for the pages.
  4. Click on the Edit Access button edit_access to change the permissions of who can view and copy a page.
  5. Click the Secret URL edit button edit to define a secret URL for a page.

Sharing an instution page is very similar to sharing a portfolio page. The only difference is that you can allow new institution members to receive a copy of an institution page immediately upon joining the institution.

Setting for copying an institution page for new institution members

Setting for copying an institution page for new institution members

  1. When you clicked on the Edit Access button edit_access on the Share page for institution pages, click on the check box Allow copying under Advanced Options.
  2. Once you have put a check mark into that box, the line Copy for new institution members will appear and you can place a check mark into that box if you wish all new institution members to receive that page automatically.

8.5.9. Files

The files area in an institution holds all files that are uploaded by institution administrators as institution files. The uploading process works as the one in the personal files.