Moodle needs certain Shibboleth attributes

When logging into the http://ccle.ucla.edu (Moodle) site through the UCLA Login option, if you see one of these error messages, see the explanation and instructions below:

Official Email Missing

Moodle needs certain Shibboleth attributes which are not present in your case. The attributes are: ‘HTTP_SHIB_EDUPERSONPPN’ (‘yourID@ucla.edu’), ‘HTTP_SHIB_GIVENNAME’ (‘YOURFIRSTNAME’), ‘HTTP_SHIB_CN’ (‘YOURLASTNAME’) and ‘HTTP_SHIB_UCLAOFFICIALEMAIL’ (’’)
Please contact the webmaster of this server or your Identity Provider. You are not logged in. (comes from moodle/root/auth/shibboleth/lib.php)

In this case, everything is there except the UCLAOFFICIALEMAIL. Unfortunately, Moodle requires that.

What to do for users who get this message: If nothing appears in the parentheses after ‘HTTP_SHIB_UCLAOFFICIALEMAIL’, the system does not currently have an official email for the student. The student should log on to www.ursa.ucla.edu to set up his/her official email designation. It may then take until the next day for that information to propagate to the system and allow the student to log in.

Note to students concurrently enrolled through UCLA Extension: If your UCLA Logon ID is not working, the problem may be that CTS hasn’t activated your Bruin Online (BOL) services because they have not yet received your enrollment paperwork proving your UCLA affiliation. Once your BOL services are activated, your @ucla.edu address will get pushed into the Enterprise Directory, which will enable successful login to CCLE through Shibboleth using UCLA Logon ID. To expedite this, the student should visit the BOL help desk with their concurrent enrollment paperwork (including the receipt showing concurrent enrollment) to have all services activated.

Here is an explanation from AIS of the issues involved:

“There are several emails which qualify to be official email – BOL email, Work email, LAW school email, Anderson school email, Other Student email (URSA).

When one of the emails is first added we designate that as Official automatically, because there would be no other eligible email for this person at that time. Subsequently there may be other eligible emails added to the entry. When an email is deleted by the authority (for example, Anderson school sends a delete request for Anderson email for a person) we check if Anderson email has been designated as Official for this entry; if yes, we delete Official also. It does not make sense to keep it Official when the underlying source email itself is deleted.

Next time an email is added to the entry, if there is already another email, we won’t designate the newly added email as Official simply because we wouldn’t know which one to designate as Official.

URSA allows students and former students to re-designate their official email. For employees who were never students here, we were expecting ODMP to provide the functionality, which hasn’t come along so far.”

In that case, if you are an employee, the solution is to contact AIS and ask them to help you designate one of your email addresses as UCLAOFFICIALEMAIL.
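The designation rules AIS describes above, modelled as a short added example (not AIS or Moodle code; the class, method names and addresses are constructed for illustration). It shows how an add/delete sequence leaves an entry that holds eligible emails but releases an empty official email, the state behind the ‘HTTP_SHIB_UCLAOFFICIALEMAIL’ (’’) message.

```python
# Added illustration: models the official-email rules as AIS describes them.
# Names and addresses are constructed; this is not AIS or Moodle code.
ELIGIBLE_SOURCES = {"BOL", "Work", "LAW", "Anderson", "URSA"}


class DirectoryEntry:
    def __init__(self):
        self.emails = {}      # source -> address
        self.official = None  # source designated official, or None

    def add(self, source, address):
        if source not in ELIGIBLE_SOURCES:
            raise ValueError(f"{source} is not an eligible email source")
        # Auto-designate only when the entry has no email at all yet.
        if not self.emails:
            self.official = source
        self.emails[source] = address

    def delete(self, source):
        self.emails.pop(source, None)
        # Official status does not outlive the underlying source email.
        if self.official == source:
            self.official = None

    def redesignate(self, source):
        # What URSA offers students; employees ask AIS to do this.
        if source not in self.emails:
            raise KeyError(f"no {source} email on this entry")
        self.official = source

    def official_email(self):
        # Empty string models the ('') shown in the Moodle error message.
        return self.emails.get(self.official, "")


def scenario():
    entry = DirectoryEntry()
    entry.add("Anderson", "jbruin@anderson.example")  # first email: official
    entry.add("BOL", "jbruin@bol.example")            # second: not designated
    entry.delete("Anderson")                          # official removed too
    after_delete = entry.official_email()
    entry.add("Work", "jbruin@dept.example")          # still no designation
    after_add = entry.official_email()
    entry.redesignate("BOL")                          # manual fix
    return after_delete, after_add, entry.official_email()


if __name__ == "__main__":
    print(scenario())
```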

Moodle didn’t receive any user attributes

You seem to be Shibboleth authenticated but Moodle didn’t receive any user attributes. Please check that your Identity Provider releases the necessary attributes (‘HTTP_SHIB_EDUPERSONPPN’, ‘HTTP_SHIB_GIVENNAME’, ‘HTTP_SHIB_CN’ and ‘HTTP_SHIB_UCLAOFFICIALEMAIL’) to the Service Provider Moodle is running on or inform the webmaster of this server. (comes from moodle/root/auth/shibboleth/index.php)

In this case, there could be three explanations that we know of:

  1. System-wide problem. If no one else can log in, the UCLA Shibboleth Identity Provider could be down or having problems. Contact AIS Help Desk at 66951.
  2. Individual problem. We’ve had one case where someone’s BOL EMAIL address was not in the correct Enterprise Directory database and until it was added, this person couldn’t log into CCLE. Contact Warren Leung at IT Services, if you suspect this could be the problem.
  3. Intermittent problem. If you usually can log in to CCLE and now you can’t, try closing your web browser completely (to clear the cookies) and then try logging in again. Or, try a different machine.

A test process to capture information at each step and send to the appropriate people.

See also: Authentication Expired