When using shibboleth authentication user accounts are generated on-the-fly on the first login attempt. There is no way OpenOLAT could query the shibboleth authentication provider to pre-populate the database.
However, the big disadvantage is that by this method it is not possible to assign users to courses before they logged in the first time. Students have to login first, then teachers can assign classes. In many cases it is needed that teachers can prepare this assignments before the term starts.
In the user management users can be imported via copy/paste from an excel sheet. In that mechanism users can have passwords, however they can also have an empty password if the password is set later on. Shibboleth users could theoretically be imported that way, however there is no way to identify the user accounts during the shibboleth login process because the shibboleth authentication token is missing.
This issue is about to solve this problem.
The user import must be extended in a way that passwords are treated as follows:
- Empty passwords are ignored - user is created without password
- Passwords that start with "SHIBBOLETH::" are parsed as shibboleth unique ID - user is created with shibboleth authentication token
- Other passwords - user is created and password is used as OLAT authentication token
this will create
- An account gabi.lustig without passord
- An account fritz.mueller with a local OLAT password abc123
- An account thomas.est with a shibboleth authentication identity email@example.com
Accounts that already exist are updated or ignored depending on the configuration.