This works. I'm living the dream... users get pulled from our SIS into Active Directory via a script in a scheduled task. Admissions has a report to communicate new credentials; I never have to touch incoming or returning student accounts. Even courses and enrollments are created via the External Database plugin. Moodle, library, e-mail, and intranet all use ldap to import accounts. Students sign into e-mail, library, our intranet site, or our Moodle site, and that authentication ticket works across the other services as well. Click a link to a Moodle course in your e-mail, and when the page finally loads (after a couple of saml redirects) you are already logged in because of the e-mail authentication ticket.
However, there is one point of failure here. There is an option in the auth_saml plugin labeled "Syncronize users from module:". This option is currently set to "ldap". This is supposed to make it so the users pulled into Moodle via the ldap module are able to log in via saml. Unfortunately, this is not happening. I have to periodically run the following SQL directly on our DB:
UPDATE mdl_user SET auth='saml' WHERE auth='ldap';
How can I fix this so I don't have to run this script? I could set up a scheduled job on the server, but it seems like that would be fixing the symptom rather than the disease here. We're on Moodle 3.1, using Postgresql as the DB and CentOS 6.8 as the OS.
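The manual UPDATE above flips every ldap account to saml with no record of which accounts drifted or why. The following script, added here as an illustration and not part of the original post or of Moodle's own code, wraps that same stop-gap in a dry-run report so the admin can see which active accounts are still on the ldap plugin before touching anything, and skips accounts Moodle has marked deleted. It uses an in-memory SQLite table built with constructed sample rows standing in for mdl_user; against the real Postgres database the same functions would be handed a psycopg2 connection instead (the SQL uses no parameters, so it runs unchanged on both). The column names `auth`, `username` and `deleted` are the ones Moodle's mdl_user table uses; the sample usernames are invented.

```python
import sqlite3  # stand-in for the psycopg2 connection you would use against Postgres


def build_sample_db():
    """Constructed sample data: a miniature mdl_user with a mix of auth plugins."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, username TEXT, "
        "auth TEXT, deleted INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO mdl_user (username, auth, deleted) VALUES (?, ?, ?)",
        [
            ("alice", "ldap", 0),   # drifted: should be saml
            ("bob", "saml", 0),     # already correct
            ("carol", "ldap", 1),   # deleted account: leave alone
            ("dave", "ldap", 0),    # drifted: should be saml
        ],
    )
    conn.commit()
    return conn


def find_ldap_accounts(conn):
    """Return [(id, username), ...] for non-deleted accounts still on the ldap plugin."""
    cur = conn.cursor()
    cur.execute(
        "SELECT id, username FROM mdl_user "
        "WHERE auth = 'ldap' AND deleted = 0 ORDER BY id"
    )
    return cur.fetchall()


def sync_ldap_to_saml(conn, apply=False):
    """Report accounts that would be moved from ldap to saml.

    With apply=False (the default) nothing is written; the caller gets the list of
    usernames that have drifted. With apply=True the same set is updated in one
    transaction and the list of usernames actually changed is returned.
    """
    rows = find_ldap_accounts(conn)
    usernames = [username for _id, username in rows]
    if apply and rows:
        cur = conn.cursor()
        cur.execute(
            "UPDATE mdl_user SET auth = 'saml' "
            "WHERE auth = 'ldap' AND deleted = 0"
        )
        conn.commit()
    return usernames


if __name__ == "__main__":
    db = build_sample_db()
    print("would change:", sync_ldap_to_saml(db))            # dry run
    print("changed:", sync_ldap_to_saml(db, apply=True))     # apply
    print("remaining:", find_ldap_accounts(db))              # should be empty
```

Run it once without `apply` from the scheduled task and log the output; if the list is non-empty on every run, that is evidence the plugin's "Syncronize users from module" setting is not doing what it claims, which is the information you would want to bring to the auth_saml maintainers.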