Configuring a service provider and identity for Moodle

by Sean Scott -
Number of replies: 10

Hi,

I am in the process of trying to configure Moodle to use SimpleSAML as an identity provider and service provider. I have successfully configured SimpleSAML and the required metadata. When testing the default-sp from the authentication tab within the SimpleSAML URL, the test is successful. However, I'm looking to now configure Moodle itself to begin using the default service provider so that when users go to the default Moodle login page they are authenticated with the default-sp I set up.


I'm not sure what the next step is. If anyone can shed some light on the process or what I may have forgotten, that would be appreciated.


If you need additional information please let me know what you may need and I'll try and send it over.


Thank you,

In reply to Sean Scott

Re: Configuring a service provider and identity for Moodle

by Ken Task -

There is more than one SAML plugin (an add-on) one could install. Which is the one you installed?

Did you read its readme/docs?

Happened to be working with an entity that is now exploring the use of saml2 for SSO (single sign on) and authentication.

The plugin installed does have a 'test' button and it goes to a 'test system' that checks if the Moodle can communicate with the test system ... that's all. It won't actually create new users and populate data in a user profile because it's not really a service ... just a test.

In order to run saml2, one has to be in control of or co-ordinate with persons who run the IDM server/service.

Got one of those?

Also ... is this question about the same server (production/inuse) and mass/bulk archiving/removal of courses?

What authentications are you currently using? on production server ... on sandbox server used for testing?

'spirit of sharing', Ken


In reply to Ken Task

Re: Configuring a service provider and identity for Moodle

by Sean Scott -

Hi,

I attached the authentication plug-ins we have configured in a screenshot.

I also downloaded the SimpleSAML plug-in and within the SAML configuration settings pointed the SAML plug-in to the SimpleSAML library.

Most of the configuration I have done, such as the service and identity provider, was done within the SimpleSAML config files.

This is the same environment I was working with when configuring the script to back up courses in bulk.


I am in contact with the identity provider, they have provided the needed information for configuring the simplesaml. I'm just not sure what's the next step and how to tie that in with Moodle.


Thank you,



Attachment plugins.png
Attachment Saml Configs.png
In reply to Sean Scott

Re: Configuring a service provider and identity for Moodle

by Ken Task -

There are multiple saml2 plugins available from Moodle:

https://moodle.org/plugins/index.php?q=saml

Guessing this one is what you installed:

https://moodle.org/plugins/auth_saml

Docs:

https://simplesamlphp.org/docs/stable/simplesamlphp-sp

At the bottom of the above link:

7 Support

If you need help to make this work, or want to discuss SimpleSAMLphp with other users of the software, you are fortunate: Around SimpleSAMLphp there is a great Open source community, and you are welcome to join! The forums are open for you to ask questions, contribute answers other further questions, request improvements or contribute with code or plugins of your own.

https://simplesamlphp.org/support

Not that you have chosen the wrong one ... the entity with which I am working isn't using the same plugin. So I won't be of much use to you.

Anyone else?

'spirit of sharing', Ken

In reply to Ken Task

Re: Configuring a service provider and identity for Moodle

by Sean Scott -

Hi Ken,

Actually, looking at the configs again I think I pretty much have it 99% configured. Maybe after explaining what I'm seeing more recently you may be able to help.

I noticed that Moodle is actually using (or trying to use) the simplesaml to authenticate however when clicking login via SAML in Moodle I receive the following error:

IdP returned a set of data that does not contain the SAML username mapping field (eduPersonPrincipalName). This field is required to login


It seems as if the eduPersonPrincipalName is not being sent by the ADFS IdP we are using. Is there something I need to add to the authsources file that tells the IdP what username mapping to use? Or do I have to map it correctly on the ADFS side?

I have attached 2 screenshots of 1. the attributes being returned from the SimpleSAML config page as well as 2. what I configured in Moodle. I'm hoping you or someone may recognize where I went wrong.


Thank you,

See attached screenshots.



Attachment SAML.png
Attachment saml2.png
In reply to Sean Scott

Re: Configuring a service provider and identity for Moodle

by Leon Stringer -

On your Moodle site you should be able to change SAML username mapping to one of the long URL-like fields from your screenshot, e.g. if you want the email address to be the username use http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.

There may be a way to translate these AD FS attributes to less unwieldy names but I never found out how.
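One way to give the AD FS claim URIs friendlier names on the SimpleSAMLphp side, added here as an illustration and not taken from the thread or from either project's documentation: a custom attribute map applied as a core:AttributeMap authproc filter on the default-sp authsource. The map file name adfs2name, the IdP entity ID and the claim types other than emailaddress are assumptions; check them against the attribute list your IdP actually returns.

```php
<?php
// File 1 of 2: attributemap/adfs2name.php  (custom map; the file name is an assumption)
// Renames the long AD FS claim URIs to the short names Moodle and other
// SimpleSAMLphp filters expect. Only claims listed here are renamed.
$attributemap = [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => 'mail',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'    => 'givenName',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'      => 'sn',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'          => 'eduPersonPrincipalName',
];

// File 2 of 2: config/authsources.php (excerpt)
$config = [
    'default-sp' => [
        'saml:SP',
        // Entity ID of the AD FS IdP as it appears in metadata/saml20-idp-remote.php
        // (placeholder value; use your own federation service identifier).
        'idp' => 'http://adfs.example.edu/adfs/services/trust',
        'authproc' => [
            // Apply the custom map from attributemap/adfs2name.php.
            // Without the '%duplicate' option the URI-named originals are dropped,
            // so the application only ever sees the short names.
            50 => [
                'class' => 'core:AttributeMap',
                'adfs2name',
            ],
            // Pass on only the attributes Moodle needs; everything else the IdP
            // sends is discarded before it reaches the application.
            60 => [
                'class' => 'core:AttributeLimit',
                'mail', 'givenName', 'sn', 'eduPersonPrincipalName',
            ],
        ],
    ],
];
```

After the map is in place, the SimpleSAMLphp authentication-source test page shows the short names, and Moodle's SAML username mapping can be set to mail (or left at eduPersonPrincipalName when the UPN claim is mapped as above).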

In reply to Leon Stringer

Re: Configuring a service provider and identity for Moodle

by Sean Scott -

Hi,

Within the Moodle GUI under the SAML username mapping field I replaced eduPersonPrincipalName with http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, since we are using email address.

Afterwards it seems as if it is now trying to authenticate. I no longer get the error message stated earlier. Now I get an error stating 'Error in authentication process of testuser1@domain.edu...'. So it does look as if it is trying to authenticate.

Does anyone know of any other logs I can try searching to narrow down the issue or know what the following error means. I searched the /var/logs/syslogs and I do see the following error:

' simplesamlphp [24378]: 4 [f3e2851f86] The class or interface SimpleSAML_Auth_Simple' is now using namespaces, please use 'SimpleSAML\Auth\Simple'

Thank you,
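A small diagnostic page, added here as an example that is not part of the thread, of auth_saml or of SimpleSAMLphp, that uses the namespaced SimpleSAML\Auth\Simple class the log line above asks for and reports whether the attribute Moodle's username mapping expects is present in the IdP response. The install path and the file name are assumptions; the page prints only attribute names, never values.

```php
<?php
// Hypothetical diagnostic page, e.g. saved as www/attrcheck.php inside the
// SimpleSAMLphp webroot; not part of Moodle, auth_saml or SimpleSAMLphp.
require_once('/var/simplesamlphp/lib/_autoload.php'); // assumed install path

use SimpleSAML\Auth\Simple;   // namespaced class; SimpleSAML_Auth_Simple is the deprecated alias
use SimpleSAML\Logger;

// Must match the "SAML username mapping" field set in Moodle's auth_saml settings.
const USERNAME_FIELD = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';

/**
 * Return the first value of the mapped username attribute, or null when the
 * IdP response does not carry it (the condition behind the error quoted above).
 */
function mapped_username(array $attributes, string $field): ?string
{
    if (!isset($attributes[$field][0]) || $attributes[$field][0] === '') {
        return null;
    }
    return (string) $attributes[$field][0];
}

$as = new Simple('default-sp');   // authsource name used in this thread
$as->requireAuth();               // sends the browser to the IdP if there is no session yet
$attributes = $as->getAttributes();

header('Content-Type: text/plain; charset=utf-8');
$names = implode(', ', array_keys($attributes));
$username = mapped_username($attributes, USERNAME_FIELD);
if ($username === null) {
    // Log and show only attribute names; the values may be personal data.
    Logger::warning("attrcheck: '" . USERNAME_FIELD . "' missing; IdP sent: $names");
    http_response_code(500);
    echo "Username attribute missing. Attribute names returned by the IdP:\n$names\n";
    exit;
}
echo "Moodle would map this login to username: $username\n";
echo "Attribute names returned by the IdP: $names\n";
```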

In reply to Sean Scott

Re: Configuring a service provider and identity for Moodle

by Alain Raap -

Hi Sean,

Maybe this is not relevant anymore, but if you enable debug in your SimpleSAMLphp configuration file (config/config.php), you'll get more info in your logging. The integration between Moodle and SAML2 (SSO) isn't easy to configure, as I experienced myself. Any good postings here in the forums about this subject?

In reply to Alain Raap

Re: Configuring a service provider and identity for Moodle

by Dave Perry -

If you use Shibboleth, the SP software is relatively straightforward to install. Then you tell Moodle (in the auth configuration) what parameters the SP software is sending to the web server.

Your web server will need to have the module to pass this data from the SP to web apps (so Moodle in this case) - there are instructions for this (if you state which web server you're running, I can post links).


HTH,
Dave

In reply to Dave Perry

Re: Configuring a service provider and identity for Moodle

by Alain Raap -

I'm trying a test with the SAML2 SSO plugin together with SimpleSAMLphp. My SimpleSAMLphp configuration is working now (with an LDAP authentication provider), but how can I integrate this with the Moodle login? I tested the SAML2 SSO authentication plugin after configuring the parameters and this works.
I use one test user with auth = 'saml2sso'; in my debug logging I see the login succeeds, but I'm not forwarded to the Moodle home page. It's quite a puzzle to get this working!

In reply to Alain Raap

Re: Configuring a service provider and identity for Moodle

by Alain Raap -

For whoever is interested, I got this test case working (SimpleSAMLphp with the Auth SAML2 SSO plugin together with LDAP login). The problem was to integrate Redis (the predis client must be installed inside the SimpleSAMLphp framework). That was a challenge to get working, because I couldn't install predis via composer.phar (no internet connection available). I downloaded a version of the Redis module for SimpleSAMLphp and the Predis client (as zip files). I uploaded them to a new directory artifact in the root folder of SimpleSAMLphp (I had to add a version attribute in the composer.json of the zip files) and ran "php composer.phar update" in the root folder of SimpleSAMLphp. If composer.phar is not on your system you can download it at https://github.com/composer

SimpleSAML module Redis:

https://github.com/ColourboxDevelopment/simplesamlphp-module-redis

Predis-client:

https://github.com/nrk/predis

Here's an article to install new modules without internet:

https://stackoverflow.com/questions/26378840/composer-how-to-add-a-dependency-without-network-connection