Authentication: SAML2 Single sign on

auth_saml2
Maintained by Catalyst IT, Brendan Heywood, Adam Riddell
SAML done 100% in moodle, fast, simple, secure
399 sites
778 downloads
19 fans

What is this?

This plugin provides SAML2 authentication and optional user auto-creation, with SAML attribute to Moodle user field mapping.

Why is it better?

  • 100% configured in the Moodle GUI - no installation of a whole separate app, and no touching of config files or generating certificates.
  • Minimal configuration needed, in most cases just copy the IdP metadata in and then give the SP metadata to your IdP admin and that's it.
  • Fast! - 3 redirects instead of 7
  • Supports back channel Single Logout which most big organisations require (unlike OneLogin)

How does it work?

It completely embeds a SimpleSamlPHP instance as an internal dependency. That instance is dynamically configured the way it should be and inherits almost all of its configuration from the Moodle configuration. In the future we should be able to swap in a different internal SAML implementation without the plugin GUI needing to change at all.

Features

  • Dual login vs. forced login for all, as an option. With dual login on, ?saml=off on the login page shows the manual login for manual accounts, and ?saml=on is supported everywhere to deep link and force login via SAML.
  • SAML attributes to Moodle user field mapping
  • Automatic certificate creation
  • Optionally auto create users

Features not yet implemented:

  • Enrolment - this should be an enrol plugin and not in an auth plugin
  • Role mapping - not yet implemented

Installation

1) Install the plugin the same as any standard Moodle plugin, either via the Moodle plugin directory or by using git to clone it into your source tree:

   git clone git@github.com:CatalystIT-AU/moodle-auth_saml2.git auth/saml2

2) Then run the Moodle upgrade.

3) If your IdP has a publicly available XML descriptor, copy its URL into the SAML2 auth config settings page.

4) If your IdP requires whitelisting each SP, the settings page has links to download the SP XML metadata, or you can provide that URL to your IdP administrator.

For most simple setups this is enough to get authentication working. There are many more settings that define how new accounts are handled and how dual authentication behaves, and settings that make it easy to debug the plugin if things are not working.

If you have issues please log them in github here:

https://github.com/CatalystIT-AU/moodle-auth_saml2/issues

Or if you want paid support please contact Catalyst IT Australia:

https://www.catalyst-au.net/contact-us

Testing

This plugin has been tested against:

  • SimpleSamlPHP set up as an IdP
  • openidp.feide.no
  • testshib.org
  • An AAF instance of Shibboleth

Other SAML plugins

The diversity and variable quality and features of SAML Moodle plugins reflect both a great need for a solid SAML plugin and the neglect to do it properly in core. SAML2 is by far the most robust and widely supported protocol across the internet and should be fully integrated into Moodle core as both a Service Provider and an Identity Provider, without any external dependencies to manage.

Here is a quick run down of the alternatives:

Core:

  • /auth/shibboleth - This requires a separately installed and configured Shibboleth install

One big issue with this, and with the category below, is that there is a whole extra application between Moodle and the IdP, so the login and logout processes have more latency due to the extra redirects. Latency on potentially slow mobile networks is by far the biggest bottleneck for login speed and the biggest complaint by end users in our experience.

Plugins that require SimpleSamlPHP

These are all forks of each other, and unfortunately have diverged quite early or have no common git history making it difficult to cross port features or fixes between them.

Plugins which embed a SAML client lib:

These are generally much easier to manage and configure as they are standalone.

  • https://moodle.org/plugins/view/auth_onelogin_saml - This one uses its own embedded SAML library, which is great and promising; however it doesn't support 'back channel logout', which is critical for security in any large organisation.

  • This plugin, with an embedded and dynamically configured SimpleSamlPHP instance under the hood

Warm thanks

Thanks to the various authors and contributors to the other plugins above.

Thanks to LaTrobe university in Melbourne for sponsoring the initial creation of this plugin:

http://www.latrobe.edu.au


Thanks to Centre de gestion informatique de l’éducation in Luxembourg for sponsoring the user autocreation and field mapping work:

http://www.cgie.lu


This plugin was developed by Catalyst IT Australia:

https://www.catalyst-au.net/



Contributors

Catalyst IT (Lead maintainer)
Adam Riddell: Developer

Comments

  • Phil Hudson
    Fri, 31 Mar 2017, 6:21 PM
    Hi Brendan, quick question, can the plugin support multiple identity providers?
  • Brendan Heywood
    Mon, 3 Apr 2017, 8:27 AM
    hi Phil,

    Currently no. A few people have expressed interest in sponsoring that improvement but none have followed through. If you are interested in supporting this please email me brendan@catalyst-au.net, see also

    https://github.com/catalyst/moodle-auth_saml2/issues/5
  • W Roes
    Tue, 25 Apr 2017, 11:14 PM
    Hi Brendan,

    Nice work, thanks! Have you given some thought to how to handle rotating certificates on the IdP side (ADFS) and auto-refreshing the metadata? In those cases where a URL to the IdP's metadata is available it should be possible to regenerate the metadata periodically easily, in a task for instance. Would that be an approach you'd consider?
    Or would you rather use simplesamlphp's approach https://simplesamlphp.org/docs/1.5/simplesamlphp-automated_metadata ?

    Thanks,
    Willem

  • Brendan Heywood
    Wed, 26 Apr 2017, 7:32 AM
    hi Willem,

    Yes and this is logged here: https://github.com/catalyst/moodle-auth_saml2/issues/25

    The correct approach is to do it as a Moodle task because there are things Moodle needs to be aware of at each refresh.

    Note that there is a pull request which is almost ready for merging here: https://github.com/catalyst/moodle-auth_saml2/pull/96

    If you are feeling adventurous you can pull that in locally and give it a whirl, but it's not quite ready yet and Sam ran out of funding. Sooner or later someone will sponsor this, if you'd like to sponsor the last bit of polish please email me brendan@catalyst-au.net
  • W Roes
    Wed, 26 Apr 2017, 2:18 PM
    Hi Brendan,

    This does look pretty good to me! It does seem the right approach in those cases where metadata URLs are used. From https://github.com/catalyst/moodle-auth_saml2/pull/96 it is not clear to me what is still missing though?

    Willem
  • Brendan Heywood
    Thu, 27 Apr 2017, 7:51 AM
    The code I think is mostly functional, it's just any remaining tidy up and my time to review and test it.
  • W Roes
    Thu, 27 Apr 2017, 4:10 PM
    Hi Brendan,

    Ok, thanks. I will test as well.

    Willem
  • W Roes
    Mon, 8 May 2017, 4:09 PM
    Hi Brendan,

    I noticed that a suspended user (in Moodle) will still be logged-in in Moodle if it's a SAML2 user. Maybe you're assuming that in those cases the user should be suspended in the AD? What are your thoughts about this?

    Willem
  • Brendan Heywood
    Mon, 15 May 2017, 7:45 AM
    hi Willem,

    This was logged here and was resolved very recently. If you are suspended then you should login and then get a 'you are suspended' message. If you are deleted then this should behave the same as if you didn't exist and it should depend on whether the account auto creation is on or not.

    I've just tagged and pushed a new release which has this fix:

    https://github.com/catalyst/moodle-auth_saml2/issues/101
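As an added illustration that is not the plugin's own code, the following simplified PHP model ties together the dual-login switch from the Features list (?saml=on / ?saml=off), the attribute-to-field mapping with optional auto-creation, and the suspended-account behaviour discussed in the reply above (a suspended account must be rejected with a message rather than logged in). The function names, the shape of $config and the sample attributes are assumptions, not the plugin's API.

```php
<?php
// Added example, not the plugin's own code: a simplified model of the dual-login
// decision and the post-assertion account checks. Names and $config shape are assumed.

// Decide what the login page should do for a request.
// $config['duallogin']: true  => manual and SAML login are both offered
//                       false => every login is forced through SAML
// $params: the request's query parameters, e.g. ['saml' => 'off']
function saml_login_decision(array $config, array $params): string {
    $saml = $params['saml'] ?? null;
    if ($saml === 'on') {
        return 'redirect_to_idp';     // ?saml=on forces SAML everywhere
    }
    if ($saml === 'off' && $config['duallogin']) {
        return 'show_manual_login';   // ?saml=off is only honoured in dual mode
    }
    return $config['duallogin'] ? 'show_dual_login' : 'redirect_to_idp';
}

// Map assertion attributes onto Moodle user fields via a config map of
// moodlefield => samlattribute, then apply the account checks: a suspended
// account is rejected with a reason (never silently logged in), and an
// unknown account is created only when auto-creation is enabled.
function saml_process_assertion(array $config, array $attributes, ?array $existing): array {
    $fields = [];
    foreach ($config['fieldmap'] as $moodlefield => $samlattr) {
        if (isset($attributes[$samlattr][0])) {
            $fields[$moodlefield] = $attributes[$samlattr][0]; // first value only
        }
    }
    if ($existing === null) {
        return $config['autocreate']
            ? ['action' => 'create', 'fields' => $fields]
            : ['action' => 'reject', 'reason' => 'nouser'];
    }
    if (!empty($existing['suspended'])) {
        return ['action' => 'reject', 'reason' => 'suspended'];
    }
    return ['action' => 'login', 'fields' => $fields];
}

// Constructed sample: attributes in the multi-valued form SimpleSamlPHP returns.
$config = ['duallogin' => true, 'autocreate' => true,
           'fieldmap' => ['username' => 'uid', 'email' => 'mail', 'firstname' => 'givenName']];
$attrs = ['uid' => ['jsmith'], 'mail' => ['jsmith@example.edu'], 'givenName' => ['Jane']];
var_dump(saml_login_decision($config, ['saml' => 'off']));
var_dump(saml_process_assertion($config, $attrs, ['suspended' => 1]));
var_dump(saml_process_assertion($config, $attrs, null));
```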
  • Jérémy De Pauw
    Mon, 15 May 2017, 7:01 PM
    Hello,

    Will a version for Moodle 3.3 be available soon?

    thank you in advance

  • A Guy
    Thu, 18 May 2017, 12:51 AM
    Why are you allowing suspended Moodle accounts access with this plugin? I have a situation where there is a front end application (happens to be Drupal) that is SSO'd with Moodle with this plugin. If the front end application disables the account the user cannot log in. If the front end application has the account enabled but the account is disabled in Moodle the user is still allowed in and to enroll in the course and take the course, etc. That shouldn't be. Otherwise you are turning over control to the other application, removing it from Moodle. There should be a message thrown. To me this is pretty serious.
  • Brendan Heywood
    Thu, 18 May 2017, 7:28 AM
    @Jérémy: We are working on 3.3 support right now

    @A Guy: In most setups a suspension is handled higher up at the saml idp level so it wasn't a requirement in this plugin when it was first built. That said this bug with suspended accounts was fixed very recently, please upgrade to the latest version:

    https://github.com/catalyst/moodle-auth_saml2/issues/101
  • Jérémy De Pauw
    Thu, 8 Jun 2017, 4:33 AM
    Hi Brendan,

    Do you have an approximate release date of the compatible version 3.3? I only miss this module to achieve the update to 3.3

    thank you in advance
  • Brendan Heywood
    Thu, 8 Jun 2017, 7:39 AM
    hi Jérémy,

    We actually have a stable branch for 3.3 but we just haven't yet updated the plugin directory metadata. We will get to that shortly but in the meantime the branch is here:

    https://github.com/catalyst/moodle-auth_saml2/tree/MOODLE_33PLUS
  • Daemon Hunt
    Tue, 20 Jun 2017, 6:49 AM
    Hi There

    I have left a question on the GitHub site and am waiting for a response. Is there something we are missing?

    https://github.com/catalyst/moodle-auth_saml2/issues/114