Authentication: SAML2 Single sign on

auth_saml2
Maintained by Catalyst IT, Brendan Heywood, Adam Riddell, Daniel Thee Roperto, Rossco Hellmans, kristian r
SAML done 100% in moodle, fast, simple, secure
994 sites
1k downloads
47 fans
Current versions available: 1

What is this?

This plugin handles authentication and user auto-creation, with mapping of SAML attributes to Moodle user fields.

Why is it better?

  • 100% configured in the Moodle GUI - no installation of a whole separate app, and no touching of config files or generating certificates.
  • Minimal configuration needed, in most cases just copy the IdP metadata in and then give the SP metadata to your IdP admin and that's it.
  • Fast! - 3 redirects instead of 7
  • Supports back channel Single Logout, which most big organisations require (unlike OneLogin)

How does it work?

It completely embeds a SimpleSamlPHP instance as an internal dependency, which is dynamically configured the way it should be and inherits almost all of its configuration from the Moodle configuration. In the future we should be able to swap to a different internal SAML implementation without the plugin GUI needing to change at all.

Features

  • Dual login vs. forced login for all, as an option: with ?saml=off on the login page for manual accounts, and ?saml=on supported everywhere to deep link and force login via SAML when dual auth is on.
  • SAML attributes to Moodle user field mapping
  • Automatic certificate creation
  • Optionally auto create users

Features not yet implemented:

  • Enrolment - this should be an enrol plugin and not in an auth plugin
  • Role mapping - not yet implemented

Installation

1) Install the plugin the same as any standard moodle plugin either via the Moodle plugin directory, or you can use git to clone it into your source:

git clone git@github.com:CatalystIT-AU/moodle-auth_saml2.git auth/saml2

2) Then run the Moodle upgrade.

3) If your IdP has a publicly available XML descriptor, copy its URL into the SAML2 auth config settings page.

4) If your IdP requires whitelisting each SP, the settings page has links to download the SP metadata XML, or you can give that URL to your IdP administrator.

For most simple setups this is enough to get authentication working. There are many more settings that define how new accounts are handled and how dual authentication works, and that make it easy to debug the plugin if things are not working.
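Before pasting IdP metadata into the plugin settings (step 3 above) it is worth checking what the IdP actually publishes, because a missing signing certificate, a plain-HTTP endpoint, or the absence of a SOAP SingleLogoutService will only show up later as a failed login or a logout that does not propagate. The script below is an added example and is not part of the auth_saml2 plugin: it parses an IdP EntityDescriptor with the Python standard library and reports the entityID, signing certificates, SSO and SLO endpoints, whether back-channel (SOAP) logout is advertised, and flags anything that is not HTTPS. The metadata in SAMPLE_METADATA is constructed for the example and its certificate body is a placeholder.

```python
"""Inspect SAML 2.0 IdP metadata before pasting it into the auth_saml2 settings.

Added example, not part of the plugin. Standard library only; metadata from a
source you do not fully trust should be parsed with defusedxml instead.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a hypothetical IdP, with a placeholder certificate body.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICplaceholderA</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org/idp/profile/SAML2/SOAP/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _short_binding(urn):
    """'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' -> 'HTTP-POST'."""
    return urn.rsplit(":", 1)[-1]


def _endpoints(idp, tag):
    return [(_short_binding(e.get("Binding", "")), e.get("Location", ""))
            for e in idp.findall("md:" + tag, NS)]


def inspect_idp_metadata(xml_text):
    """Return a dict describing the IdP plus a list of warnings an SP admin should read."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is %s, not md:EntityDescriptor" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP metadata?)")

    warnings = []
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                signing_certs.append("".join((cert.text or "").split()))
    if not signing_certs:
        warnings.append("no signing certificate published: responses cannot be verified")
    for b64 in signing_certs:
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            warnings.append("signing certificate is not valid base64 (PEM headers pasted in?)")
            continue
        if not der.startswith(b"\x30"):  # a DER certificate starts with a SEQUENCE tag
            warnings.append("signing certificate does not look like DER")

    sso = _endpoints(idp, "SingleSignOnService")
    slo = _endpoints(idp, "SingleLogoutService")
    if not sso:
        warnings.append("no SingleSignOnService endpoint")
    backchannel = any(binding == "SOAP" for binding, _ in slo)
    if not backchannel:
        warnings.append("no SOAP SingleLogoutService: back-channel Single Logout cannot be used")
    for kind, endpoints in (("SSO", sso), ("SLO", slo)):
        for binding, location in endpoints:
            if not location.startswith("https://"):
                warnings.append("%s %s endpoint is not HTTPS: %s" % (kind, binding, location))

    return {
        "entity_id": root.get("entityID"),
        "signing_certs": len(signing_certs),
        "sso": sso,
        "slo": slo,
        "backchannel_slo": backchannel,
        "warnings": warnings,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    report = inspect_idp_metadata(text)
    print("entityID:", report["entity_id"])
    for warning in report["warnings"]:
        print("WARNING:", warning)
```

Run it with the path to a downloaded metadata file, or with no argument to see the report for the constructed sample, which deliberately advertises one plain-HTTP SSO endpoint so that a warning is produced. The SOAP check matters for this plugin in particular, since back-channel Single Logout is one of the features the page highlights: if the IdP does not publish a SOAP SingleLogoutService, sessions will not be terminated from the IdP side no matter how the plugin is configured.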

If you have issues please log them in github here:

https://github.com/CatalystIT-AU/moodle-auth_saml2/issues

Or if you want paid support please contact Catalyst IT Australia:

https://www.catalyst-au.net/contact-us

Testing

This plugin has been tested against:

  • SimpleSamlPHP set up as an IdP
  • openidp.feide.no
  • testshib.org
  • An AAF instance of Shibboleth

Other SAML plugins

The diversity and variable quality and feature set of SAML Moodle plugins reflect both a great need for a solid SAML plugin and the neglect to do it properly in core. SAML2 is by far the most robust and widely supported protocol across the internet and should be fully integrated into Moodle core as both a Service Provider and an Identity Provider, without any external dependencies to manage.

Here is a quick run down of the alternatives:

Core:

  • /auth/shibboleth - This requires a separately installed and configured Shibboleth install

One big issue with this, and with the category below, is that there is a whole extra application between Moodle and the IdP, so the login and logout processes have more latency due to the extra redirects. Latency on potentially slow mobile networks is by far the biggest bottleneck for login speed and the biggest complaint from end users in our experience.

Plugins that require SimpleSamlPHP

These are all forks of each other, and unfortunately have diverged quite early or have no common git history making it difficult to cross port features or fixes between them.

Plugins which embed a SAML client lib:

These are generally much easier to manage and configure as they are standalone.

  • https://moodle.org/plugins/view/auth_onelogin_saml - This one uses its own embedded SAML library, which is great and promising; however it doesn't support 'back channel logout', which is critical for security in any large organisation.

  • This plugin, with an embedded and dynamically configured SimpleSamlPHP instance under the hood

Warm thanks

Thanks to the various authors and contributors to the other plugins above.

Thanks to La Trobe University in Melbourne for sponsoring the initial creation of this plugin:

http://www.latrobe.edu.au


Thanks to Centre de gestion informatique de l’éducation in Luxembourg for sponsoring the user autocreation and field mapping work:

http://www.cgie.lu


This plugin was developed by Catalyst IT Australia:

https://www.catalyst-au.net/




Contributors

Catalyst IT (Lead maintainer)
Adam Riddell: Developer
Daniel Thee Roperto: Developer
Rossco Hellmans: Developer
kristian r: Developer

Comments

  • Christian Poirier
    Wed, Apr 17, 2019, 2:23 AM
    Hi there

    is there any person who has configured the plugin to use a SAML IdP discovery service (more than one IdP can use the service)?
  • Dmitry Pupinin
    Thu, Apr 18, 2019, 5:47 PM
    Hi! Is there a way to reject login (and auto create user) for users who do not have some groups at the IdP?
  • Aaron Johnson
    Thu, Apr 25, 2019, 10:28 PM
    Hello,

    I'm trying to install this plugin and it is not working. After uploading the zip file, it goes to the next page, but all I get is this:

    Install plugin from ZIP file
    Validating auth_saml2 ...

    and then it gets stuck. If I go to my plugin manager, it is not in the list. I also tried copying the unzipped folder directly into the auth folder on my server, but then the Site Admin page was just blank.

    Any ideas?

    Thanks,
    Aaron
  • Susan Mangan
    Tue, May 7, 2019, 5:51 AM
    Hello - we just implemented sso with this plug-in (moodle version 3.5.5) and I have a question regarding the logout function. It is not working for our external users (who have not logged into any other systems). I just wanted to clarify how this should be set up in the plug-in settings. There is a URL for alternate logout - it's not clear to me whether or not this should be populated or not? Does the plug-in attempt a log-out regardless of whether or not this field is updated with a path? Just trying to troubleshoot why logout is not working and starting with simple configuration. Thanks in advance!!!!
  • Jeff Jones
    Thu, May 9, 2019, 5:31 AM
    Will this version work with 3.6?
  • jeff Hall
    Tue, Jun 18, 2019, 11:59 AM
    I am planning to use this plugin to integrate with centrify. Has anyone done this yet and have any pointers or things to look out for?
  • José Carlos Bermejo
    Mon, Aug 19, 2019, 4:47 PM
    Good morning,

    Does anyone know the date of the next update of this plugin? I am also having problems between the current version of the SAML2 plugin and my Moodle version (3.7).

    Any comment will be appreciated.

    Thank you.
  • Thomas Vogler
    Thu, Aug 29, 2019, 6:59 PM
    Hi all,

    I am a novice to SAML2 and I have to configure SAML2 authentication for our Totara/Moodle site. I installed the SAML2 plugin and got everything working so far. But my SAML2 system administrator wants me to change the entityID in the field

    to a given value, so that I conform to their naming policies.

    We both found no field where the entityID can be set. Is there an easy way to do this?

    TIA!
  • Thomas Vogler
    Thu, Aug 29, 2019, 8:09 PM
    The XML fragment was deleted in my above question. I am talking about the outermost md colon EntityDescriptor element containing an entityID attribute having a URL as value. I need to replace this URL value with something different...
  • Praj Basnet
    Fri, Aug 30, 2019, 4:37 AM
    Have a look in auth/saml2/config/authsources.php, you can customise the entityId here if required.
    It might be worth requesting this as a setting in the plugin as I've certainly had to make such a change before.

    Also the best place for anything to do with the plugin is the issues section on the Github site: https://github.com/catalyst/moodle-auth_saml2/issues

    Good luck!
  • Anthony Walters
    Mon, Sep 2, 2019, 10:10 PM
    In case anyone else is having session timeout problems using this plugin. This is what was causing it for us.

    ## The problem
    Using this plugin, user sessions were timing out after about a minute no matter what we configured in moodle or the plugin regarding session timeouts.

    It turns out that the moodle "session_cleanup_task" was removing the session cookie from the server. The client then has to get a new session cookie from the server. And so with the new session, anything in the previous session was lost.
    You can verify this by examining the client cookie against the server cookies in /var/moodledata/sessions.

    ## Why this was happening
    We were in the process of migrating from ldap authentication to SAML and are using this plugin. We didn't want new moodle accounts being created for existing (ldap) users and told the plugin to use the existing LDAP moodle type accounts if they existed. So you end up with existing users keeping their "LDAP created accounts" and new users getting a "SAML created account". This would not have been a problem, but when we disabled the LDAP authentication source the moodle cron "session_cleanup_task" started to remove session cookies for the LDAP type accounts every time it ran, ignoring any session length settings that were set.

    ## To reproduce
    1) watch the server session directory:
    /var/moodledata/sessions# watch ls -al
    2) run the session cleanup scheduled task manually
    /var/www/yourmoodledir/moodle# php admin/tool/task/cli/schedule_task.php --execute=\\core\\task\\session_cleanup_task

    3) In Home->Site administration->Plugins->Authentication->Manage authentication
    ENABLE SAML2 authentication
    DISABLE LDAP Server authentication

    4) log into the moodle web gui via SAML

    5) Inspect the cookie "MoodleSession[yourmoodle]" in your browser. You should find a corresponding one on the server in /var/moodledata/sessions

    6) run the session cleanup task again from step 2
    You will see that the cookie gets removed from the server, prompting the client's browser to get a new cookie.

    ## Solution

    7) ENABLE LDAP Server authentication (SAML2 and LDAP are both enabled now)

    8) do steps 4 to 6 again, but this time the cookie does not get removed from the server.

    ## Comments
    - When a user logs in via SAML, if an "ldap type" user account already exists in moodle, it uses that. We have the plugin configured to do this on purpose.
    - I presume that with LDAP disabled, the cookie associated with the "ldap type" account is removed by the scheduled task.
    - The two solutions that spring to mind are:
      - keep the LDAP auth type enabled (this is the one I tested, and it works)
      - change all the "LDAP type" user accounts to "SAML type" with an SQL query and then disable LDAP authentication (I have not tested this one yet)
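The post above leaves the second option (switching the remaining "ldap" accounts to "saml2") untested. Before taking either route it helps to know exactly which accounts are affected and to review the change before it touches the database. The following is an added example in Python, not code from the plugin or from the poster: it models the behaviour described in the post (accounts whose auth plugin is disabled lose their sessions on every cleanup run), lists those accounts from a set of constructed user rows, and prepares parameterised UPDATE statements for the migration as a dry run. The table name assumes Moodle's default prefix (mdl_user), and 'manual' and 'nologin' are assumed to be always enabled, as Moodle core treats them.

```python
"""Dry-run audit before disabling an auth plugin such as LDAP on a Moodle site.

Added example, not from the auth_saml2 plugin nor from the post it follows. It
models the behaviour described there: once an auth plugin is disabled, sessions
of accounts that still carry that auth type are killed by the cleanup task.
Assumptions: default table prefix (mdl_user); 'manual' and 'nologin' are
treated as always enabled, as Moodle core does.
"""

# Constructed sample rows from mdl_user (id, username, auth, deleted) - not real data.
USERS = [
    {"id": 2, "username": "admin", "auth": "manual", "deleted": 0},
    {"id": 5, "username": "alice", "auth": "ldap", "deleted": 0},
    {"id": 6, "username": "bob", "auth": "ldap", "deleted": 0},
    {"id": 7, "username": "carol", "auth": "saml2", "deleted": 0},
    {"id": 8, "username": "dave", "auth": "ldap", "deleted": 1},
]

ALWAYS_ENABLED = {"manual", "nologin"}  # assumption: core auths that cannot be disabled


def affected_users(users, enabled_auths):
    """Live accounts whose auth plugin is not among those that will remain enabled.

    These are the accounts whose sessions the cleanup task would keep killing,
    and who could not log in at all unless SAML matches them to the account."""
    enabled = set(enabled_auths) | ALWAYS_ENABLED
    return [u for u in users if not u["deleted"] and u["auth"] not in enabled]


def plan_migration(users, from_auth, to_auth, batch=500):
    """Parameterised UPDATE statements moving live accounts from one auth type to another.

    Returns (sql, params) pairs using '?' placeholders so ids are never
    interpolated into the SQL text; batching keeps each IN list manageable."""
    ids = sorted(u["id"] for u in users if not u["deleted"] and u["auth"] == from_auth)
    plan = []
    for start in range(0, len(ids), batch):
        chunk = ids[start:start + batch]
        sql = ("UPDATE mdl_user SET auth = ? WHERE auth = ? AND id IN (%s)"
               % ", ".join("?" * len(chunk)))
        plan.append((sql, [to_auth, from_auth] + chunk))
    return plan


if __name__ == "__main__":
    # Which accounts break if only saml2 stays enabled?
    for u in affected_users(USERS, ["saml2"]):
        print("affected:", u["username"], "(auth=%s)" % u["auth"])
    # What would the migration run? (print only; execute after review and a backup)
    for sql, params in plan_migration(USERS, "ldap", "saml2"):
        print(sql, params)
```

Run the audit first with the set of plugins you intend to keep: an empty result means disabling LDAP is safe for existing sessions, a non-empty one is the list the post's symptom will hit. The generated statements are meant to be pasted into a reviewed maintenance script with a database backup taken beforehand, since an account moved to saml2 can no longer authenticate with its LDAP password.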
  • Mariann Abosné Lazányi
    Fri, Sep 6, 2019, 8:53 PM
    Hi, we would like to translate this plugin to fully appear in Hungarian, but can't seem to be able to translate the "Login via SAML2" text on the button that appears on the login page of Moodle. It is not in the language file. Does anybody know where to change what to have this button appear in the right language?
  • kristian r
    Sat, Sep 7, 2019, 4:42 AM
    @mariann Go to Site administration > Plugins > Authentication > SAML2, and change the IdP label override setting. It's a config value that's stored in the database rather than a language string.
  • Cihat Okan ARIKAN
    Thu, Sep 19, 2019, 12:59 PM
    This is a great plugin for our system and working well on desktop computers.
    There's a problem with the Moodle Mobile application that occurred while using SAML2 authentication.
    In the SAML2 settings, it is enabled for dual login and e-mail logins are allowed.
    The desktop system is working properly, but the mobile application could not be logged in.
    Moodle 3.7.2 and SAML2 plugin version 2018071100.
    Is there any way to fix the mobile application login problem via SAML2?
    (Btw, if SAML2 is disabled, normal login is working on the mobile app.)
  • Cihat Okan ARIKAN
    Thu, Sep 19, 2019, 1:06 PM
    Many thanks to danmarsden. It was solved by this reply on GitHub:

    Do you have 'typeoflogin' in your moodle settings set correctly?

    See: https://docs.moodle.org/en/Moodle_app_guide_for_admins#Mobile_authentication