Authentication: SAML2 Single sign on

auth_saml2
Maintained by Catalyst IT, Brendan Heywood, Adam Riddell
SAML done 100% in moodle, fast, simple, secure
457 sites
494 downloads
20 fans

What is this?

This plugin does authentication, user auto creation with field mapping.

Why is it better?

  • 100% configured in the Moodle GUI - no installation of a whole separate app, and no touching of config files or generating certificates.
  • Minimal configuration needed, in most cases just copy the IdP metadata in and then give the SP metadata to your IdP admin and that's it.
  • Fast! - 3 redirects instead of 7
  • Supports back channel Single Logout which most big organisations require (unlike OneLogin)

How does it work?

It completely embeds a SimpleSamlPHP instance as an internal dependency, which is dynamically configured the way it should be and inherits almost all of its configuration from the Moodle configuration. In the future we should be able to swap to a different internal SAML implementation and the plugin GUI shouldn't need to change at all.

Features

  • Dual login vs forced login for all as an option, with ?saml=off on the login page for manual accounts, and ?saml=on supported everywhere to deep link and force login via SAML if dual auth is on.
  • SAML attributes to Moodle user field mapping
  • Automatic certificate creation
  • Optionally auto create users

Features not yet implemented:

  • Enrolment - this should be an enrol plugin and not in an auth plugin
  • Role mapping - not yet implemented

Installation

1) Install the plugin the same as any standard Moodle plugin, either via the Moodle plugin directory or by using git to clone it into your source:

git clone git@github.com:CatalystIT-AU/moodle-auth_saml2.git auth/saml2

2) Then run the Moodle upgrade.

3) If your IdP has a publicly available XML descriptor, copy this URL into the SAML2 auth config settings page.

4) If your IdP requires whitelisting each SP, the settings page has links to download the SP XML metadata, or you can give that URL to your IdP administrator.

For most simple setups this is enough to get authentication working. There are many more settings to define how new accounts are handled and how dual authentication works, and to make it easy to debug the plugin if things are not working.

If you have issues please log them in github here:

https://github.com/CatalystIT-AU/moodle-auth_saml2/issues

Or if you want paid support please contact Catalyst IT Australia:

https://www.catalyst-au.net/contact-us

Testing

This plugin has been tested against:

  • SimpleSamlPHP set up as an IdP
  • openidp.feide.no
  • testshib.org
  • An AAF instance of Shibboleth

Other SAML plugins

The diversity and variable quality and features of SAML Moodle plugins reflect a great need for a solid SAML plugin, and the neglect to do it properly in core. SAML2 is by far the most robust and widely supported protocol across the internet and should be fully integrated into Moodle core as both a Service Provider and an Identity Provider, without any external dependencies to manage.

Here is a quick run down of the alternatives:

Core:

  • /auth/shibboleth - This requires a separately installed and configured Shibboleth install

One big issue with this, and with the category below, is that there is a whole extra application between Moodle and the IdP, so the login and logout processes have more latency due to extra redirects. Latency on potentially slow mobile networks is by far the biggest bottleneck for login speed and the biggest complaint by end users in our experience.

Plugins that require SimpleSamlPHP

These are all forks of each other, and unfortunately have diverged quite early or have no common git history making it difficult to cross port features or fixes between them.

Plugins which embed a SAML client lib:

These are generally much easier to manage and configure as they are standalone.

  • https://moodle.org/plugins/view/auth_onelogin_saml - This one uses its own embedded SAML library, which is great and promising; however it doesn't support 'back channel logout', which is critical for security in any large organisation.

  • This plugin, with an embedded and dynamically configured SimpleSamlPHP instance under the hood

Warm thanks

Thanks to the various authors and contributors to the other plugins above.

Thanks to LaTrobe university in Melbourne for sponsoring the initial creation of this plugin:

http://www.latrobe.edu.au

LaTrobe

Thanks to Centre de gestion informatique de l’éducation in Luxembourg for sponsoring the user autocreation and field mapping work:

http://www.cgie.lu

CGIE

This plugin was developed by Catalyst IT Australia:

https://www.catalyst-au.net/

Catalyst IT



Contributors

Catalyst IT (Lead maintainer)
Adam Riddell: Developer

Comments
  • Anderson Hsu
    Sat, 12 Aug 2017, 9:30 PM
    Can we use the plugin for Single Sign On with Confluence? We use LDAP accounts to log in to Moodle and Confluence. We are trying to find a single sign on way for them. Thanks a lot.
  • Brendan Heywood
    Mon, 14 Aug 2017, 7:30 AM
    hi,

    If Confluence can be set up as a SAML IdP then yes, this plugin should work with it. From a very quick google it looks to me like the more typical (and possibly only) setup is where Confluence is acting as an SP and the IdP is, say, Google or your own identity server. In this setup Confluence and Moodle would both be peer SPs under that central IdP, so Moodle and Confluence would be inside the SAML SSO umbrella but technically would not be aware of each other at all.

  • Gabriel Quiles-Pérez
    Tue, 22 Aug 2017, 9:26 PM
    Hi,
    I am trying to configure Moodle as an SP using this plugin. My IdP is a Symfony project. The problem that I am having is that Symfony authenticates and then redirects to Moodle, but then Moodle redirects back to Symfony. Do you have any suggestion? What am I missing?
  • Brendan Heywood
    Wed, 23 Aug 2017, 8:23 AM
    hi Gabriel,

    This is pretty hard to debug / help with without a whole bunch more info. Can you dump some detailed info into an issue here:

    https://github.com/catalyst/moodle-auth_saml2/issues

    If you need urgent commercial support please contact us:

    https://www.catalyst-au.net/contact-us
  • Hertzel Kuriel
    Wed, 6 Sep 2017, 4:59 PM
    Hello there.
    We have been hosting some of our clients on our cloud and implementing SAML-based SSO for them.
    We have recently upgraded one of our clients to Totara 9.9 and implemented SAML2 (your plugin) to work with ADFS.

    We have found 2 critical bugs related to the SAML2 plugin.
    Bug #1 - after implementing and enabling SAML to work in Force or Non-Force mode, whenever you log in to Totara the user was getting to the wrong home page. The link in the browser seemed to be for the correct home page (default home page, e.g. site), but instead the user got a Dashboard page.

    Looking deeper into the log, we found that there was a bug in which the expected redirect to Auth/SAML2/Login.php went instead to a different page.

    In order to fix it, this is what one of our developers did; the fix is in this file. We made this modification in the saml_login() function:

    $auth = new SimpleSAML_Auth_Simple($this->spname);
    // LearningZone redirect fix
    $auth->requireAuth([
        'ReturnTo' => "https://{$_SERVER['SERVER_NAME']}:443/auth/saml2/login.php?wants=https%3A%2F%2F{$_SERVER['SERVER_NAME']}%2F"
    ]);
    // END LEARNINGZONE

    It forces the SSO to redirect the user back, not to the current location but to the /auth/saml2/login.php page. We do not completely understand why it is necessary, but this is how things behave when we click Login from the ADFS when Force is disabled.

    While this seems to do the work most of the time, we still experience cases in which some users are being redirected again to the wrong home page when they click Home while browsing in Totara. It looks like we are still missing something here.

    Bug #2 - NOTATE errors when users are entering the site either from a direct link (sent via an email and the user clicked on it) or when the user is cutting and pasting a link into their browser.
    This is not happening all the time, but a user may get the NOTATE error at least twice a day.

    Initially we thought that it might be due to a caching issue related to the client's proxy server within their network, e.g. using a link with an expired IdP key (actually it does recreate the problem); however, we are also getting the NOSTATE error message when trying to access the client's site outside the client network from our home or office network, where we do not use any proxy servers for navigating the Internet.

    These issues are quite critical as we are heavily dependent on the SAML2 plugin and we want to extend it to additional clients.
    Any help or guidance will be greatly appreciated.

    We are OK to get some directions and instructions and happy to fix the bugs and contribute them back to the community.

    Thanks,
    Hertzel
  • Hertzel Kuriel
    Wed, 6 Sep 2017, 5:00 PM
    By NOTATE I meant NOSTATE error.
  • Max Kan
    Fri, 15 Sep 2017, 11:25 AM
    Hi There,

    Any idea how to verify 'back channel Single Logout'?

    Login works well with this plugin; however, when a user logs out in the ADFS, Moodle is not being logged out automatically. Hope you guys can provide some idea on how to troubleshoot.

    Thank you.
  • Brendan Heywood
    Mon, 18 Sep 2017, 8:04 AM
    hi Max,

    Verification is easy: log out of the IdP directly and Moodle should also be logged out. It seems that in your testing you have verified that this is not working. You are probably running into the same issue as this:

    https://github.com/catalyst/moodle-auth_saml2/issues/138

    It's not clear yet whether that's a regression or something specific to ADFS, but please read that issue and add any examples to it to help diagnose it.
  • Max Kan
    Mon, 18 Sep 2017, 9:58 AM
    Hi Brendan,

    Cool!

    Let me follow that github issue and add examples over there.
  • Ronald Ramp
    Wed, 20 Sep 2017, 3:12 AM
    Hi Brendan,

    We have installed the plugin on Totara 9.9 and are trying to set it up with AD FS as IdP.
    But when we trigger the SSO we do get logged into Totara but get the following error:

    "You have logged in succesfully but we could not find you 'uid' attribute to associate you to an account in Moodle"

    It seems the mapping between the claim from the IdP and the plugin doesn't match? Where can we change this mapping?
    I tried to replace it directly in the config field "IdP to Moodle mapping" by filling in the complete URL, as I read in some other posts.

    In our case it is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier but it gives the same error, only 'uid' is replaced by the value filled in.

    I hope that you can help us.

    Thanks,

    Ronald
  • Brendan Heywood
    Wed, 20 Sep 2017, 7:42 AM
    hi Ronald,

    This is a fairly common support query, so I've added a new issue with some workarounds and potential long term solutions here:

    https://github.com/catalyst/moodle-auth_saml2/issues/139

    That should get you out of trouble. If you would like to sponsor any of those improvements to make this easier for yourself please contact us:

    https://www.catalyst-au.net/contact-us

    Brendan
  • Brendan Heywood
    Wed, 20 Sep 2017, 6:27 PM
    There are equivalent stable branches for 3.2 and below which we are using in production with older Moodles and Totaras, so those ideas are applicable either way. Yes, custom claims are something done on the ADFS, but they can be done per SP without affecting other SPs. I've never seen the ADFS config side of things but I've worked with multiple clients who have typically set up these claim rules in a few minutes.

    Also have you tried using the standalone test tool which helps out with getting the mapping keys exactly correct? Details are here:

    https://github.com/catalyst/moodle-auth_saml2#debugging
  • Ronald Ramp
    Thu, 21 Sep 2017, 12:09 AM
    Hi Brendan,

    Thanks for your reply.
    We fixed the issue by creating a custom claim rule.

    Regards Ronald
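To show why the default 'uid' identity attribute fails against an IdP that sends full claim URIs, and what the "IdP to Moodle mapping" setting therefore has to contain, here is an added PHP example; it is not auth_saml2's own code, and the attribute values, the map_saml_user function and the mapping keys are constructed for illustration.

```php
<?php
// Added example, not auth_saml2's own code. Attribute names and values are
// constructed, shaped like an ADFS response that sends full claim URIs.
// Attributes as SimpleSAMLphp returns them: each value is a list of strings.
$attributes = [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' => ['jsmith'],
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'   => ['jsmith@example.edu'],
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'      => ['Jane'],
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'        => ['Smith'],
];

// Moodle field => SAML attribute name, as an "IdP to Moodle mapping" would hold it.
$mapping = [
    'email'     => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'firstname' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
    'lastname'  => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
];

/**
 * Build a Moodle user record from SAML attributes. $idattr names the attribute
 * that identifies the user (the plugin's default is 'uid'). Matching is exact:
 * a bare 'uid' never matches a full claim URI, and the error says what arrived.
 */
function map_saml_user(array $attributes, array $mapping, string $idattr): array {
    if (empty($attributes[$idattr][0])) {
        throw new RuntimeException(
            "Could not find the '$idattr' attribute to associate you to an account. "
            . 'Attributes received: ' . implode(', ', array_keys($attributes)));
    }
    $user = ['username' => strtolower($attributes[$idattr][0])];
    foreach ($mapping as $field => $attr) {
        if (!empty($attributes[$attr][0])) {
            $user[$field] = $attributes[$attr][0]; // first value; SAML allows several
        }
    }
    return $user;
}

// With the default 'uid' this IdP's response cannot identify the user; the
// message lists the attribute names that must go into the mapping setting.
try {
    map_saml_user($attributes, $mapping, 'uid');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// Pointing the identity attribute at the full nameidentifier claim URI (or
// having the IdP send a short claim via a custom claim rule) resolves it.
print_r(map_saml_user($attributes, $mapping,
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'));
```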
  • Pete Smith
    Tue, 17 Oct 2017, 6:14 PM
    Hello Brendan - I think there is a bug in the logoutpage_hook function. The $USER object gets removed even if the $USER's authtype was not saml2. This means that auth methods lower down the order do not have access to $USER when they call the function. Thanks.
  • Brendan Heywood
    Wed, 18 Oct 2017, 8:22 AM
    thanks Pete I have logged that here:

    https://github.com/catalyst/moodle-auth_saml2/issues/148

    Feel free to follow that issue and/or comment on it. If you are able to make a PR then that's great, but note, as I said in the issue, this isn't trivial (but not hard either). If you are able to sponsor this that would be great too.