Authentication: SAML2 Single sign on

auth_saml2
Maintained by Catalyst IT, Brendan Heywood, Adam Riddell
SAML done 100% in moodle, fast, simple, secure
264 sites
683 downloads
12 fans

What is this?

This plugin handles SAML2 authentication and, optionally, automatic user creation with SAML attribute to Moodle user field mapping.

Why is it better?

  • 100% configured in the Moodle GUI - no installation of a whole separate app, and no touching of config files or generating certificates.
  • Minimal configuration needed, in most cases just copy the IdP metadata in and then give the SP metadata to your IdP admin and that's it.
  • Fast! - 3 redirects instead of 7
  • Supports back channel Single Logout which most big organisations require (unlike OneLogin)

How does it work?

It embeds a complete SimpleSAMLphp instance as an internal dependency, configured dynamically the way it should be and inheriting almost all of its configuration from the Moodle configuration. In the future it should be possible to swap in a different internal SAML implementation without the plugin GUI needing to change at all.

Features

  • Dual login vs. forced SAML login for everyone, as an option. With dual login enabled, ?saml=off on the login page shows the manual login form, and ?saml=on is supported on any page to deep link and force login via SAML.
  • SAML attributes to Moodle user field mapping
  • Automatic certificate creation
  • Optionally auto create users

Features not yet implemented:

  • Enrolment - this should be an enrol plugin and not in an auth plugin
  • Role mapping - not yet implemented

Installation

1) Install the plugin the same as any standard Moodle plugin, either via the Moodle plugin directory or by using git to clone it into your source tree:

git clone git@github.com:CatalystIT-AU/moodle-auth_saml2.git auth/saml2

2) Then run the Moodle upgrade.

3) If your IdP has a publicly available XML descriptor, copy its URL into the SAML2 auth config settings page.

4) If your IdP requires whitelisting each SP, the settings page has links to download the SP XML metadata, or you can provide that URL to your IdP administrator.

For most simple setups this is enough to get authentication working. There are many more settings that define how new accounts are handled, how dual authentication behaves, and how to debug the plugin easily if things are not working.
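As an added illustration of what the SP has to pull out of the IdP metadata you paste in at step 3 (this is a stand-alone check, not the plugin's own code): it extracts the entityID, the endpoints per binding and the signing certificates, and flags an IdP that advertises no signing certificate or no SOAP SingleLogoutService (the binding back channel Single Logout needs). The namespace and binding URIs are the standard SAML2 ones; the sample metadata is constructed.

```python
# Added example (not the plugin's own code): the checks an SP must make on IdP
# metadata before trusting it. Sample metadata below is constructed.
import xml.etree.ElementTree as ET  # production code: parse untrusted XML with defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

def parse_idp_metadata(xml_text):
    """Extract entityID, endpoints by binding and signing certs from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML2 IdP metadata")
    meta = {"entityid": root.get("entityID", ""), "sso": {}, "slo": {}, "certs": []}
    for ep in idp.findall("md:SingleSignOnService", NS):
        meta["sso"][ep.get("Binding")] = ep.get("Location")
    for ep in idp.findall("md:SingleLogoutService", NS):
        meta["slo"][ep.get("Binding")] = ep.get("Location")
    # Only keys marked use="signing" (or unmarked, meaning both uses) may verify
    # assertions; an encryption-only key must never be accepted as a verifier.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                meta["certs"].append("".join((cert.text or "").split()))
    return meta

def metadata_problems(meta):
    """Reasons this IdP should not be configured as-is (empty list = looks usable)."""
    checks = [
        (meta["entityid"], "missing entityID"),
        (meta["certs"], "no signing certificate: assertion signatures cannot be verified"),
        (BINDING_REDIRECT in meta["sso"], "no HTTP-Redirect SingleSignOnService"),
        (BINDING_SOAP in meta["slo"], "no SOAP SingleLogoutService: back-channel logout unavailable"),
    ]
    return [msg for ok, msg in checks if not ok]

SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...CONSTRUCTED-SIGNING-CERT...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...CONSTRUCTED-ENCRYPTION-CERT...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Running `metadata_problems(parse_idp_metadata(SAMPLE))` reports only the missing SOAP logout endpoint, since the sample IdP offers front-channel logout alone.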

If you have issues please log them in github here:

https://github.com/CatalystIT-AU/moodle-auth_saml2/issues

Or if you want paid support please contact Catalyst IT Australia:

https://www.catalyst-au.net/contact-us

Testing

This plugin has been tested against:

  • SimpleSamlPHP set up as an IdP
  • openidp.feide.no
  • testshib.org
  • An AAF instance of Shibboleth

Other SAML plugins

The diversity and variable quality and features of the SAML Moodle plugins reflect a great need for a solid SAML plugin, and the neglect to do it properly in core. SAML2 is by far the most robust and widely supported protocol across the internet and should be fully integrated into Moodle core as both a Service Provider and an Identity Provider, without any external dependencies to manage.

Here is a quick run down of the alternatives:

Core:

  • /auth/shibboleth - This requires a separately installed and configured Shibboleth install

One big issue with this, and with the category below, is that there is a whole extra application between Moodle and the IdP, so the login and logout processes have more latency due to the extra redirects. Latency on potentially slow mobile networks is by far the biggest bottleneck for login speed and the biggest complaint from end users in our experience.

Plugins that require SimpleSamlPHP

These are all forks of each other, and unfortunately have diverged quite early or have no common git history making it difficult to cross port features or fixes between them.

Plugins which embed a SAML client lib:

These are generally much easier to manage and configure as they are standalone.

  • https://moodle.org/plugins/view/auth_onelogin_saml - This one uses its own embedded SAML library, which is great and promising, however it doesn't support 'back channel logout', which is critical for security in any large organisation.

  • This plugin, with an embedded and dynamically configured SimpleSamlPHP instance under the hood

Warm thanks

Thanks to the various authors and contributors to the other plugins above.

Thanks to LaTrobe university in Melbourne for sponsoring the initial creation of this plugin:

http://www.latrobe.edu.au


Thanks to Centre de gestion informatique de l’éducation in Luxembourg for sponsoring the user autocreation and field mapping work:

http://www.cgie.lu


This plugin was developed by Catalyst IT Australia:

https://www.catalyst-au.net/




Contributors

Catalyst IT (Lead maintainer)
Adam Riddell: Developer

Comments

  • koen roggemans
    Wed, 7 Sep 2016, 10:45 PM
    Hi Brendan and Adam,
    I read you support Moodle 3.1, but it is not visible in the plugins database. Also the autoinstaller in the plugins database doesn't want to install the plugin in a 3.1 (it does work in a 3.0). So I wonder if you did not release the plugin yet for 3.1 in the plugins database.
    Kind regards
    Koen
  • Brendan Heywood
    Thu, 8 Sep 2016, 8:11 AM
    thanks Koen, I've just bumped the version and released
  • it.webdevsupport Master
    Tue, 13 Sep 2016, 6:41 PM
    Hello!! I am using plugin saml2 to authenticate in my web app. Actually, I would like to create automatic cohorts when anybody logs in, but it doesn't happen. So I would like to know if it is possible and what I should do. Thanks.
  • Brendan Heywood
    Mon, 10 Oct 2016, 7:44 AM
    This plugin doesn't automatically create cohorts, and generally speaking auth plugins shouldn't be doing this (but up for debate). Perhaps a better architecture is the saml2 auth plugin manages attributes that are provided by the idp, and then saves these into a custom user profile field. Then a different plugin picks those up and creates cohorts from them and keeps them in sync. Your mileage may vary but look into:

    https://moodle.org/plugins/auth_mcae

    https://github.com/netspotau/moodle-local_cohort_automation

    and there are others in the wild that do similar things
  • Brendan Heywood
    Thu, 13 Oct 2016, 12:28 PM
    From Josh B and for anyone else's benefit:

    > We are using the setting Allow any auth types and importing our users into imap and ldap (for several reason)
    We also had these auth types disabled just to be sure all users must come in through saml

    > Discovered that the Moodle task Cleanup old sessions would then remove all sessions and we would get new sessions every cron
    which will cause you to get invalidsesskey if it runs while you are in the middle of forum post or another process

    > Its debatable if this is a bug as it should only affect saml2 under specific settings

    We finally looked into this, sessions cannot belong to a plugin which is disabled, or as you found out those sessions will be immediately killed. This is not specific to saml2. There is an auth plugin hook to work around this but it doesn't work (see MDL-56417). In the meantime just don't do that.
  • Virgil Ashruf
    Thu, 13 Oct 2016, 10:52 PM
    Hi there. I encountered a bug when using an IdP that is still SAML1 (shib13). The link to the shire was created incorrectly and was aiming to /simplesaml/module.php/sp... and onwards. I changed it so it points to the wwwroot and the authentication directory of saml2. I have forked the repo and put in a pull request as issue #52. Can you look at it?

    Best,

    Virgil
  • Brendan Heywood
    Mon, 17 Oct 2016, 8:20 AM
    thanks to Virgil, the next release will support older saml1 / shib idp's
  • Praj Basnet
    Wed, 16 Nov 2016, 7:22 AM
    First off, thanks for the plugin, so much easier than rolling your own SimpleSAMLPhp install with auth/saml.

    I'm finding that the current version is causing segfaults in Apache (running PHP 5.4.16). I believe this is a known SimpleSAMLPhp bug per this:
    https://github.com/simplesamlphp/simplesamlphp/issues/293

    Are you able to confirm? Also I can't work out what version of SimpleSAMLPhp is installed as getVersion() just has "trunk" instead of a SimpleSAMLPhp version in auth/saml2/extlib/simplesamlphp/lib/SimpleSAML/Configuration.php

    Are you able to confirm what version is in the latest release? 1.14.x?

    FYI for other people that hit this issue, try moving to PHP 5.6+.
  • Brendan Heywood
    Wed, 16 Nov 2016, 9:16 AM
    Wow, segfault! There is very little to be done in this plugin, that needs to be fixed in apache / os land. And I think it was supposed to be 1.10 but was trunk. I'll add an issue to upgrade it to stable 1.14
  • Praj Basnet
    Thu, 17 Nov 2016, 4:08 AM
    Thanks Brendan,

    Agreed it's more an issue with SimpleSAMLPhp and header_register_callback with PHP 5.4 / Apache. But good to have the latest version of SimpleSAMLphp in there too
  • Praj Basnet
    Thu, 15 Dec 2016, 9:03 AM
    One other feature that would be handy is to be able to set the final logout URL in the plugin settings. I might try to implement this myself and then add it to the auth/saml2/auth.php logoutpage_hook() function to set the $redirect value. Thought I would post here just to check if you knew of another way? Presently after single logout, the redirect takes the user back to the Moodle login page.
  • Brendan Heywood
    Thu, 15 Dec 2016, 9:29 AM
    hi Praj,

    I've logged a new issue to make this configurable:

    https://github.com/catalyst/moodle-auth_saml2/issues/68

    Please read that comment for details of what needs to be done
  • Praj Basnet
    Thu, 15 Dec 2016, 9:32 AM
    Cool thanks Brendan, I have the code changes if you want me to contribute them via Github, pretty straight forward.
  • Praj Basnet
    Tue, 7 Mar 2017, 7:01 PM
    Hello, just wanted to flag another potentially useful feature. Some IdPs like to use a friendly name for the Issuer ID of the SP, e.g. they might want to call the SP configuration "moodle". However by default with SimpleSAMLphp the issuer name is set to the entityID, which in turn equates to $wwwroot/auth/saml2/sp/metadata.php in config/authsources.php. I figure it wouldn't be too hard to change this into a configurable setting in the plugin?
  • Brendan Heywood
    Tue, 7 Mar 2017, 9:03 PM
    hi Praj,

    I don't see a huge benefit to making it configurable, if anything I aim to hide and automate and simplify anything like that where possible. If you see a valid use case please document it in an issue on github