Authentication: SAML2 Single sign on

auth_saml2
Maintained by Picture of Catalyst IT Catalyst IT, Picture of Brendan Heywood Brendan Heywood, Picture of Adam Riddell Adam Riddell, Picture of Daniel Thee Roperto Daniel Thee Roperto, Picture of Rossco Hellmans Rossco Hellmans, Picture of Kristian Ringer Kristian Ringer
SAML done 100% in moodle, fast, simple, secure
785 sites
1k downloads
37 fans

What is this?

This plugin does authentication, user auto creation with field mapping.

Why is it better?

  • 100% configured in the Moodle GUI - no installation of a whole separate app, and no touching of config files or generating certificates.
  • Minimal configuration needed, in most cases just copy the IdP metadata in and then give the SP metadata to your IdP admin and that's it.
  • Fast! - 3 redirects instead of 7
  • Supports back channel Single Logout which most big organisations require (unlike OneLogin)

How does it work?

It completely embeds a SimpleSamlPHP instance as an internal dependancy which is dynamically configured the way it should be and inherits almost all of it's configuration from Moodle configuration. In the future we should be able to swap to a different internal SAML implementation and the plugin GUI shouldn't need to change at all.

Features

  • Dual login VS forced login for all as an option, with ?saml=off on the login page for manual accounts, and ?saml=on supported everywhere to deep link and force login via saml if dual auth is on.
  • SAML attributes to Moodle user field mapping
  • Automatic certificate creation
  • Optionally auto create users

Features not yet implemented:

  • Enrolment - this should be an enrol plugin and not in an auth plugin
  • Role mapping - not yet implemented

Installation

1) Install the plugin the same as any standard moodle plugin either via the Moodle plugin directory, or you can use git to clone it into your source:

git clone git@github.com:CatalystIT-AU/moodle-auth_saml2.git auth/saml2

2) Then run the Moodle upgrade 3) If your IdP has a publicly available XML descriptor, copy this url into the SAML2 auth config settings page 4) If your IdP requires whitelisting each SP then in the settings page is links to download the XML, or you can provide that url to your IdP administrator.

For most simple setups this is enough to get authentication working, there are many more settings to define how to handle new accounts, dual authentication, and to easily debug the plugin if things are not working.

If you have issues please log them in github here:

https://github.com/CatalystIT-AU/moodle-auth_saml2/issues

Or if you want paid support please contact Catalyst IT Australia:

https://www.catalyst-au.net/contact-us

Testing

This plugin has been tested against:

  • SimpleSamlPHP set up as an IdP
  • openidp.feide.no
  • testshib.org
  • An AAF instance of Shibboleth

Other SAML plugins

The diversity and variable quality and features of SAML Moodle plugins is a reflection of a great need for a solid SAML plugin, but the neglect to do it properly in core. SAML2 is by far the most robust and supported protocol across the internet and should be fully integrated into moodle core as both a Service Provider and as an Identity Provider, and without any external dependencies to manage.

Here is a quick run down of the alternatives:

Core:

  • /auth/shibboleth - This requires a separately installed and configured Shibbolleth install

One big issue with this, and the category below, is as there is a whole extra application between moodle and the IdP, so the login and logout processes have more latency due to extra redirects. Latency on potentially slow mobile networks is by far the biggest bottle neck for login speed and the biggest complaint by end users in our experience.

Plugins that require SimpleSamlPHP

These are all forks of each other, and unfortunately have diverged quite early or have no common git history making it difficult to cross port features or fixes between them.

Plugins which embed a SAML client lib:

These are generally much easier to manage and configure as they are standalone.

  • https://moodle.org/plugins/view/auth_onelogin_saml - This one uses it's own embedded saml library which is great and promising, however it doesn't support 'back channel logout' which is critical for security in any large organisation.

  • This plugin, with an embedded and dynamically configured SimpleSamlPHP instance under the hood

Warm thanks

Thanks to the various authors and contributors to the other plugins above.

Thanks to LaTrobe university in Melbourne for sponsoring the initial creation of this plugin:

http://www.latrobe.edu.au

LaTrobe

Thanks to Centre de gestion informatique de l’éducation in Luxembourg for sponsoring the user autocreation and field mapping work:

http://www.cgie.lu

CGIE

This plugin was developed by Catalyst IT Australia:

https://www.catalyst-au.net/

Catalyst IT


Screenshots

Screenshot #0

Contributors

Picture of Catalyst IT
Catalyst IT (Lead maintainer)
Picture of Adam Riddell
Adam Riddell: Developer
Picture of Daniel Thee Roperto
Daniel Thee Roperto: Developer
Picture of Rossco Hellmans
Rossco Hellmans: Developer
Picture of Kristian Ringer
Kristian Ringer: Developer
Please login to view contributors details and/or to contact them

Comments RSS

Show comments
  • Picture of Daniel Thee Roperto
    Wed, 16 May 2018, 7:42 AM
    Hi Harold, no need to apologise, thank you for sharing the solution as it can help myself and other people using this plugin. Cheers!
  • Picture of Ketan Ajudiya
    Thu, 14 Jun 2018, 2:34 AM
    Hi,
    I can not able to install the plugin to my moodle site.
    I have fresh installation of moodle 3.4.3 and i am trying to install "SAML2 Single sign on" plugin and it gives error

    "This page isn’t working
    your website is currently unable to handle this request.
    HTTP ERROR 500"

    I have tried both method using zip installation and from moodle plugin directory but end up with same error.
    it validates plugin properly without issue. but failed to install.

    Can you please help how to install the plugin? as i said i have fresh moodle installation so, do i missed something before install the plugin?
  • Picture of Jérémy De Pauw
    Thu, 14 Jun 2018, 4:57 PM
    Hello,

    Can you tell me when is planned the update of the plugin for version 3.5 of Moodle?

    I have to update my platform at the end of the month, so I'd like to go directly to 3.5

    Thanks
  • Picture of Daniel Thee Roperto
    Fri, 15 Jun 2018, 10:19 AM
    Hi Ketan, unfortunately it is very hard for me to know what is happening to your installation. If you have access to your server, you can try unzipping the files inside auth/saml2 (you should see a file called version.php in that folder) and running the upgrade process. If the problem persists I'd suggest posting a request in Moodle forums. Cheers, Daniel
  • Picture of Daniel Thee Roperto
    Fri, 15 Jun 2018, 11:15 AM
    Hi Jeremy,

    As you can see in https://travis-ci.org/catalyst/moodle-auth_saml2/builds/392532941 the plugin is passing for the tests using Moodle 3.5 and so far is ready for Moodle 3.6 (master)

    I have not used it with Moodle 3.5 so I'd suggest you testing it but I am confident it will work fine.

    Please let us know how did it work for you, when we have tested in a real Moodle 3.5 environment we can tag it here as compatible.

    Cheers,

    Daniel
  • Picture of Jérémy De Pauw
    Fri, 15 Jun 2018, 3:05 PM
    Hi Daniel,

    Thanks à lot. I'll try as soon as possible and give you a feedback

    Have a nice day
  • Picture of David Broomfield
    Tue, 26 Jun 2018, 3:03 PM
    We've just had a contractor in trying to get Moodle talking to our Active Directory through this plugin. All was going well but the contractor wasn't able to link identifiers between the systems. Anyone had that problem?
  • Picture of JJ Combs
    Wed, 4 Jul 2018, 12:57 AM
    We are using the latest plugin version with Moodle 3.3.5. It works great, but after a few minutes, if a user returns to the Moodle front page, it says that 'you are not logged in'. However, if the user clicks on a course, it returns them to a logged in state and everything works normally. The Moodle session timeout is set to 2 hours, and the IdP is set for a 4 hour timeout. If the user stays in the course, it does not seem to happen, only when returning to the front page. Has anyone else experienced this?
  • Picture of Lourdes Cid
    Thu, 5 Jul 2018, 7:11 PM
    I would like to include the module in Moodle 3.5, is it compatible?
  • Picture of JJ Combs
    Thu, 5 Jul 2018, 10:50 PM
    Update: after doing more testing, it appears that Moodle is purging a user's session after a few minutes, regardless of what setting we use in the site admin session setup. We currently have it set for 4 hours, but the session is purged after just a couple minutes of inactivity if the user logs in via SAML. Is there an additional session handling config for this plug?
  • Picture of Jignesh Patel
    Tue, 31 Jul 2018, 10:00 PM
    I Have Moodle 3.4 /3.5 Installed on PHP + IIS + MSSQL environment. Moodle installation completed successfully. Installed SAML2 SSO plug in which installed successfully too but i'm unable to see SAML SSO login button in Moodle login page. not sure what missing and there was not any error. Need Help.
  • Wazza
    Mon, 13 Aug 2018, 6:57 PM
    There seems to be something wrong with the zip-file (Moodle 3.5). When trying to install this plugin (among many others) I get this error (only with the SAML plugin)

    Fatal error: Maximum execution time of 30 seconds exceeded in /moodle/filestorage/zip_archive.php on line 253

    It seems Moodle can not unpack the zip-file from this plugin.
  • Wazza
    Wed, 19 Sep 2018, 9:41 PM
    After installing the latest version I'm getting the following errors:

    Exception - [ARRAY]: The option 'Format' is not a valid string value.

    More information about this error

    ×Debug info:
    Error code: generalexceptionmessage
    ×Stack trace:
    line 197 of /auth/saml2/extlib/simplesamlphp/lib/SimpleSAML/Auth/Source.php: SimpleSAML_Error_UnserializableException thrown
    line 161 of /auth/saml2/extlib/simplesamlphp/lib/SimpleSAML/Auth/Simple.php: call to SimpleSAML_Auth_Source->initLogin()
    line 103 of /auth/saml2/extlib/simplesamlphp/lib/SimpleSAML/Auth/Simple.php: call to SimpleSAML\Auth\Simple->login()
    line 474 of /auth/saml2/auth.php: call to SimpleSAML\Auth\Simple->requireAuth()
    line 324 of /auth/saml2/auth.php: call to auth_plugin_saml2->saml_login()
    line 308 of /auth/saml2/auth.php: call to auth_plugin_saml2->loginpage_hook()
    line 2622 of /lib/moodlelib.php: call to auth_plugin_saml2->pre_loginpage_hook()
    line 12 of /admin/upgradesettings.php: call to require_login()
  • Picture of Colin G
    Thu, 18 Oct 2018, 8:47 AM
    Hi. I am new to windows adfs/saml2 auth and I am trying to setup auth to our domain controller. I have setup the plugin but when I try to login via SAML2 I get this error:

    You have logged in succesfully but we could not find your 'uid' attribute to associate you to an account in Moodle.

    when I run moodle/auth/saml2/test.php all I see is:

    Authed!

    array(0) {
    }
    IdP: http://mysite.com.au/adfs/services/trust

    Can anyone give me help here or know what I am missing ??
  • Picture of marc marc
    Thu, 18 Oct 2018, 10:27 PM
    Hello, Is it possible to map two fields in one doing a concatenation in the data mapping? like data mapping (study) : "$programme.$semester" or something like this? i tried a lot of combination but nothing worked. may be it's not possible, but i would like your confirmation smile Thank you.
1 2 3 4 5 6 7 8 9 10

Commenting temporarily disabled