Authentication: SAML2 Single sign on

auth_saml2
Maintained by Catalyst IT, Brendan Heywood, Adam Riddell
SAML done 100% in Moodle: fast, simple, secure
447 sites
663 downloads
19 fans

What is this?

This plugin does authentication and user auto-creation, with SAML attribute to Moodle user field mapping.

Why is it better?

  • 100% configured in the Moodle GUI: no separate application to install, no config files to edit and no certificates to generate by hand.
  • Minimal configuration needed; in most cases you copy the IdP metadata in, give the SP metadata to your IdP admin, and that's it.
  • Fast: 3 redirects instead of 7.
  • Supports back-channel Single Logout, which most big organisations require (unlike the OneLogin plugin).

How does it work?

It embeds a complete SimpleSAMLphp instance as an internal dependency, configured dynamically the way it should be and inheriting almost all of its configuration from Moodle's own configuration. In future it should be possible to swap in a different internal SAML implementation without the plugin GUI needing to change at all.

Features

  • Dual login vs. forced SAML login for everyone, as an option. With dual auth on, ?saml=off on the login page lets manual accounts log in, and ?saml=on is supported everywhere so you can deep link and force login via SAML.
  • SAML attribute to Moodle user field mapping
  • Automatic certificate creation
  • Optionally auto create users
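
The attribute mapping and auto-creation steps above, as an added example that is not auth_saml2's own code. The attribute OIDs, the in-memory user table and the function names are assumptions standing in for the plugin's settings and Moodle's user table; the account checks at the end are the ones a practitioner wants here, including the suspended-account case raised in the comments further down the page.

```php
<?php
declare(strict_types=1);

// Added example, not auth_saml2 code. Maps SAML attributes onto Moodle user
// fields, optionally auto-creates the account, and refuses logins that Moodle
// itself has suspended. The attribute names, the in-memory user table and the
// function names are stand-ins for the plugin's settings and Moodle's DB.

// Configured mapping: Moodle user field => SAML attribute name (LDAP OIDs here).
const FIELD_MAP = [
    'username'  => 'urn:oid:0.9.2342.19200300.100.1.1', // uid
    'email'     => 'urn:oid:0.9.2342.19200300.100.1.3', // mail
    'firstname' => 'urn:oid:2.5.4.42',                   // givenName
    'lastname'  => 'urn:oid:2.5.4.4',                    // sn
];
const REQUIRED_FIELDS = ['username', 'email'];

// SAML attributes are lists of values. Take the first, trimmed, and drop empty
// or control-character values instead of writing them into the user record.
function first_value(array $attrs, string $name): ?string
{
    if (empty($attrs[$name]) || !is_array($attrs[$name])) {
        return null;
    }
    $v = trim((string) $attrs[$name][0]);
    return ($v === '' || preg_match('/[\x00-\x1f\x7f]/', $v)) ? null : $v;
}

function map_attributes(array $attrs): array
{
    $fields = [];
    foreach (FIELD_MAP as $field => $attrName) {
        $v = first_value($attrs, $attrName);
        if ($v !== null) {
            $fields[$field] = $v;
        }
    }
    foreach (REQUIRED_FIELDS as $field) {
        if (!isset($fields[$field])) {
            throw new RuntimeException("IdP did not supply a usable value for '$field'");
        }
    }
    // Moodle stores usernames lower-case; normalise before the lookup so
    // 'Alice' and 'alice' cannot become two accounts.
    $fields['username'] = strtolower($fields['username']);
    return $fields;
}

// $users stands in for Moodle's user table: username => record.
// Returns ['ok' => bool, 'reason' => string, 'user' => ?array].
function login_from_assertion(array $attrs, array &$users, bool $autocreate): array
{
    $fields   = map_attributes($attrs);
    $username = $fields['username'];

    if (!isset($users[$username])) {
        if (!$autocreate) {
            return ['ok' => false, 'reason' => 'nouser', 'user' => null];
        }
        $users[$username] = $fields + ['auth' => 'saml2', 'suspended' => 0, 'deleted' => 0];
    }
    $user = &$users[$username];

    // Never let a SAML uid that collides with a manual (e.g. admin) account take it over.
    if ($user['auth'] !== 'saml2') {
        return ['ok' => false, 'reason' => 'wrongauth', 'user' => null];
    }
    // Moodle's own flags win even when the IdP still asserts the user.
    if ($user['suspended'] || $user['deleted']) {
        return ['ok' => false, 'reason' => 'suspended', 'user' => null];
    }
    foreach ($fields as $k => $v) {   // refresh mapped fields on every login
        $user[$k] = $v;
    }
    return ['ok' => true, 'reason' => '', 'user' => $user];
}

// Constructed sample: bob already exists and is suspended in Moodle; alice is new.
$users = ['bob' => ['username' => 'bob', 'email' => 'bob@example.edu',
                    'auth' => 'saml2', 'suspended' => 1, 'deleted' => 0]];
$alice = ['urn:oid:0.9.2342.19200300.100.1.1' => ['Alice'],
          'urn:oid:0.9.2342.19200300.100.1.3' => ['alice@example.edu'],
          'urn:oid:2.5.4.42' => ['Alice'], 'urn:oid:2.5.4.4' => ['Example']];
$bob   = ['urn:oid:0.9.2342.19200300.100.1.1' => ['bob'],
          'urn:oid:0.9.2342.19200300.100.1.3' => ['bob@example.edu']];
foreach (['alice' => $alice, 'bob' => $bob] as $who => $attrs) {
    $r = login_from_assertion($attrs, $users, true);
    printf("%s: %s\n", $who, $r['ok'] ? 'logged in' : 'refused (' . $r['reason'] . ')');
}
```

The ordering matters: the account lookup happens on the normalised username, the auth-method check runs before anything is written, and the suspended/deleted check is evaluated against Moodle's record rather than trusting the IdP's assertion alone. Wire the real version into the auth plugin's post-login path and replace the array with Moodle's user DB calls.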

Features not yet implemented:

  • Enrolment - this should be an enrol plugin and not in an auth plugin
  • Role mapping - not yet implemented

Installation

1) Install the plugin the same as any standard Moodle plugin, either via the Moodle plugin directory or by cloning it into your source tree with git:

git clone git@github.com:CatalystIT-AU/moodle-auth_saml2.git auth/saml2

2) Then run the Moodle upgrade.

3) If your IdP has a publicly available XML metadata descriptor, copy its URL into the SAML2 auth config settings page.

4) If your IdP requires whitelisting each SP, the settings page has links to download the SP metadata XML, or you can give that URL to your IdP administrator.

For most simple setups this is enough to get authentication working. There are many more settings to define how new accounts are handled, how dual authentication behaves, and to make debugging easy if things are not working.

If you have issues please log them in github here:

https://github.com/CatalystIT-AU/moodle-auth_saml2/issues

Or if you want paid support please contact Catalyst IT Australia:

https://www.catalyst-au.net/contact-us

Testing

This plugin has been tested against:

  • SimpleSAMLphp set up as an IdP
  • openidp.feide.no
  • testshib.org
  • An AAF instance of Shibboleth

Other SAML plugins

The diversity and variable quality of SAML Moodle plugins reflects a great need for a solid SAML plugin that core has neglected to meet. SAML2 is by far the most robust and widely supported protocol across the internet and should be fully integrated into Moodle core, as both a Service Provider and an Identity Provider, without any external dependencies to manage.

Here is a quick run down of the alternatives:

Core:

  • /auth/shibboleth - This requires a separately installed and configured Shibboleth SP

One big issue with this, and with the category below, is that there is a whole extra application between Moodle and the IdP, so the login and logout processes have more latency due to the extra redirects. Latency on potentially slow mobile networks is by far the biggest bottleneck for login speed and the biggest complaint from end users in our experience.

Plugins that require SimpleSAMLphp

These are all forks of each other, and unfortunately they diverged early or have no common git history, making it difficult to port features or fixes between them.

Plugins which embed a SAML client lib:

These are generally much easier to manage and configure as they are standalone.

  • https://moodle.org/plugins/view/auth_onelogin_saml - This one uses its own embedded SAML library, which is great and promising; however it doesn't support back-channel logout, which is critical for security in any large organisation.

  • This plugin, with an embedded and dynamically configured SimpleSAMLphp instance under the hood
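
Back-channel Single Logout is the feature this page keeps returning to, both in "Why is it better?" and in the comparison above. What the SP has to do when the IdP's LogoutRequest arrives, as an added example that is neither the plugin's nor SimpleSAMLphp's code: the entity IDs, the session table and the helper names are assumptions, and it assumes the SAML library has already verified the XML signature on the request before this runs.

```php
<?php
declare(strict_types=1);

// Added example, not auth_saml2 or SimpleSAMLphp code. Handles a SAML 2.0
// LogoutRequest delivered over the back channel (SOAP binding) and returns the
// LogoutResponse to send back. Assumes the XML signature on the request has
// already been verified by the SAML library; entity IDs are placeholders.

const SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol';
const SAML_NS  = 'urn:oasis:names:tc:SAML:2.0:assertion';
const STATUS_SUCCESS   = 'urn:oasis:names:tc:SAML:2.0:status:Success';
const STATUS_REQUESTER = 'urn:oasis:names:tc:SAML:2.0:status:Requester';

// Parse without network access and refuse any DOCTYPE: SAML messages never
// carry one, and a DTD is the vehicle for XXE and entity-expansion attacks.
function parse_saml_xml(string $xml): DOMDocument
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE is not allowed in a SAML message');
    }
    $prev = libxml_use_internal_errors(true);
    $doc  = new DOMDocument();
    $ok   = $doc->loadXML($xml, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new InvalidArgumentException('Malformed XML');
    }
    return $doc;
}

// Pull out what the SP needs: request ID, issuer, NameID and SessionIndex list.
function parse_logout_request(string $xml): array
{
    $root = parse_saml_xml($xml)->documentElement;
    if ($root->namespaceURI !== SAMLP_NS || $root->localName !== 'LogoutRequest') {
        throw new InvalidArgumentException('Not a samlp:LogoutRequest');
    }
    $nameIds = $root->getElementsByTagNameNS(SAML_NS, 'NameID');
    if ($nameIds->length !== 1) {   // an EncryptedID would need decrypting first
        throw new InvalidArgumentException('Expected exactly one plain NameID');
    }
    $issuerNode = $root->getElementsByTagNameNS(SAML_NS, 'Issuer')->item(0);
    $indexes = [];
    foreach ($root->getElementsByTagNameNS(SAMLP_NS, 'SessionIndex') as $si) {
        $indexes[] = trim($si->textContent);
    }
    return [
        'id'       => $root->getAttribute('ID'),
        'issuer'   => $issuerNode ? trim($issuerNode->textContent) : '',
        'nameid'   => trim($nameIds->item(0)->textContent),
        'sessions' => $indexes,
    ];
}

function build_logout_response(string $inResponseTo, string $spEntityId, string $statusCode): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $resp = $doc->createElementNS(SAMLP_NS, 'samlp:LogoutResponse');
    $resp->setAttribute('ID', '_' . bin2hex(random_bytes(16)));
    $resp->setAttribute('Version', '2.0');
    $resp->setAttribute('IssueInstant', gmdate('Y-m-d\TH:i:s\Z'));
    $resp->setAttribute('InResponseTo', $inResponseTo);
    $doc->appendChild($resp);
    $issuer = $doc->createElementNS(SAML_NS, 'saml:Issuer');
    $issuer->appendChild($doc->createTextNode($spEntityId)); // text node, so no manual escaping
    $resp->appendChild($issuer);
    $status = $doc->createElementNS(SAMLP_NS, 'samlp:Status');
    $code   = $doc->createElementNS(SAMLP_NS, 'samlp:StatusCode');
    $code->setAttribute('Value', $statusCode);
    $status->appendChild($code);
    $resp->appendChild($status);
    return $doc->saveXML();
}

// $sessions is the SP-side index SLO needs: nameid => [idpSessionIndex => localSessionId].
// Returns [responseXml, killedLocalSessionIds].
function handle_back_channel_logout(string $xml, array &$sessions, string $idpEntityId, string $spEntityId): array
{
    $req = parse_logout_request($xml);
    if ($req['issuer'] !== $idpEntityId) {   // only the configured IdP may end sessions here
        return [build_logout_response($req['id'], $spEntityId, STATUS_REQUESTER), []];
    }
    $known   = $sessions[$req['nameid']] ?? [];
    $targets = $req['sessions'] === [] ? array_keys($known) : $req['sessions']; // none = all
    $killed  = [];
    foreach ($targets as $idx) {
        if (isset($known[$idx])) {
            $killed[] = $known[$idx];
            unset($sessions[$req['nameid']][$idx]);
        }
    }
    return [build_logout_response($req['id'], $spEntityId, STATUS_SUCCESS), $killed];
}

// Constructed sample: alice has two Moodle sessions; the IdP logs out just one of them.
$sessions = ['alice' => ['_idp_sess_9' => 'moodlesess_a1', '_idp_sess_10' => 'moodlesess_a2']];
$request  = <<<'XML'
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req_1" Version="2.0" IssueInstant="2017-05-18T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice</saml:NameID>
  <samlp:SessionIndex>_idp_sess_9</samlp:SessionIndex>
</samlp:LogoutRequest>
XML;
[$response, $killed] = handle_back_channel_logout(
    $request, $sessions, 'https://idp.example.edu/idp', 'https://moodle.example.edu/sp');
echo $response, "killed: ", implode(', ', $killed), PHP_EOL;
```

Two checks carry the security weight: the DOCTYPE rejection and LIBXML_NONET keep the XML parser from reaching for external entities, and the issuer comparison means a signed LogoutRequest from any other IdP gets a Requester status and touches nothing. In Moodle, each ID in the killed list would go to \core\session\manager::kill_session(); the same handler also serves the case where the request carries no SessionIndex, which the SAML spec treats as "all sessions for this principal".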

Warm thanks

Thanks to the various authors and contributors to the other plugins above.

Thanks to La Trobe University in Melbourne for sponsoring the initial creation of this plugin:

http://www.latrobe.edu.au


Thanks to Centre de gestion informatique de l’éducation in Luxembourg for sponsoring the user autocreation and field mapping work:

http://www.cgie.lu


This plugin was developed by Catalyst IT Australia:

https://www.catalyst-au.net/




Contributors

Catalyst IT (Lead maintainer)
Adam Riddell: Developer

Comments
  • Jérémy De Pauw
    Mon, 15 May 2017, 7:01 PM
    Hello,

    Will a version for Moodle 3.3 be available soon?

    thank you in advance

  • A Guy
    Thu, 18 May 2017, 12:51 AM
    Why are you allowing suspended Moodle accounts access with this plugin? I have a situation where there is a front end application (happens to be Drupal) that is SSO'd with Moodle with this plugin. If the front end application disables the account the user cannot log in. If the front end application has the account enabled but the account is disabled in Moodle the user is still allowed in and to enroll in the course and take the course, etc. That shouldn't be. Otherwise you are turning over control to the other application, removing it from Moodle. There should be a message thrown. To me this is pretty serious.
  • Brendan Heywood
    Thu, 18 May 2017, 7:28 AM
    @Jérémy: We are working on 3.3 support right now

    @A Guy: In most setups a suspension is handled higher up at the saml idp level so it wasn't a requirement in this plugin when it was first built. That said this bug with suspended accounts was fixed very recently, please upgrade to the latest version:

    https://github.com/catalyst/moodle-auth_saml2/issues/101
  • Jérémy De Pauw
    Thu, 8 Jun 2017, 4:33 AM
    Hi Brendan,

    Do you have an approximate release date of the compatible version 3.3? I only miss this module to achieve the update to 3.3

    thank you in advance
  • Brendan Heywood
    Thu, 8 Jun 2017, 7:39 AM
    hi Jérémy,

    We actually have a stable branch for 3.3 but we just haven't yet updated the plugin directory metadata. We will get to that shortly but in the meantime the branch is here:

    https://github.com/catalyst/moodle-auth_saml2/tree/MOODLE_33PLUS
  • Daemon Hunt
    Tue, 20 Jun 2017, 6:49 AM
    Hi There

    I have left a question on the GitHub site and am waiting for a response. Is there something we are missing?

    https://github.com/catalyst/moodle-auth_saml2/issues/114
  • Jérémy De Pauw
    Tue, 18 Jul 2017, 5:04 AM
    Hi Brendan,

    Is it planned to publish the official version for 3.3 on this site?

    Is the version on git usable in production?

    Thanks
  • Fabian Sesterhenn
    Tue, 18 Jul 2017, 8:22 PM
    Hi,
    I am on Moodle 3.3 already and it seems that the plugin cannot be configured with 3.3 yet. The "settings" link is missing under Site Administration > Plugins > Authentication > SAML2. There the only options available are for test-settings and uninstall.
    Will this plugin be available for 3.3 soon by any chance?
    Thanks.
  • Brendan Heywood
    Wed, 19 Jul 2017, 7:29 AM
    Yes we support 3.3+ and there is a stable branch for this on github. We are working with HQ to try and automate the publishing to here so that this metadata is never out of sync.
  • virasat solutions
    Wed, 26 Jul 2017, 5:15 PM
    Hello ,

    Has anybody tried SSO between Moodle and .NET using SAML2?

    On the .NET side we are using this component http://www.componentspace.com/SAMLv20.aspx while on the Moodle side we are using this plugin.

    Can you guide us on the whole process of this SSO with .NET?

    Will appreciate any quick reply.


    Thanks

  • Brendan Heywood
    Thu, 27 Jul 2017, 7:37 AM
    hi Virasat,

    As long as it is saml compliant it should be fine. If you run into any gotchas then please open a pull request in github against the README file with anything to help others in a similar situation (or just open an issue and I'll fold it in). Also I'm not a .Net dev at all, but I am pretty sure that full saml libraries are available in the core .Net libraries so you shouldn't need to use anything third party, especially something that costs $.

    Brendan
  • Kitti L.
    Fri, 4 Aug 2017, 9:44 PM
    Hi,

    I grabbed the latest branch from GitHub as you mentioned above, and I am current on 3.3.1, but just wanted to make sure if that will work fine?
    https://github.com/catalyst/moodle-auth_saml2/tree/MOODLE_33PLUS

    Thanks in advance!
  • Brendan Heywood
    Mon, 7 Aug 2017, 10:06 AM
    Yes we are using the 3.3+ branch in production. If you find any issues please log them in github
  • Anderson Hsu
    Sat, 12 Aug 2017, 9:30 PM
    Can we use the plugin for Single Sign On with Confluence? We use LDAP accounts to log in to Moodle and Confluence. We are trying to find a single sign on method for them. Thanks a lot.
  • Brendan Heywood
    Mon, 14 Aug 2017, 7:30 AM
    hi,

    If Confluence can be set up as a SAML IdP then yes, this plugin should work with it. From a very quick Google it looks to me like the more typical (and possibly only) setup is where Confluence is acting as an SP and the IdP is, say, Google or your own identity server. In this setup Confluence and Moodle would both be peer SPs under that central IdP, so Moodle and Confluence would be inside the SAML SSO umbrella but technically would not be aware of each other at all.
