Authentication: SAML2 Single sign on

auth_saml2
Maintained by Catalyst IT, Brendan Heywood, Adam Riddell, Daniel Thee Roperto
SAML done 100% in moodle, fast, simple, secure
523 sites
712 downloads
24 fans

What is this?

This plugin does authentication, user auto creation with field mapping.

Why is it better?

  • 100% configured in the Moodle GUI - no installation of a whole separate app, and no touching of config files or generating certificates.
  • Minimal configuration needed, in most cases just copy the IdP metadata in and then give the SP metadata to your IdP admin and that's it.
  • Fast! - 3 redirects instead of 7
  • Supports back channel Single Logout which most big organisations require (unlike OneLogin)

How does it work?

It completely embeds a SimpleSamlPHP instance as an internal dependency, which is dynamically configured the way it should be and inherits almost all of its configuration from the Moodle configuration. In the future we should be able to swap to a different internal SAML implementation and the plugin GUI shouldn't need to change at all.

Features

  • Dual login vs forced login for all as an option, with ?saml=off on the login page for manual accounts, and ?saml=on supported everywhere to deep link and force login via SAML when dual auth is on.
  • SAML attributes to Moodle user field mapping
  • Automatic certificate creation
  • Optionally auto create users

Features not yet implemented:

  • Enrolment - this should be an enrol plugin and not in an auth plugin
  • Role mapping - not yet implemented

Installation

1) Install the plugin the same as any standard moodle plugin either via the Moodle plugin directory, or you can use git to clone it into your source:

git clone git@github.com:CatalystIT-AU/moodle-auth_saml2.git auth/saml2

2) Then run the Moodle upgrade

3) If your IdP has a publicly available XML descriptor, copy this URL into the SAML2 auth config settings page

4) If your IdP requires whitelisting each SP, the settings page has links to download the SP XML metadata, or you can provide that URL to your IdP administrator.

For most simple setups this is enough to get authentication working; there are many more settings to define how to handle new accounts, dual authentication, and to easily debug the plugin if things are not working.

If you have issues please log them in github here:

https://github.com/CatalystIT-AU/moodle-auth_saml2/issues

Or if you want paid support please contact Catalyst IT Australia:

https://www.catalyst-au.net/contact-us

Testing

This plugin has been tested against:

  • SimpleSamlPHP set up as an IdP
  • openidp.feide.no
  • testshib.org
  • An AAF instance of Shibboleth

Other SAML plugins

The diversity and variable quality and features of the SAML Moodle plugins reflect a great need for a solid SAML plugin, and the neglect to do it properly in core. SAML2 is by far the most robust and widely supported protocol across the internet and should be fully integrated into Moodle core, as both a Service Provider and as an Identity Provider, without any external dependencies to manage.

Here is a quick run down of the alternatives:

Core:

  • /auth/shibboleth - This requires a separately installed and configured Shibboleth install

One big issue with this, and with the category below, is that there is a whole extra application between Moodle and the IdP, so the login and logout processes have more latency due to the extra redirects. Latency on potentially slow mobile networks is by far the biggest bottleneck for login speed and the biggest complaint from end users in our experience.

Plugins that require SimpleSamlPHP

These are all forks of each other, and unfortunately have diverged quite early or have no common git history making it difficult to cross port features or fixes between them.

Plugins which embed a SAML client lib:

These are generally much easier to manage and configure as they are standalone.

  • https://moodle.org/plugins/view/auth_onelogin_saml - This one uses its own embedded SAML library, which is great and promising; however it doesn't support 'back channel logout', which is critical for security in any large organisation.

  • This plugin, with an embedded and dynamically configured SimpleSamlPHP instance under the hood

Warm thanks

Thanks to the various authors and contributors to the other plugins above.

Thanks to LaTrobe university in Melbourne for sponsoring the initial creation of this plugin:

http://www.latrobe.edu.au

Thanks to Centre de gestion informatique de l’éducation in Luxembourg for sponsoring the user autocreation and field mapping work:

http://www.cgie.lu

This plugin was developed by Catalyst IT Australia:

https://www.catalyst-au.net/

Contributors

Catalyst IT (Lead maintainer)
Adam Riddell: Developer
Daniel Thee Roperto: Developer

Comments

  • Wazza
    Wed, 7 Feb 2018, 5:28 PM
    I downgraded to version 2018011502 (2018011502) and now it works again. So Brendan, there's something wrong with the latest version. It has to do with the validation of the data you input in the settings form
  • Daniel Thee Roperto
    Thu, 8 Feb 2018, 6:38 AM
    Hi Richard.

    Please notice that at the moment there are two different versions of the plugin, one works until Moodle 32 and the other one from Moodle 33 onwards.

    We are putting some effort into creating a unique version that works for all Moodles, but for the time being please ensure you have the correct version.

    If you are still experiencing problems, can you please create an issue on GitHub describing the situation:

    https://github.com/catalyst/moodle-auth_saml2/issues

    Thank you
  • Wazza
    Thu, 8 Feb 2018, 5:35 PM
    Daniel, I don't know if this is a bug worth reporting. It's just that version 2018020200 (which says it is for Moodle 3.4) does NOT work for my Moodle 3.4. However, version 2018011502 (which says it's for Moodle 2.7-3.2) does work for my Moodle 3.4.

    Since uninstalling the plugin or downgrading the plugin is impossible, I had to change the version of 2018011502 to 2018020800 to get my SAML login working again.
  • Daniel Thee Roperto
    Fri, 9 Feb 2018, 7:50 AM
    Hi Richard. We will do some further testing as AFAIK the version 2018011502 uses some APIs deprecated in Moodle 3.3 -- especially regarding the settings page.

    We will do some further investigation, but if you come across a bug in the meantime please let us know here or through GitHub.

    Thank you for the information so far,

    Daniel
  • Daniel Thee Roperto
    Fri, 9 Feb 2018, 8:49 AM
    Hi Richard

    I tested the following version:

    https://moodle.org/plugins/download.php/15963/auth_saml2_moodle34_2018020200.zip

    with my Moodle 3.4 and it worked fine.

    Can you double check that's the version you used, and in case it still doesn't work with Moodle 3.4 can you provide me what is the problem?

    Thank you

    Daniel
  • Wazza
    Fri, 9 Feb 2018, 5:18 PM
    Right now I'm using Moodle 3.4.1+ (Build: 20180201) Version 2017111301.03 and SAML2 version 2018011502 (2018011502). That's the only combo I get working on my site.

    The problem I have with SAML2 version 2018020200 (2018020200) is that it will not store my configuration. (see my post above di, 6 feb 2018, 22:36)
  • Daniel Thee Roperto
    Mon, 12 Feb 2018, 6:31 AM
    Hi Richard. My guess is that this happened because, as you changed the version manually, it did not run the upgrade process which changed the way configuration is stored in the database. As I tried with a fresh install, I did not run into this issue.

    Without the upgrade script you probably lose all the current configuration as they are stored under another name, but if you "save" them again it should persist correctly.

    If you have some Moodle DB knowledge, in table "config_plugins" the settings are now stored under plugin "auth/saml2" and before it was "auth_saml2".

    Regarding the error that "the URL is not valid", I will have to double check here. In the meantime, have you tried copying & pasting the metadata from the URL into the textarea, instead of using the URL itself?

    Does that information help?
  • Wazza
    Mon, 12 Feb 2018, 4:29 PM
    This information certainly helps. Couldn't find in the database where stuff was stored. I will test this week, see if it works out ok. Copying the metadata instead of the URL might be worth a try too!
  • Wazza
    Mon, 12 Feb 2018, 5:37 PM
    Hi Daniel,
    Copy and paste of the data in the first field instead of the URL seems to work. Weird that I had to change this after upgrading from Moodle 3.1 to 3.4.

    However, I'm stuck at the next problem: the field 'Mapping IdP' contained a URL and now also says 'This value is not valid'. The URL that was in this field no longer seems to be a valid input.

    What usually needs to be the input here? In the old version for me it said http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn but this is no longer accepted as valid input.
  • Brendan Heywood
    Mon, 12 Feb 2018, 6:32 PM
    Hi Richard,

    This is a known issue, there are a couple of workarounds which you can read about here:

    https://github.com/catalyst/moodle-auth_saml2#debugging

    and here:

    https://github.com/catalyst/moodle-auth_saml2/issues/124

    The root cause was actually a bug in moodle core itself, which was logged and fixed here:

    https://tracker.moodle.org/browse/MDL-60968

    If you have the latest 3.4 then this should work.
  • Wazza
    Mon, 12 Feb 2018, 7:36 PM
    Thanks, tried a couple of work-arounds and now it's working. I don't think I'm on the latest of the latest Moodle yet, but I will be next Monday so this will work out then.

    Thanks again Brendan and Daniel!
  • Wazza
    Mon, 19 Feb 2018, 7:29 PM
    Downloaded latest Moodle version AND latest SAML plugin, unfortunately I can't get it to work. Now I get this message: SAML2 exception: Responder

    Any ideas? The previous version of SAML worked for me.
  • Daniel Thee Roperto
    Tue, 20 Feb 2018, 6:28 AM
    Hi Richard,

    We are slowly rolling out the update into our Moodle instances, so far I have not encountered this problem. Something that has come up is related to the settings when updating from a version for Moodle 32 or older, please see if this is related.

    A few settings in the plugin could be potentially lost, or not applied properly. You mentioned before that you could not apply the metadata as an URL, has it been fixed for you now?

    As we unified the plugin for all Moodle versions, there were a few inconsistencies such as default values and setting names being different. I found and raised a few of them, but there could be more.

    My suggestion is to check again if the plugin settings are correct after the update. If you still have problems and have a test site where you can tweak the plugin config database (check for auth/saml2 and auth_saml2 -- there should be no more settings with slashes only underscore). Another suggestion is to clean sitedata/saml2 folder and recreate the metadata and certificates, if you find something on those areas that is related to the problem please let me know so I can investigate further.

    Thanks for reporting, let me know if any of that helps.
  • Daniel Thee Roperto
    Tue, 20 Feb 2018, 10:05 AM
    Hi Richard.

    I reproduced that bug, created https://github.com/catalyst/moodle-auth_saml2/issues/195 if you want to follow once we have a solution.

    Cheers,

    Daniel
  • Wazza
    Tue, 20 Feb 2018, 6:19 PM
    Hi Daniel,

    1. We did an upgrade from Moodle 3.1 to 3.4, so yes this problem could be related to a pre-3.2 installation
    2. The URL can still not be put in the first field, I need to copy and paste the XML there
    3. I had a tech guy from our organisation look at it. He commented this routine out in /auth/saml2/extlib/simplesamlphp/modules/saml/lib/Messages.php

    /*
    // get the NameIDPolicy to apply. IdP metadata has precedence.
    $nameIdPolicy = array();
    if ($idpMetadata->hasValue('NameIDPolicy')) {
        $nameIdPolicy = $idpMetadata->getValue('NameIDPolicy');
    } elseif ($spMetadata->hasValue('NameIDPolicy')) {
        $nameIdPolicy = $spMetadata->getValue('NameIDPolicy');
    }

    if (!is_array($nameIdPolicy)) {
        // handle old configurations where 'NameIDPolicy' was used to specify just the format
        $nameIdPolicy = array('Format' => $nameIdPolicy);
    }

    $nameIdPolicy_cf = SimpleSAML_Configuration::loadFromArray($nameIdPolicy);
    $policy = array(
        'Format' => $nameIdPolicy_cf->getString('Format', \SAML2\Constants::NAMEID_TRANSIENT),
        'AllowCreate' => $nameIdPolicy_cf->getBoolean('AllowCreate', true),
    );
    $spNameQualifier = $nameIdPolicy_cf->getString('SPNameQualifier', false);
    if ($spNameQualifier !== false) {
        $policy['SPNameQualifier'] = $spNameQualifier;
    }
    $ar->setNameIdPolicy($policy);
    */

    Now everything works fine again. However, afterwards I have seen there are different routines in different versions for the above. One of them actually honours the 'NameIDPolicy' => null setting and skips the above routine when this is set.

    So I don't know exactly what's going on... maybe you do?
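As an added example (not code from the plugin, from SimpleSAMLphp, or from anyone in this thread), here is a Python port of the NameIDPolicy routine quoted in the post above, extended with the explicit-null case the post says other versions honour, plus a renderer for the <samlp:NameIDPolicy> element the IdP actually receives in the AuthnRequest. The metadata dicts are plain Python stand-ins for the SimpleSAMLphp configuration objects, and the sample URNs and qualifier are constructed.

```python
import xml.etree.ElementTree as ET

NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("samlp", SAMLP_NS)


def build_nameid_policy(idp_metadata, sp_metadata):
    """Pick the NameIDPolicy for the AuthnRequest, or None to send none.

    Same precedence as the quoted routine: IdP metadata beats SP metadata,
    a bare string is the legacy "just the Format" form.  An explicit None
    (PHP null) is the extra case: skip setNameIdPolicy() entirely.
    """
    if "NameIDPolicy" in idp_metadata:
        raw = idp_metadata["NameIDPolicy"]
    elif "NameIDPolicy" in sp_metadata:
        raw = sp_metadata["NameIDPolicy"]
    else:
        raw = {}
    if raw is None:  # 'NameIDPolicy' => null: do not request any policy
        return None
    if not isinstance(raw, dict):  # legacy: 'NameIDPolicy' => '<format urn>'
        raw = {"Format": raw}
    policy = {
        "Format": raw.get("Format", NAMEID_TRANSIENT),
        "AllowCreate": bool(raw.get("AllowCreate", True)),
    }
    qualifier = raw.get("SPNameQualifier", False)
    if qualifier is not False:
        policy["SPNameQualifier"] = qualifier
    return policy


def nameid_policy_xml(policy):
    """Render <samlp:NameIDPolicy> as the IdP will see it in the AuthnRequest."""
    if policy is None:
        return ""  # no element at all: the IdP applies its own default
    el = ET.Element(f"{{{SAMLP_NS}}}NameIDPolicy")
    el.set("Format", policy["Format"])
    el.set("AllowCreate", "true" if policy["AllowCreate"] else "false")
    if "SPNameQualifier" in policy:
        el.set("SPNameQualifier", policy["SPNameQualifier"])
    return ET.tostring(el, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: SP asks for an email NameID, IdP metadata says nothing.
    sp = {"NameIDPolicy": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}
    print(nameid_policy_xml(build_nameid_policy({}, sp)))
```

Comparing the rendered element against what the IdP is configured to issue is a safer way to diagnose a mismatch than removing the routine from the library, because a missing element leaves the NameID format entirely to the IdP's discretion.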