Authentication: SAML2 Single sign on

auth_saml2
Maintained by Picture of Catalyst IT Catalyst IT, Picture of Brendan Heywood Brendan Heywood, Picture of Adam Riddell Adam Riddell, Picture of Daniel Thee Roperto Daniel Thee Roperto
SAML done 100% in moodle, fast, simple, secure
616 sites
1k downloads
29 fans

What is this?

This plugin does authentication, user auto creation with field mapping.

Why is it better?

  • 100% configured in the Moodle GUI - no installation of a whole separate app, and no touching of config files or generating certificates.
  • Minimal configuration needed, in most cases just copy the IdP metadata in and then give the SP metadata to your IdP admin and that's it.
  • Fast! - 3 redirects instead of 7
  • Supports back channel Single Logout which most big organisations require (unlike OneLogin)

How does it work?

It completely embeds a SimpleSamlPHP instance as an internal dependancy which is dynamically configured the way it should be and inherits almost all of it's configuration from Moodle configuration. In the future we should be able to swap to a different internal SAML implementation and the plugin GUI shouldn't need to change at all.

Features

  • Dual login VS forced login for all as an option, with ?saml=off on the login page for manual accounts, and ?saml=on supported everywhere to deep link and force login via saml if dual auth is on.
  • SAML attributes to Moodle user field mapping
  • Automatic certificate creation
  • Optionally auto create users

Features not yet implemented:

  • Enrolment - this should be an enrol plugin and not in an auth plugin
  • Role mapping - not yet implemented

Installation

1) Install the plugin the same as any standard moodle plugin either via the Moodle plugin directory, or you can use git to clone it into your source:

git clone git@github.com:CatalystIT-AU/moodle-auth_saml2.git auth/saml2

2) Then run the Moodle upgrade 3) If your IdP has a publicly available XML descriptor, copy this url into the SAML2 auth config settings page 4) If your IdP requires whitelisting each SP then in the settings page is links to download the XML, or you can provide that url to your IdP administrator.

For most simple setups this is enough to get authentication working, there are many more settings to define how to handle new accounts, dual authentication, and to easily debug the plugin if things are not working.

If you have issues please log them in github here:

https://github.com/CatalystIT-AU/moodle-auth_saml2/issues

Or if you want paid support please contact Catalyst IT Australia:

https://www.catalyst-au.net/contact-us

Testing

This plugin has been tested against:

  • SimpleSamlPHP set up as an IdP
  • openidp.feide.no
  • testshib.org
  • An AAF instance of Shibboleth

Other SAML plugins

The diversity and variable quality and features of SAML Moodle plugins is a reflection of a great need for a solid SAML plugin, but the neglect to do it properly in core. SAML2 is by far the most robust and supported protocol across the internet and should be fully integrated into moodle core as both a Service Provider and as an Identity Provider, and without any external dependencies to manage.

Here is a quick run down of the alternatives:

Core:

  • /auth/shibboleth - This requires a separately installed and configured Shibbolleth install

One big issue with this, and the category below, is as there is a whole extra application between moodle and the IdP, so the login and logout processes have more latency due to extra redirects. Latency on potentially slow mobile networks is by far the biggest bottle neck for login speed and the biggest complaint by end users in our experience.

Plugins that require SimpleSamlPHP

These are all forks of each other, and unfortunately have diverged quite early or have no common git history making it difficult to cross port features or fixes between them.

Plugins which embed a SAML client lib:

These are generally much easier to manage and configure as they are standalone.

  • https://moodle.org/plugins/view/auth_onelogin_saml - This one uses it's own embedded saml library which is great and promising, however it doesn't support 'back channel logout' which is critical for security in any large organisation.

  • This plugin, with an embedded and dynamically configured SimpleSamlPHP instance under the hood

Warm thanks

Thanks to the various authors and contributors to the other plugins above.

Thanks to LaTrobe university in Melbourne for sponsoring the initial creation of this plugin:

http://www.latrobe.edu.au

LaTrobe

Thanks to Centre de gestion informatique de l’éducation in Luxembourg for sponsoring the user autocreation and field mapping work:

http://www.cgie.lu

CGIE

This plugin was developed by Catalyst IT Australia:

https://www.catalyst-au.net/

Catalyst IT


Screenshots

Screenshot #0

Contributors

Picture of Catalyst IT
Catalyst IT (Lead maintainer)
Picture of Adam Riddell
Adam Riddell: Developer
Picture of Daniel Thee Roperto
Daniel Thee Roperto: Developer
Please login to view contributors details and/or to contact them

Comments RSS

Show comments
  • Wazza
    Tue, 20 Feb 2018, 6:19 PM
    Hi Daniel,

    1, We did an upgrade from Moodle 3.1 to 3.4, so yes this problem could be related to a pre-3.2 installation
    2. The URL can still not be put in the first field, I need to copy and paste the XML there
    3. I had a tech-guy from our organisation look at it. He commented this routine out in /auth/saml2/extlib/simplesamlphp/modules/saml/lib/Messages.php

    /*
    // get the NameIDPolicy to apply. IdP metadata has precedence.
    $nameIdPolicy = array();
    if ($idpMetadata->hasValue('NameIDPolicy')) {
    $nameIdPolicy = $idpMetadata->getValue('NameIDPolicy');
    } elseif ($spMetadata->hasValue('NameIDPolicy')) {
    $nameIdPolicy = $spMetadata->getValue('NameIDPolicy');
    }

    if (!is_array($nameIdPolicy)) {
    // handle old configurations where 'NameIDPolicy' was used to specify just the format
    $nameIdPolicy = array('Format' => $nameIdPolicy);
    }

    $nameIdPolicy_cf = SimpleSAML_Configuration::loadFromArray($nameIdPolicy);
    $policy = array(
    'Format' => $nameIdPolicy_cf->getString('Format', \SAML2\Constants::NAMEID_TRANSIENT),
    'AllowCreate' => $nameIdPolicy_cf->getBoolean('AllowCreate', true),
    );
    $spNameQualifier = $nameIdPolicy_cf->getString('SPNameQualifier', false);
    if ($spNameQualifier !== false) {
    $policy['SPNameQualifier'] = $spNameQualifier;
    }
    $ar->setNameIdPolicy($policy);
    */

    Now everything works fine again. However, afterwards I have seen there are different routines in different versions for the above. One of them actually honours the 'NameIDPolicy' => null setting and skips the above routine when this is set.

    So I don't know exactly what's going on... maybe you do?
  • Picture of Daniel Thee Roperto
    Wed, 21 Feb 2018, 7:23 AM
    Hi Richard, thank you for the information, it is helpful. I am doing some final checks in the plugin before I release it again but it seems that the problem was regenerating the SP certificates and them we have to "save" again the configuration (even if no changes) to update its internal references.

    I already removed the "regenerate certificate" part and now I am looking into the upgrade script to see how can I automate that, but at least the workaround seems to be working fine (save again the configuration).
  • Picture of Paul M
    Thu, 15 Mar 2018, 4:18 PM
    Hi

    I've read earlier comments that this plugin does not support an IDP initiated process but there may be an opportunity to sponsor this feature being built. We currently have a requirement for this and it is something we would be interested in sponsoring. I can see from your website there are various offices over the world so who would be best to contact regarding this? We are a UK based company.

    Cheers
  • Picture of A Guy
    Mon, 26 Mar 2018, 10:17 PM
    If anyone is having problems with using the 2018032000 version for 3.4 after upgrading to 3.4 I had the same problem. But to fix it I had completely uninstall the plugin from code to database to moodledata/saml2 folder. Then reinstall it. I never got the SP metadata SSL cert to update after copying in our cert/key. So I had to manually copy the cert into the moodledata/saml2/[sp].xml file as it wouldn't update with me just moving the cert/key into the moodledata/saml2 directory like in a previous version. The SSO was working at that point. But when I turned on debugging to troubleshoot this I saw LOTS of PHP deprecated errors around suing the assert function. I updated our PHP to 7.2.3 given to keep up with the PHP security patches. Hope this helps someone else out there who had this installed from times past.
  • Me
    Tue, 27 Mar 2018, 11:20 PM
    I have installed the plugin and I've implemented an idp using simplesamlphp on my server.
    My idp has a certificate through letsencrypt.
    I got my idp metadata xml to the plugin and when trying to test a login i recieve the following error

    Exception: Failure Signing Data: error:0906D06C:PEM routines:PEM_read_bio:no start line - 1

    sorry in advance if this doesn't fit here, I'm not sure if this is something related to the plugin or to my simplesamlphp configuration
  • Me
    Wed, 28 Mar 2018, 4:15 PM
    I took care of it by creating a self signed certificate in my simplesamlphp cert folder.
    But now i have another issue which i'm pretty sure is related to the plugin, after authenticating through my idp which is successful i'm redirected to moodle to the profile edit page (i checked "auto create users"), but i am not able to add any details and save them because i keep getting thrown back into the login page after pressing the save button.
    I've checked the database and in the "password" column for this newly created user it says "not cached", isn't the password supposed to get updated in moodle from the idp?
  • Picture of Daniel Thee Roperto
    Thu, 29 Mar 2018, 6:43 AM
    Hi Ben,

    Regarding not being able to save the profile fields -- if you are still having problems -- I'd suggest opening an issue at: https://github.com/catalyst/moodle-auth_saml2/issues

    Remember you can also map the user fields from you IDP so they are filled in Moodle automatically.

    The password should not be saved inside Moodle as the authentication is done by the IdP, Moodle does not need to know the user's password.

    Cheers,

    Daniel
  • Picture of Razzak Hussain
    Mon, 9 Apr 2018, 3:12 PM
    Dear Daniel

    I just wanted to know whether it is possible to get the password from Active Directory?

    If yes, can we update it in MOODLE similar to other data mapping fields?

    Reference site: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims

    Required claim rule to get the user account password: http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod/password

    Looking forward for your valuable suggestion.

    Regards
    Razzak
  • Picture of Harold Yung
    Fri, 4 May 2018, 9:50 AM
    Dear Daniel,

    I have problems when using SAML2 authentication on mobile device. The mobile app (Moodle official app) does not redirect me to my college SSO page. The access through desktop or mobile web browser is work well!!!!

    And I tried another saml auth plugin (but they have another problem so I don't want to choose it) and it can successfully redirect me to SSO in Moodle official mobile app.

    If I make any mistakes on the setting?

    Thanks.
    Harold
  • Picture of A Guy
    Sat, 5 May 2018, 5:06 AM
    I upgraded my saml2 plugin from 03/20 to the latest version which is 03/29. It broke the SSO again like when I upgraded to the 03/20. To fix that upgrade I had to delete it from the code, moodledata, and db. I tried that twice this time without it fixing the issue. You don't have any of the previous versions to revert back to. Do you have any ideas? I am getting the same exact error I got before that I troubleshot for hours with the IDP finding nothing: (SimpleSAML_exception_handler)
    0 [builtin] (N/A)
    Caused by: Exception: Unable to validate signature on query string.
    Backtrace:
    Again only uninstalling your plugin and reinstalling it fix it. It doesn't this time. Do have any suggestions here?
  • Picture of Daniel Thee Roperto
    Mon, 7 May 2018, 7:40 AM
    Hi Razzak. As fas as I know we don't have any feature to fetch the password in the AD -- Moodle does not need this information in a normal install because the IdP will be the one authenticating the user. If you are willing to sponsor the development please contact us, see https://github.com/catalyst/moodle-auth_saml2#support -- Thank you
  • Picture of Daniel Thee Roperto
    Mon, 7 May 2018, 7:43 AM
    Hi Harold, I personally have not tested this with the mobile version but I'd expect it to work. If you are still having problems, can you create an issue on GitHub we can register the problem? https://github.com/catalyst/moodle-auth_saml2/issues Thank you
  • Picture of Daniel Thee Roperto
    Mon, 7 May 2018, 7:45 AM
    Hi A Guy, sorry to hear it is not working for you. Can you please create an issue on https://github.com/catalyst/moodle-auth_saml2/issues providing some details of you Moodle (version) and IdP so we can try to figure out what is wrong? Regarding the previous versions, you can find them all here: https://github.com/catalyst/moodle-auth_saml2/releases Cheers Daniel
  • Picture of Harold Yung
    Tue, 15 May 2018, 4:17 PM
    Hi Daniel,

    I am sorry that I make a mistake. I forget to change the Type of login for Mobile authentication as "Via a browser window (for SSO plugins)". After setting update, every things work well. Your plugin is perfect. Many thanks!
  • Picture of Daniel Thee Roperto
    Wed, 16 May 2018, 7:42 AM
    Hi Harold, no need to apologise, thank you for sharing the solution as it can help myself and other people using this plugin. Cheers!
1 2 3 4 5 6 7 8 9
Please login to post comments