SAML2 Single sign on

Authentication ::: auth_saml2
Maintained by Catalyst IT, Brendan Heywood, Rossco Hellmans
SAML done 100% in moodle, fast, simple, secure
Latest release:
3398 sites
3k downloads
87 fans
Current versions available: 3

What is this?

This plugin does authentication, user auto creation with field mapping.

Why is it better?

  • 100% configured in the Moodle GUI - no installation of a whole separate app, and no touching of config files or generating certificates.
  • Minimal configuration needed, in most cases just copy the IdP metadata in and then give the SP metadata to your IdP admin and that's it.
  • Fast! - 3 redirects instead of 7
  • Supports back channel Single Logout which most big organisations require (unlike OneLogin)

How does it work?

It completely embeds a SimpleSamlPHP instance as an internal dependancy which is dynamically configured the way it should be and inherits almost all of it's configuration from Moodle configuration. In the future we should be able to swap to a different internal SAML implementation and the plugin GUI shouldn't need to change at all.

Features

  • Dual login VS forced login for all as an option, with ?saml=off on the login page for manual accounts, and ?saml=on supported everywhere to deep link and force login via saml if dual auth is on.
  • SAML attributes to Moodle user field mapping
  • Automatic certificate creation
  • Optionally auto create users

Features not yet implemented:

  • Enrolment - this should be an enrol plugin and not in an auth plugin
  • Role mapping - not yet implemented

Installation

1) Install the plugin the same as any standard moodle plugin either via the Moodle plugin directory, or you can use git to clone it into your source:

git clone git@github.com:catalyst/moodle-auth_saml2.git auth/saml2

2) Then run the Moodle upgrade 3) If your IdP has a publicly available XML descriptor, copy this url into the SAML2 auth config settings page 4) If your IdP requires whitelisting each SP then in the settings page is links to download the XML, or you can provide that url to your IdP administrator.

For most simple setups this is enough to get authentication working, there are many more settings to define how to handle new accounts, dual authentication, and to easily debug the plugin if things are not working.

If you have issues please log them in github here:

https://github.com/catalyst/moodle-auth_saml2/issues

Or if you want paid support please contact Catalyst IT Australia:

https://www.catalyst-au.net/contact-us

Testing

This plugin has been tested against:

  • SimpleSamlPHP set up as an IdP
  • openidp.feide.no
  • testshib.org
  • An AAF instance of Shibboleth

Other SAML plugins

The diversity and variable quality and features of SAML Moodle plugins is a reflection of a great need for a solid SAML plugin, but the neglect to do it properly in core. SAML2 is by far the most robust and supported protocol across the internet and should be fully integrated into moodle core as both a Service Provider and as an Identity Provider, and without any external dependencies to manage.

Here is a quick run down of the alternatives:

Core:

  • /auth/shibboleth - This requires a separately installed and configured Shibbolleth install

One big issue with this, and the category below, is as there is a whole extra application between moodle and the IdP, so the login and logout processes have more latency due to extra redirects. Latency on potentially slow mobile networks is by far the biggest bottle neck for login speed and the biggest complaint by end users in our experience.

Plugins that require SimpleSamlPHP

These are all forks of each other, and unfortunately have diverged quite early or have no common git history making it difficult to cross port features or fixes between them.

Plugins which embed a SAML client lib:

These are generally much easier to manage and configure as they are standalone.

  • https://moodle.org/plugins/view/auth_onelogin_saml - This one uses it's own embedded saml library which is great and promising, however it doesn't support 'back channel logout' which is critical for security in any large organisation.

  • This plugin, with an embedded and dynamically configured SimpleSamlPHP instance under the hood

Warm thanks

Thanks to the various authors and contributors to the other plugins above.

Thanks to LaTrobe university in Melbourne for sponsoring the initial creation of this plugin:

http://www.latrobe.edu.au

LaTrobe

Thanks to Centre de gestion informatique de l’éducation in Luxembourg for sponsoring the user autocreation and field mapping work:

http://www.cgie.lu

CGIE

This plugin was developed by Catalyst IT Australia:

https://www.catalyst-au.net/

Catalyst IT


Screenshots

Screenshot #0

Contributors

Catalyst IT (Lead maintainer)
Brendan Heywood: Solutions Architect
Rossco Hellmans: Developer
Adam Riddell: Developer
Daniel Thee Roperto: Developer
Kristian Ringer: Developer
Please login to view contributors details and/or to contact them

Comments RSS

Prikaži komentare
  • P G
    уто, 8. јун 2021, 18:10
    Hi,
    I have installed the SAML2 plugin in moodle and tried to integrate with the okta. But the IdP was not recognized on doing the test settings and an exception - "Exception - Could not find the metadata of an IdP with entity ID and some junk Id" is thrown. This was in https environment. In http environment the integration was successful.

    Kindly help with this issue.
    Thank you
  • Csaba Gloner
    сре, 9. јун 2021, 15:59
    Re my question about user creation and the error message "You are logged in to your identity provider however, this account has limited access to Moodle, please contact your administrator for more details" as it turned out it was caused by an entry in the allowed domains field. Removing it solved the problem.
  • Zuheb A
    пет, 18. јун 2021, 21:16
    I have installed this plugin in my moodle 3.10 and configured Auth0 IDP. if i login using manual idp login url am able to login into moodle.

    if i use moodle's saml login button from login screen i am getting this error:

    Exception - Failure Signing Data: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error - SHA256

    please help me to fix this issue
  • Aaron Babitzke
    чет, 30. сеп 2021, 03:16
    Does anyone know if there is a way to get the Android/iPhone moodle app to work with the SAML2 authentication type that this plugin uses?
    It looks like the Moodle App only uses the default login window.
  • Aaron Batty
    сре, 6. окт 2021, 10:51
    I, too, was suddenly running into the "You are logged in to your identity provider however, this account has limited access to Moodle" problem with new sign-ins. This feature was working with my previous version of 3.9, but either the update to 3.9.9 or the update of SAML2 to 2021062900 (or the combination thereof) introduced this issue (or perhaps a change with my iDP?). As Csaba Gloner found above, it is possible to address by taking out the allowed domains in the authentication settings (not the SAML2 settings), but this is not a great solution, as I don't want students changing their Moodle addresses to non-university addresses.

    If anyone has any idea why/how this happened and/or ideas on how to address it, I'd love to hear them. It makes no sense.
  • Charlie Villa
    суб, 9. окт 2021, 04:08
    Can I use this plugin to make my moodle a Service Provider?

    I have a Drupal site configured as Identity Provider using SimpleSamlphp.

    Is there anyone who has done something like this that can help me? I have spent several weeks trying to do this with no success.
  • Charlie Villa
    чет, 21. окт 2021, 02:06
    Hi guys.

    I am currently trying to configure my Moodle as a Service Provider (SP) using SAML. I have already configured correctly my Identity Provider (IDP). And to be able to contact it from my Moodle (SP) I am using the plugin: SAML2 Single sign on.

    Everything is fine up to a certain point.

    When I try to authenticate for the first time from Moodle, everything works great. However if I logout and log-in again I get the following error:

    Login error
    Can't create a new account, because xxxxx@xxxx.xxx email address is already registered

    And the authentication is not successful.

    I have configured the plugin to register the user account in Moodle the first time I perform the authentication (using the plugin option: Auto create users).

    I don't understand the inner workings, but shouldn't it bypass this if the account is already in the system?

    I have also seen that in the general authentication section there is an option called: Prevent account creation when authenticating. But I have it disabled, because I want the account to be created when the user authenticates for the first time.

    My questions: How do I get the user to authenticate and the system does not try to create the account in moodle if it is already created? Because at the moment I can't re-authenticate.

    What changes should I make in the system, should I program something?
  • Charlie Villa
    чет, 21. окт 2021, 12:52
    I was able to solve the problem. It was simply a detail with the attributes mapping. The plugin works really well.
  • Ronald Vyhmeister
    чет, 19. мај 2022, 00:12
    I really need to map the SAML login to a custom field... Is there any simple way of doing this? What am I missing.
  • Markus Münch
    пон, 5. сеп 2022, 17:10
    Hello
    Is there a way, to translate the login button to different languages? So far, the ones in the language packs are just for the backend strings
    Thanks a lot!
  • Silvia Pinheiro
    сре, 7. дец 2022, 18:04
    Hello, I've tried to update this plugin twice now and it keeps coming back with the same error: SAML2 exception: The username must be in lower case

    I've tried to debug it but it's hard on localhost. The usernames we use are lowercase, however each time I'm logging with a new account, this error happens. Can I past here the error message or should I open a post on moodle forum please? Thank you
  • Jeff White
    уто, 25. јул 2023, 01:25
    When will this plugin update to the latest release of simplesamlphp? Our security scans found several major vulnerabilities that need to be addressed.
  • Thomas Johansson
    уто, 12. сеп 2023, 04:01
    Hi,
    When will you release a version for moodle 4.2?
  • Alain Raap
    чет, 19. окт 2023, 23:08
    I have a (NOAUTH) problem with the use with Redis, we use Redis with authentication, but where can I configure this in the plugin?
  • James Swash
    пет, 23. феб 2024, 19:46
    Is there a way to initiate the bulk creation of users from the IDP into Moodle, with a cron task perhaps?
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Please login to post comments