Authentication: SAML2 SSO Auth

auth_saml2sso
Maintained by Picture of Daniel Miranda Daniel Miranda
Authentication using exists SimpleSAMLphp Service Provider
30 sites
146 downloads
4 fans

SAML2 SSO Authentication using exists SimpleSAMLphp Service Provider


You'll need the following pre-requirement:

  • A working SimpleSAMLphp Service Provider (SP) installation (https://simplesamlphp.org) working means that the metadata from SP must be registered in Identity Provider (IdP). Can be found in /config/authsources.php
  • The absolute path for the SimpleSAMLphp installation on server
  • The authsource name from SP in which your users will authenticate against

There are a couple of related SAML plugins for Moodle. Below are the main diferences between this plugin, named as saml2sso, and the others. 

The key for this plugin is that you can use your exists Service Provider (SP) without need to exchange the metadata with the Identity Provider (IdP) for every new Moodle instances. (for instances in the same host name)


The following options can be set in config:

  • SimpleSAMLphp installation path
  • Dual login (Yes/No) - Can login with manual accounts like admin
  • Single Sign Off (Yes/No) - Should we sign off users from Moodle and IdP?
  • Username mapping - Which attribute from IdP should be used for username
  • Username checking - Where to check if the username exists
  • Auto create users - (Allow create new users)
  • SP source name (generally default-sp in SimpleSAMLphp)
  • Logout URL to redirect users after logout
  • Allow users to edit or not the profile
  • Ability to break the full name from IdP into firstname and lastname

To bypass the authentication and login directly in Moodle (ex.: using admin account), add the saml=off parameter in the URL (ex.: https://my.moodle/login/index.php?saml=off)

Screenshots

Screenshot #0
Screenshot #1

Contributors

Picture of Daniel Miranda
Daniel Miranda (Lead maintainer)
Please login to view contributors details and/or to contact them

Comments RSS

Show comments
  • Picture of ivan matviyuk
    Thu, 6 Oct 2016, 9:50 PM
    Hi Daniel,

    Apologies, i do not have access to my test installation now. I should have feedback on Monday, sorry for that

    Best regards,
    Ivan
  • Picture of ivan matviyuk
    Mon, 10 Oct 2016, 4:53 PM
    Hi Daniel,

    Great job, thanks a lot! I am happy to recommend this plugin to be approved

    Best regards,
    Ivan
  • Picture of David Mudrák
    Mon, 10 Oct 2016, 7:41 PM

    Thank you guys so much for this excellent example of how a plugin approval peer-review can improve the plugin for everybody. I am happy to approve this now. You are cleared to land, welcome to the Plugins directory!

  • Picture of Sean Bradley
    Fri, 9 Dec 2016, 2:38 PM
    Sadly, this doesn't seem to work with 3.2.

    simplesamlphp tests fine, but when I try to use this plug-in to authenticate, I get:

    Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] SimpleSAML_Error_NoState: NOSTATE
    Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] Backtrace:
    Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] 2 /var/simplesamlphp/lib/SimpleSAML/Auth/State.php:232 (SimpleSAML_Auth_State::loadState)
    Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] 1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:54 (require)
    Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] 0 /var/simplesamlphp/www/module.php:135 (N/A)

  • Picture of Daniel Miranda
    Sat, 10 Dec 2016, 11:44 PM
    Hey Sean, can you provide more information about the error.
    I tested the last release with Moodle 3.2 and everything works fine.
    It seems to be a simplesamlphp releated error. Generally a bad configuration.
    You can add a issue in github tracker with error print.

    Thank you.
  • Picture of Anderson Hsu
    Sat, 12 Aug 2017, 9:21 PM
    Can we use the plugin for Signal Sign On with confluence ? We use ldap account to login moodle and confluence. We try to find signal sign on way for them. Thanks a lot.
  • Picture of Daniel Miranda
    Sat, 12 Aug 2017, 9:58 PM
    If you already have a working LDAP, I think it is better to use the Moodle Core LDAP login method.
    A SAML Identity Provider should be used to agregate more than one different authentication method.
    If you can, set it up for example a SimpleSAMLphp Identity provider that authenticate your users on LDAP and then use this plugin to login Moodle users. In Confluence you can use any other SAML plugin. It is a bit confuse to start from scracth.
    This plugin will only works with SimpleSAMLphp Service Provider.
  • Picture of IS Licenses
    Thu, 14 Sep 2017, 3:37 AM
    Hi Daniel

    We currently have moodle 3.3.1 and SimpleSAMLphp 1.14.15.
    SimpleSAMLphp is configured with an SP source name (wcchc-cloud) and the IdP is Microsoft ADFS.
    The SimpleSAMLphp test authentication works fine.

    When I attempt to log in to moodle using the plugin, it repeatedly authenticates against the IdP and after 6 tries Microsoft ADFS simply returns a responder error.

    And it doesn't seem to matter what combination of settings I try either in the SAML2 SSO Auth page or on the IdP side.

    Any assistance would be greatly appreciated it.

    Thank you, John Willams
  • Picture of Daniel Miranda
    Thu, 14 Sep 2017, 4:11 AM
    You should verify the returned attributes from the IdP and assure that the fields are correctly set in config page. You can get the attributes from IdP page (module.php/core/authenticate.php?as=wcchc-cloud).

    Can you please submit the response error from ADFS?
  • Picture of IS Licenses
    Thu, 14 Sep 2017, 6:55 AM
    Thanks Daniel for your reply

    So ADFS does respond with attributes and this what I see right now on module.php/core/authenticate.php?as=wcchc-cloud:

    Your attributes
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress jwilliams@wcchc.com
    http://schemas.microsoft.com/ws/2013/11/alternateloginid jwilliams
    SAML Subject
    NameId jwilliams
    Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient

    But as I mentioned, the plugin repeatedly calls the IdP.

    Not sure if this is what you're asking for but in the event viewer log entry in ADFS:

    Encountered error during federation passive request.

    Additional Data

    Protocol Name:
    Saml

    Relying Party:
    https://wcchc-cloud.com/

    Exception details:
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '15' seconds. Contact your administrator for details.
    at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
    at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.SendSignInResponse(SamlContext context, MSISSignInResponse response)
    at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
    at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
  • Picture of Daniel Miranda
    Thu, 14 Sep 2017, 8:31 AM
    I think the issue is with the attributes returned from your IdP.
    There is no mapped fields for name and last name (mandatory fields in Moodle) and the fields for email and username are not correctly.
    I have never used ADFS. I use LDAP module in SimpleSAMLphp to authenticate users in a Microsoft Active Directory.
    My AD returns the below fields:

    'attributes' => array('sAMAccountName', 'cn', 'mail', 'brPersonCPF')

    Check in your ADFS IdP config if is it possible to define the fields' name and then adjust the plugin config page with the proper names
  • Picture of IS Licenses
    Thu, 14 Sep 2017, 3:29 PM
    Hi Daniel

    So I reconfigured the ADFS to send attributes below but it still repeatedly goes back to the moodle login page and reauthenticates me over and over again (I checked with Chrome developer tools).

    From module.php/core/authenticate.php?as=wcchc-cloud:
    Your attributes
    Mail
    mail jwilliams@wcchc.com
    User ID
    uid jwilliams
    Display name
    displayName John Williams
    Given name
    givenname John
    Surname
    sn Williams
    SAML Subject
    NameId jwilliams
    Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient

    I've removed and then reset all the mappings in the SAML2 SSO Auth plugin configuration page. The current settings are:
    Username = uid
    First name = givenname
    Last name = sn

    Thanks for all your help Daniel
  • Picture of Daniel Miranda
    Thu, 14 Sep 2017, 6:57 PM
    Ok, now lets try something else.

    Is it possible to you to modify the auth.php code?
    If yes, we will add a break point in code to verify what is going on after authentication success.

    edit /auth/saml2sso/auth.php

    on line 139 add the code below:

    echo "
    ";
    var_dump($attributes);

    and then

    on line 167 add the code below:

    var_dump($isuser);
    die();

    To be sure, clean up the moodle cache and try again to authenticate.

    Post the result here (be advice about sensitive data, remove if needed)
  • Picture of Daniel Miranda
    Thu, 14 Sep 2017, 7:03 PM
    Moodle has changed the previous message

    you can put "e c h o < p r e >" before the first var_dump

    line 139
    e c h o < p r e > ;
    var_dump($attributes);

    line 167
    var_dump($isuser);
    die();
  • Picture of Naaman Fallouh
    Mon, 30 Oct 2017, 5:45 AM
    Hi,
    I'm trying this plugin in a Moodle 3.2 instance, and after successfully authenticating users to the IdP it fails sign in into Moodle correctly, instead, it goes through endless loop of requesting URL's like these:
    https://sspidp.svuonline.org/saml2/idp/SSOService.php?SAMLRequest=fVJd...TX4B&RelayState=https%3A%2F%2Fmoodletest.svuonline.org%2Flogin%2Findex.php

    https://sspidp.svuonline.org/saml2/idp/SSOService.php?SAMLRequest=fVLJ...c%3D&RelayState=https%3A%2F%2Fmoodletest.svuonline.org%2Flogin%2Findex.php

    Where https://sspidp.svuonline.org is the used IdP server.

    Any help about this issue?

    Best regards,
1 2 3
Please login to post comments