Authentication: SAML2 SSO Auth

auth_saml2sso
Maintained by Daniel Miranda
Authentication using an existing SimpleSAMLphp Service Provider
53 sites
199 downloads
4 fans

SAML2 SSO Authentication using an existing SimpleSAMLphp Service Provider


You'll need the following prerequisites:

  • A working SimpleSAMLphp Service Provider (SP) installation (https://simplesamlphp.org); working means that the SP's metadata has already been registered with the Identity Provider (IdP). The SP's authsource configuration can be found in /config/authsources.php
  • The absolute path of the SimpleSAMLphp installation on the server
  • The authsource name in the SP that your users will authenticate against

There are a couple of related SAML plugins for Moodle. Below are the main differences between this plugin, named saml2sso, and the others.

The key point of this plugin is that you can use your existing Service Provider (SP) without needing to exchange metadata with the Identity Provider (IdP) for every new Moodle instance (for instances on the same host name).


The following options can be set in config:

  • SimpleSAMLphp installation path
  • Dual login (Yes/No) - Can login with manual accounts like admin
  • Single Sign Off (Yes/No) - Should we sign off users from Moodle and IdP?
  • Username mapping - Which attribute from IdP should be used for username
  • Username checking - Where to check if the username exists
  • Auto create users - (Allow create new users)
  • SP source name (generally default-sp in SimpleSAMLphp)
  • Logout URL to redirect users after logout
  • Whether users are allowed to edit their profile
  • Ability to break the full name from IdP into firstname and lastname

To bypass the authentication and log in directly to Moodle (e.g. using the admin account), add the saml=off parameter to the URL (e.g. https://my.moodle/login/index.php?saml=off)
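The following is an added illustration of how the options above fit together around an existing SimpleSAMLphp SP; it is not the auth_saml2sso plugin's own code. The settings array, the attribute name 'uid' and the installation path are assumptions, and the saml=off bypass is only honoured when dual login is enabled, so the parameter cannot skip SSO on an SSO-only site.

```php
<?php
// Added example (not the plugin's code). Assumed SimpleSAMLphp path:
require_once '/var/simplesamlphp/lib/_autoload.php';   // "installation path" option

// Plugin settings as the option list describes them (values assumed).
$cfg = [
    'sp_source'     => 'default-sp',   // authsource name from authsources.php
    'dual_login'    => true,           // also allow manual accounts such as admin
    'username_attr' => 'uid',          // IdP attribute mapped to the Moodle username
    'auto_create'   => false,          // create unknown users?
    'logout_url'    => 'https://my.moodle/',
];

// saml=off is only meaningful together with dual login; otherwise ignore it.
function samlBypassRequested(array $cfg, array $query): bool
{
    return $cfg['dual_login'] && (($query['saml'] ?? '') === 'off');
}

// Pick the username from the IdP attributes. SimpleSAMLphp returns every
// attribute as an array, so refuse empty or multi-valued attributes.
function usernameFromAttributes(array $attributes, string $attr): ?string
{
    $values = $attributes[$attr] ?? [];
    if (count($values) !== 1 || trim((string) $values[0]) === '') {
        return null;
    }
    return strtolower(trim((string) $values[0]));
}

if (samlBypassRequested($cfg, $_GET)) {
    // Fall through to Moodle's own login form for manual accounts.
    return;
}

$as = new SimpleSAML\Auth\Simple($cfg['sp_source']);
$as->requireAuth();   // the SP redirects to the IdP if there is no session yet
$username = usernameFromAttributes($as->getAttributes(), $cfg['username_attr']);
if ($username === null) {
    // Mapped attribute missing or ambiguous: end the SP session, do not log in.
    $as->logout($cfg['logout_url']);
}
// $username is then checked against Moodle's user table; with 'auto_create'
// enabled a missing user would be created at this point.
```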


Contributors

Daniel Miranda (Lead maintainer)

Comments
  • Ruben Dario Aybar
    Mon, 8 Jan 2018, 10:51 PM
    Hi,

    After a successful auth on the IdP, it redirects me back to my SP and I'm receiving this error from SimpleSAMLphp:

    SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
    Backtrace:
    1 www/_include.php:45 (SimpleSAML_exception_handler)
    0 [builtin] (N/A)
    Caused by: Exception: The POST data we should restore was lost.
    Backtrace:
    1 modules/core/www/postredirect.php:38 (require)
    0 www/module.php:135 (N/A)

    The error detected in syslog:

    Jan 5 16:38:15 servidorX simplesamlphp[27557]: 7 [05007a3d7b] Session: 'wso2-sp' not valid because we are not authenticated.
    Jan 5 16:38:15 servidorX simplesamlphp[27557]: 7 [05007a3d7b] Saved state: '_45a330829a2b49a529bf8a869d7bddefa363d13fdf'
    Jan 5 16:38:15 servidorX simplesamlphp[27557]: 7 [05007a3d7b] Sending SAML 2 AuthnRequest to 'ssohalab1.x.x.x'
    Jan 5 16:38:15 servidorX simplesamlphp[27557]: 7 [05007a3d7b] Redirect to 712 byte URL: https://ssolab/samlsso?SAMLRequest=pZJLb9swEIT&RelayState=https.x.x.x.php.php (#012)
    Jan 5 16:38:15 servidorX simplesamlphp[27557]: 4 [05007a3d7b] The class or interface 'SimpleSAML_Auth_Simple' is now using namespaces, please use 'SimpleSAML\Auth\Simple'.
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Loading state: '_45a330829a2b49a529bf8a869d7bddefa363d13fdf'
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 4 [20279a93ae] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 4 [20279a93ae] Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Received SAML2 Response from 'ssohalab1.x.x.x'.
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 5 [20279a93ae] Validating certificates by fingerprint is deprecated. Please use certData or certificate options in your remote metadata configuration.
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Found 1 certificates in SAML2\Response
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Has 1 candidate keys for validation.
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Validation with key #0 succeeded.
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 5 [20279a93ae] Validating certificates by fingerprint is deprecated. Please use certData or certificate options in your remote metadata configuration.
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Found 1 certificates in SAML2\Assertion
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Has 1 candidate keys for validation.
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Validation with key #0 succeeded.
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Filter config for ssohalab1.rec.uba.ar->https://servidorX/simplesaml/module.php/saml/sp/metadata.php/wso2-sp: array ( 0 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 90, )),)
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Session: doLogin("wso2-sp")
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] Backtrace:
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] 1 /var/simplesamlphp/www/_include.php:45 (SimpleSAML_exception_handler)
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] 0 [builtin] (N/A)
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] Caused by: Exception: The POST data we should restore was lost.
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] Backtrace:
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] 1 /var/simplesamlphp/modules/core/www/postredirect.php:38 (require)
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] 0 /var/simplesamlphp/www/module.php:135 (N/A)
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] Error report with id dfb816de generated.
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Session: Valid session found with 'wso2-sp'.
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Localization: using old system
    Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Template: Reading [/var/simplesamlphp/dictionaries/errors]

    The plugin version used is:

    v3.3-r04 (2017081000), Moodle 3.3
    Release date: Friday, 11 August 2017, 12:23 AM

    The Moodle version used is:

    Moodle 3.3.2 (Build: 20170911)

    Can you help with this?
  • Daniel Miranda
    Mon, 8 Jan 2018, 11:17 PM
    Can you tell me which version of SimpleSAMLphp you are using?
    It seems to me that it is an issue with the SimpleSAMLphp installation.
    You can verify the version through https://servidorX/simplesaml/module.php/core/frontpage_config.php
  • Ruben Dario Aybar
    Tue, 9 Jan 2018, 3:00 AM
    Thank you Daniel Miranda for the reply.

    The SimpleSAMLphp used is:

    /var/simplesamlphp (1.15.0)

    thanks for your help
  • Daniel Miranda
    Wed, 10 Jan 2018, 11:24 PM
    Like I said, it seems to me that it is an issue with the SimpleSAMLphp configuration.
    I wasn't able to reproduce the error.
    Please, try the following solution and let me know if it works
    https://www.marcus-povey.co.uk/2016/02/09/exception-the-post-data-we-should-restore-was-lost/
  • Ruben Dario Aybar
    Thu, 11 Jan 2018, 2:15 AM
    Thank you Daniel Miranda for the reply.

    I saw that post and checked in the following path, Settings > Site administration > Server > Session Handling ("try setting a value for 'Cookie prefix'"), whether a session cookie name was set within Moodle, but it is empty.

    In the file config.php of simpleSAMLphp in the variable 'session.phpsession.cookiename' is set 'SimpleSAML'

    I do not understand what the error may be due to.

    thanks for your help
  • Wazza
    Sat, 13 Jan 2018, 12:20 AM
    Sorry for asking here, but when can we expect a version that works for Moodle 3.4?
  • Daniel Miranda
    Sat, 13 Jan 2018, 1:06 AM
    I'll update this weekend, but it might work with 3.3
  • Wazza
    Mon, 15 Jan 2018, 11:31 PM
    Thanks, but when I try to install the most recent update I get this error:

    Downloading auth_saml2sso ... OK
    Validating auth_saml2sso ... Error
    [Error] Required Moodle version [2017111301]
    Installation aborted due to validation failure

    I'm running Moodle version Moodle 3.4+ (Build: 20180112)
  • Daniel Miranda
    Tue, 16 Jan 2018, 2:44 AM
    I have downgraded the Moodle version requirement to 3.3 release (2017051501).
    Please, try again.
  • callum Wood
    Tue, 20 Mar 2018, 11:10 PM
    Hi Daniel,

    I'm currently trying to implement this plugin using IdP-initiated SSO. When I click the link from the IdP I am getting sent to the following URL:
    https://MYMoodle.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp

    Should I be going to this above URL with the POST data from the IdP or should I be going to just https://MYMoodle.com ?

    When I reach this URL I get the following error from simplesaml:
    ############
    SimpleSAML_Error_Error: ACSPARAMS

    Backtrace:
    1 modules/saml/www/sp/saml2-acs.php:21 (require)
    0 www/module.php:135 (N/A)
    Caused by: Exception: Unable to find the current binding.
    Backtrace:
    2 vendor/simplesamlphp/saml2/src/SAML2/Binding.php:104 (SAML2\Binding::getCurrentBinding)
    1 modules/saml/www/sp/saml2-acs.php:16 (require)
    0 www/module.php:135 (N/A)
    ############

    The process stops here and I am not redirected to https://MYMoodle.com

    However, after this, if I go onto https://MYMoodle.com/simplesaml/ and test my authentication sources, it shows that I am authenticated and displays my SAML Subject and 1 attribute which is sent from the POST data.

    Thanks in advance for your help.

  • callum Wood
    Wed, 21 Mar 2018, 1:27 AM
    Hi Daniel just as an update to my last post.

    I've ordered the current user flow:

    1. The user logs into the IdP and selects the moodle button

    2. The user is redirected to: https://MyMoodle.com/simplesaml/module.php/saml/sp/saml2-acs.php/myMoodle.comSpName along with some POST data and successfully authenticates.

    3. The relay state then sends the user back to Moodle (this works up to this point)

    4. The user then is redirected to the following URL: https://MyMoodle.com.com/simplesaml/module.php/saml/sp/discoresp.php?AuthID=_fksandfknsdfk;lnasdf;klnaskdlfna;sfdknsdfhttps%3A%2F%2FMyMoodle.com%2Fsimplesaml%2Fmodule.php%2Fcore%2Fas_login.php%3FAuthId%3Ddefault-sp%26ReturnTo%3Dhttps%253A%252F%252FMyMoodle.com%252Flogin%252Findex.php&idpentityid=EntityIDName

    5. When the user hits the Moodle page they are redirected to the "SingleSignOnService Location = 'http://doesnotexist.com' " which is contained in the IdP metadata.

    I can see that the user is successfully getting authenticated with simplesamlphp but is not getting redirected and logged in to moodle, they are instead getting redirected to http://doesnotexist.com The SingleSignOnService should be ignored as the user has already been authenticated (as this is IdP initiated) and they should be logged into moodle. So the set up with SimpleSaml is working correctly however Moodle/the plugin is not handling this as expected.

  • Daniel Miranda
    Thu, 22 Mar 2018, 7:49 PM
    Callum Wood, I think you have a misunderstanding about the IdP.
    You must configure Moodle to redirect users to the IdP and get the response from it.
    Do you have an Identity Provider and a Service Provider working together?
  • Harold Yung
    Tue, 27 Mar 2018, 5:13 PM
    Hi,

    My environment:
    Moodle 3.4.2
    SimpleSAMLphp 1.15.4
    saml2sso: Release v3.4-r02

    My IdP is ADFS. I get the same error, which continually sends 6 requests to ADFS and is then blocked by ADFS. I read the article at https://www.marcus-povey.co.uk/2016/02/09/exception-the-post-data-we-should-restore-was-lost/ but have no idea what to change. Actually, I can find the setting 'session.phpsession.cookiename' in the config file, but what value should I change it to?

    My ADFS administrator has checked and said their settings are correct. I can successfully get the response from "Test authentication sources" in SimpleSAMLphp (https://xxx/simplesaml/module.php/core/authenticate.php?as=mysp). Moreover, the mappings of the attributes username, lastname, firstname and email are copied from this test page, so I am sure they are correct. Are any settings wrong in my Moodle?

    Thank you for your attention and help!
  • Daniel Miranda
    Fri, 6 Apr 2018, 4:43 AM
    Harold Yung, it seems you have a SimpleSAMLphp issue.

    Do you have a proper SimpleSAMLphp Service Provider in the same host name as Moodle? (https://xxx/moodle)
    In my understanding you are trying to redirect users from Moodle directly to the Identity Provider.

    In my environment I have a SimpleSAMLphp Service Provider in the same host name as Moodle.
    Ex.:
    My Moodle is hosted at https://moodle.dev
    My Service Provider is hosted at https://moodle.dev/sso/
    and my Identity Provider is hosted at https://idp.dev/sso

    When users try to access Moodle, the auth_saml2sso plugin requires authentication from my Service Provider and then users are redirected to the IdP.

    About session.cookiename, I leave it as the default 'SimpleSAML'
  • Harold Yung
    Fri, 13 Apr 2018, 11:01 AM
    Hi Daniel,

    Yes, the SimpleSAMLphp Service Provider is at the same host as Moodle.
    My Moodle: https://moodle.mydomain/moodle34/
    My SimpleSAMLphp: https://moodle.mydomain/simplesaml/
    My Identity Provider: https://websso.subdomain.mydomain/adfs/

    I tried to change session.cookiename but it does not work. Is there any way to check further?

    Thank you very much!