Authentication: SAML2 SSO Auth

Maintained by Picture of Daniel Miranda Daniel Miranda
Authentication using exists SimpleSAMLphp Service Provider
105 sites
5 fans

SAML2 SSO Authentication using exists SimpleSAMLphp Service Provider

You'll need the following pre-requirement:

  • A working SimpleSAMLphp Service Provider (SP) installation ( working means that the metadata from SP must be registered in Identity Provider (IdP). Can be found in /config/authsources.php
  • The absolute path for the SimpleSAMLphp installation on server
  • The authsource name from SP in which your users will authenticate against

There are a couple of related SAML plugins for Moodle. Below are the main diferences between this plugin, named as saml2sso, and the others. 

The key for this plugin is that you can use your exists Service Provider (SP) without need to exchange the metadata with the Identity Provider (IdP) for every new Moodle instances. (for instances in the same host name)

The following options can be set in config:

  • SimpleSAMLphp installation path
  • Dual login (Yes/No) - Can login with manual accounts like admin
  • Single Sign Off (Yes/No) - Should we sign off users from Moodle and IdP?
  • Username mapping - Which attribute from IdP should be used for username
  • Username checking - Where to check if the username exists
  • Auto create users - (Allow create new users)
  • SP source name (generally default-sp in SimpleSAMLphp)
  • Logout URL to redirect users after logout
  • Allow users to edit or not the profile
  • Ability to break the full name from IdP into firstname and lastname

To bypass the authentication and login directly in Moodle (ex.: using admin account), add the saml=off parameter in the URL (ex.: https://my.moodle/login/index.php?saml=off)


Screenshot #0
Screenshot #1


Picture of Daniel Miranda
Daniel Miranda (Lead maintainer)
Please login to view contributors details and/or to contact them

Comments RSS

Show comments
  • Wazza
    Sat, 13 Jan 2018, 12:20 AM
    Sorry for asking here, but when can we expect a version that works for Moodle 3.4?
  • Picture of Daniel Miranda
    Sat, 13 Jan 2018, 1:06 AM
    I'll update this weekend, but it might works with 3.3
  • Wazza
    Mon, 15 Jan 2018, 11:31 PM
    Thanks, but when I try to install the most recent update I get this error:

    Downloading auth_saml2sso ... OK
    Validating auth_saml2sso ... Error
    [Error] Required Moodle version [2017111301]
    Installation aborted due to validation failure

    I'm running Moodle version Moodle 3.4+ (Build: 20180112)
  • Picture of Daniel Miranda
    Tue, 16 Jan 2018, 2:44 AM
    I have downgraded the Moodle version requirement to 3.3 release (2017051501).
    Please, try again.
  • Picture of callum Wood
    Tue, 20 Mar 2018, 11:10 PM
    Hi Daniel,

    I'm currently trying to implement this plugin using an IdP initiated SSO. When i click the link from the IdP I am getting sent to the following URL:

    Should I be going to this above URL with the POST data from the IdP or should I be going to just ?

    When I reach this URL I get the following error from simplesaml:
    SimpleSAML_Error_Error: ACSPARAMS

    1 modules/saml/www/sp/saml2-acs.php:21 (require)
    0 www/module.php:135 (N/A)
    Caused by: Exception: Unable to find the current binding.
    2 vendor/simplesamlphp/saml2/src/SAML2/Binding.php:104 (SAML2\Binding::getCurrentBinding)
    1 modules/saml/www/sp/saml2-acs.php:16 (require)
    0 www/module.php:135 (N/A)

    The process stops here and I am not redirected to

    However, after this is I go onto and test my authentication sources it is showing that I am authenticated and displays my SAML Subject and 1 attribute which is sent from the POST data.

    Thanks in advance for your help.

  • Picture of callum Wood
    Wed, 21 Mar 2018, 1:27 AM
    Hi Daniel just as an update to my last post.

    I've ordered the current user flow:

    1. The user logs into the IdP and selects the moodle button

    2. The user is redirected to: along with some POST data and successfully authenticates.

    3. The relay state then sends the user back to Moodle (this works up to this point)

    4. The user then is redirected to the following URL:;lnasdf;klnaskdlfna;

    4. When the user hits the Moodle page they are redirected to the "SingleSignOnService Location = '' " which is contained in the IdP metadata.

    I can see that the user is successfully getting authenticated with simplesamlphp but is not getting redirected and logged in to moodle, they are instead getting redirected to The SingleSignOnService should be ignored as the user has already been authenticated (as this is IdP initiated) and they should be logged into moodle. So the set up with SimpleSaml is working correctly however Moodle/the plugin is not handling this as expected.

  • Picture of Daniel Miranda
    Thu, 22 Mar 2018, 7:49 PM
    Callum Wood, I think you have a misunderstood about IdP.
    You must configure Moodle to redirect users to IdP and get response from it.
    Do you have a Identity Provider and a Service Provider working together?
  • Picture of Harold Yung
    Tue, 27 Mar 2018, 5:13 PM

    My environment:
    Moodle 3.4.2
    SimpleSAMLphp 1.15.4
    saml2sso: Release v3.4-r02

    My IdP is ADFS. I get the same error which continually sending 6 requests to ADFS and then blocked by ADFS. I read the article in but no idea to change it. Actually, I can find the setting 'session.phpsession.cookiename' in config file but what is the value should I change?

    My ADFS administrator had checked and said their setting is correct. I can successfully get the response from "Test authentication sources" of simplesamlphp (https://xxx/simplesaml/module.php/core/authenticate.php?as=mysp). Moreover, the mapping of attributes username, lastname, firstname ane email are copy from this test page and so I sure they are correct. If any settings are wrong in my Moodle?

    Thank your for attention and help!
  • Picture of Daniel Miranda
    Fri, 6 Apr 2018, 4:43 AM
    Harold Yung, it seems you have a SimpleSAMLphp issue.

    Do you have a proper SimpleSAMLphp Service Provider in the same host name as Moodle? (https://xxx/moodle)
    In my understood you are trying to redirect users from Moodle directly to Identity Provider.

    In my environment I have a SimpleSAMLphp Service Provider in the same host name as Moodle.
    My Moodle is hosting in
    My Service Provider is hosting in
    and my Identity Provider is hosting in

    when users try to access Moodle, the auth_saml2sso plugin require authentication from my Service Provider and then users are redirected to IdP.

    About the session.cookiename I leave as default 'SimpleSAML'
  • Picture of Harold Yung
    Fri, 13 Apr 2018, 11:01 AM
    Hi Daniel,

    Yes, the SimpleSAMLphp Service Provider is at the same host as Moodle.
    My Moodle: https://moodle.mydomain/moodle34/
    My SimpleSAMLphp: https://moodle.mydomain/simplesaml/
    My Identity Provider: https://websso.subdomain.mydomain/adfs/

    I try to change session.cookiename but it does not work. If any way to further check?

    Thank you very much!
  • Picture of Ketan Ajudiya
    Thu, 7 Jun 2018, 9:04 PM
    Hi Daniel Miranda,

    I am new to moodle and i am trying to implement SSO to my website.
    so I have setup moodle on my server and installed plugin "SAML2 SSO Auth"
    and then I have setup "SimpleSAMLphp Service Provider" on my server, all great till now.
    But when i enabled plugin and setup things which plugin requires, i wont able to access moodle at all even i can not able to login to moodle admin? also moodle login screen look messy. it was all correct before plugin activated.
    when i try to login in moodle it redirect me to "SimpleSAMLphp" (setup on server) login screen and I am not sure which username/password it accepts.
    I have tried my website user login details but it says "Incorrect username or password" not sure what to do.
    since i am new to this, am i doing something wrong? or missing to add some settings?
    Please guide as i am not able to access moodle as a user or admin.

    what I am expecting is to setup that when user login to my website and when click on Moodle link placed on my website it should not ask any login details and directly login to Moodle. is it possible with this plugin? please give some details how to achieve my goal.

    Thank you,
  • Picture of Ketan Ajudiya
    Thu, 7 Jun 2018, 9:07 PM
    sorry forgot to mentioned versions.
    I am on moodle 3.5 and SimpleSAMLphp 1.15.4
  • Picture of Péter Lukács
    Tue, 7 Aug 2018, 2:15 PM
    Problems with the latest 3.5 release. It seems that the release v3.5-r00 is a renamed v3.4-r02 without any modifications. Can you fix it? Thanks.
  • Picture of Rodney Lanuzga
    Wed, 26 Sep 2018, 12:41 AM

    I have some issue with version 3.0 r12.

    The installation and configuration of the plugin went good until i test the SSO login.
    The moment i log in get from simplesaml (version 1.14.4) a state information lost error (SimpleSAML_Error_NoState: NOSTATE).

    When i test the authentication in Simplesaml the authentication and all works just fine.
    Is there a configuration i am missing to find the session when i log in?
  • Picture of Rodney Lanuzga
    Fri, 28 Sep 2018, 9:42 PM

    I have debugged version 3.0 R12 and i found out during several test why there is a no state error.
    The moment you to the it creates a Session ID 123456 and redirects you to the SSO. Afterwards you log in and you will get a No state error, but the reason why this happens is that the session ID after you logged in through the SSO deviates with the Session ID before.

    So i was wondering am i missing a configuration in Simplesaml to complete the authentication process or is this a bug in the plugin?
1 2 3 4
Please login to post comments