Authentication ::: auth_saml2sso
Maintained by Daniel Miranda, AulaWeb Università di Genova
Authentication using an existing SimpleSAMLphp Service Provider
135 sites
13 fans
Current versions available: 5

SAML2 SSO Authentication using an existing SimpleSAMLphp Service Provider

You'll need the following prerequisites:

  • A working SimpleSAMLphp Service Provider (SP) installation (working means that the SP's metadata is already registered with the Identity Provider (IdP)); the configured authsources can be found in /config/authsources.php
  • The absolute path of the SimpleSAMLphp installation on the server
  • The authsource name from the SP that your users will authenticate against

There are a couple of related SAML plugins for Moodle. Below are the main differences between this plugin, named saml2sso, and the others.

The key point of this plugin is that you can use your existing Service Provider (SP) without needing to exchange metadata with the Identity Provider (IdP) for every new Moodle instance (for instances on the same host name).

The following options can be set in config:

  • SimpleSAMLphp installation path
  • Dual login (Yes/No) - Allows logging in with manual accounts such as admin
  • Single Sign Off (Yes/No) - Should we sign off users from Moodle and IdP?
  • Username mapping - Which attribute from IdP should be used for username
  • Username checking - Where to check if the username exists
  • Auto create users - Allow new users to be created
  • (new) Limit concurrent logins to 1 if configured as a global setting
  • SP source name (generally default-sp in SimpleSAMLphp)
  • Logout URL to redirect users after logout
  • Allow or disallow users to edit their profile
  • Ability to split the full name from the IdP into first name and last name

To bypass the authentication and log in directly to Moodle (e.g. using the admin account), add the saml=off parameter to the URL (e.g. https://my.moodle/login/index.php?saml=off)
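As an added example that is not part of the plugin or of this page, the sketch below shows how the options listed above fit together in one login step: the installation path and authsource name select the existing SimpleSAMLphp SP, the dual-login flag decides whether saml=off is honoured, and the username mapping decides which released attribute becomes the Moodle username. The path /var/simplesamlphp, the uid attribute and the helper name saml2sso_sign_off are assumptions; the SimpleSAMLphp calls (Auth\Simple, requireAuth, getAttributes, logout) are the SP library's public API.

```php
<?php
// Added example (not the saml2sso plugin's own code): a login step that bridges
// Moodle to an already-configured SimpleSAMLphp SP using the settings listed
// above. $sspPath and $usernameAttr are assumed values.

$sspPath      = '/var/simplesamlphp'; // "SimpleSAMLphp installation path" (assumed)
$authSource   = 'default-sp';         // "SP source name": the key in config/authsources.php
$dualLogin    = true;                 // "Dual login": manual accounts remain usable
$usernameAttr = 'uid';                // "Username mapping" (assumed attribute name)
$logoutUrl    = 'https://my.moodle/'; // "Logout URL" used after Single Sign Off

// Documented bypass: ?saml=off hands the request to Moodle's own login form.
// Only honour it when dual login is enabled, so SSO-only sites stay SSO-only.
if ($dualLogin && (($_GET['saml'] ?? '') === 'off')) {
    return; // fall through to the standard Moodle login page
}

// SimpleSAMLphp 1.x ships its autoloader at lib/_autoload.php (2.x moved it to src/).
require_once $sspPath . '/lib/_autoload.php';

$as = new \SimpleSAML\Auth\Simple($authSource);
$as->requireAuth();                 // redirects to the IdP when there is no SP session yet
$attributes = $as->getAttributes(); // e.g. ['uid' => ['alice'], 'mail' => ['alice@example.org']]

// Username mapping: take the configured attribute and refuse an empty value
// rather than silently creating an account with no identity behind it.
$value = $attributes[$usernameAttr][0] ?? '';
if ($value === '') {
    throw new RuntimeException("IdP did not release the attribute '$usernameAttr'");
}
$username = strtolower(trim($value));

// Single Sign Off: end the Moodle session, then let SimpleSAMLphp terminate the
// SP and IdP sessions and redirect the browser to the configured logout URL.
function saml2sso_sign_off(\SimpleSAML\Auth\Simple $as, string $logoutUrl): void
{
    // Moodle's own session teardown would go here (e.g. require_logout()).
    $as->logout($logoutUrl);
}
```

The saml=off check is deliberately gated on the dual-login setting: on a site where SSO is the only allowed path, a query parameter should not be able to expose the manual login form.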


Daniel Miranda (Lead maintainer)
AulaWeb Università di Genova

Comments
  • AulaWeb Università di Genova
    Sun, Sep 1, 2019, 4:31 PM
    Thank you for the report Anthony.
    I changed the default icon with a neutral one. However, you can use any pics setting its url in the control panel of the plugin.
  • Alain Raap
    Fri, Oct 18, 2019, 5:08 PM
    What is the best way to migrate users from another auth plugin (e.g. manual) to the saml2sso auth plugin? What must be changed in the Moodle database?
    When I install the latest version of your plugin and I go to my Moodle site, the wrong login page is shown (not the login of my IDP). When I end my URL with ?saml=on it shows my IDP login. What is the right way to configure this?
  • AulaWeb Università di Genova
    Thu, Oct 24, 2019, 2:21 AM
    Hi Alain,
    I'm sorry for the delay; I suggest that all visitors open an issue on the GitHub page, which produces a warning for the developers. This forum does not have this feature.

    This plugin cannot migrate users from internal sources by design. In fact, there is no guarantee that an account with an internal username is the same identity on the IdP which has the same username. Sorry, you have to check one-by-one and switch them from the user profile pages.
    Or, if you are confident, open the locallib.php file and set the plugin name to false around line 20 in order to fool the plugin import function.

    About the second issue, I don't understand: which page is the "the wrong login page"? The Moodle default?
  • Alain Raap
    Wed, Nov 13, 2019, 10:57 PM
    Sorry for my late reply. I already solved my migration question and the issue with the login page is clear: with saml=on I go to the IDP, with saml=off I go to the Moodle login page.
  • Alain Raap
    Thu, Nov 14, 2019, 5:26 PM
    Is it possible to configure / use more than one authentication source in the SAML2SSO plugin settings?
  • Daniel Miranda
    Thu, Nov 14, 2019, 8:09 PM
    Hi Alain, I think you are asking about multiauth in SimpleSAMLphp.
    It is possible to use multiauth module in SimpleSAMLphp to achieve this.
    So you need to configure this in SimpleSAMLphp not in SAML2SSO.
    Is that correct?
  • Alain Raap
    Fri, Nov 15, 2019, 3:56 PM
    Hi Daniel,
    I already found the multiauth configuration option in SimpleSAMLphp, I understand that it's only possible to configure one
    authentication source in the plugin, but also in Moodle. There's only one attribute in the mdl_user table (auth attribute) which
    declares the authentication for the user on your Moodle site. I'll take a look at the multiauth configuration, thanks.
  • Daniel Miranda
    Fri, Nov 15, 2019, 8:49 PM
    What are your thoughts about multiauth Alain?
    I can say that it is possible to use multiauth, for example, using a SQL database and an LDAP at the same time (this is my scenario), or you can have more than one Identity Provider, for example an external IdP (this is my scenario too).

    So, I have my users doing authentication against my own IdP and an external IdP. When the user chooses my IdP it is possible to authenticate against a SQL database and/or an LDAP server.

    I have made a SimpleSAMLphp module that tries to authenticate a user, first in the SQL database and, if that fails, then tries again in LDAP. You can see this module on my GitHub (
  • Ludo M
    Fri, Nov 6, 2020, 8:27 AM
    I don't understand if this plugin makes Moodle an Identity Provider (use the Moodle users database to connect to other websites) or a Service Provider (connect to Moodle from another users database)?
  • Daniel Miranda
    Fri, Nov 6, 2020, 8:23 PM
    Hi Ludo M, this plug-in will only work with a working SimpleSAMLphp Service Provider. Neither an IdP nor an SP is created. For this to work properly you must have a SimpleSAMLphp Service Provider working on the same server that Moodle is running on.
  • AulaWeb Università di Genova
    Fri, Nov 6, 2020, 8:27 PM
    Hi Ludo,
    this plugin is a bridge to a SimpleSAMLphp installation acting as Service Provider. However, the plugin is agnostic regarding the authentication sources used by SimpleSAMLphp: usually a SAML 2.0 IdP, but also LDAP, SQL databases, Facebook, X.509 certificates, Twitter, RADIUS and many other services are supported by SimpleSAMLphp out of the box.
  • Florian Mauer
    Tue, Nov 10, 2020, 8:48 PM
    I installed your plugin in the most recent version in a test environment.
    Moodle is in the newest version (until late last week it was still 3.9, but no difference).
    SimpleSAMLphp is 1.19.0-rc1 and set up as an SP.
    As an IDP I am using (the combination Moodle LDAP login together with jumpcloud works fine).
    If I use the SimpleSAML configuration test, I can log into the jumpcloud account and get transferred back with a valid login to the simplesaml test page.

    According to the test settings feature of your plugin everything is working fine.
    When I try to log in via SAML, I am redirected to the jumpcloud server, log in there and get redirected to my Moodle. There I always get the following message:
    There is no valid e-mail address from Identity Provider
    You are still connected in a SSO session Click here to logout

    Do you have any tip/hint on what I might have to check to get SAML login working?
    Thank you

  • AulaWeb Università di Genova
    Wed, Nov 11, 2020, 1:38 AM
    Hi Florian,
    I suppose you have already mapped an attribute from the IdP to the Moodle email field in the plugin configuration; otherwise this is the origin of the problem.

    If the mapping is defined, there are three scenarios that you can check using the simplesaml test page:
    1) your IdP never provides an email address in the SAML assertion because it is filtered out by the admin settings: the test page will not show your email address and you have to check the IdP configuration for this issue
    2) your IdP provides the e-mail address but it is transported in an attribute with a name different from the usual "mail" (as in LDAP); if this is the case you have two options: change the mapping to read the e-mail address from this attribute, or configure the Authsource in the SimpleSAMLphp Service Provider to translate the attribute names (e.g. from the OID or MS-ADFS styles to the LDAP one)
    3) for some reason, your own entry in the IdP Authsource backend has no value for your e-mail address: since it is mandatory in Moodle, you can mark the option "Allow empty email" in the plugin configuration and Moodle will prompt you to complete the profile with an e-mail address at first login
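As an added example, not the plugin's code and not part of the reply above, the following PHP resolves the e-mail attribute across the three scenarios just described: the address is absent (scenario 1), released under the OID or MS-ADFS attribute name instead of "mail" (scenario 2), or empty for one particular user (scenario 3). The function names resolve_email and email_decision and the sample assertions are constructed for illustration; the three attribute names are the standard LDAP, OID and ADFS forms of the e-mail attribute.

```php
<?php
// Added example (not the saml2sso plugin's own code): resolving the e-mail
// attribute from a SimpleSAMLphp attribute array, which maps each attribute
// name to a list of string values. Function names and sample data are constructed.

/**
 * Return the first non-empty e-mail value found under any of the candidate
 * attribute names, or null if none is present (scenario 1 or scenario 3).
 */
function resolve_email(array $attributes, array $candidates): ?string
{
    foreach ($candidates as $name) {
        if (!empty($attributes[$name][0])) {
            return trim($attributes[$name][0]);
        }
    }
    return null;
}

/**
 * Mirror the "Allow empty email" option: with it off, a missing or malformed
 * address is a hard failure (the "There is no valid e-mail address from
 * Identity Provider" case); with it on, the login proceeds and Moodle asks
 * the user to complete the profile.
 */
function email_decision(array $attributes, bool $allowEmptyEmail): string
{
    $candidates = [
        'mail',                                                               // LDAP style
        'urn:oid:0.9.2342.19200300.100.1.3',                                  // OID style
        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', // MS-ADFS style
    ];
    $email = resolve_email($attributes, $candidates);
    if ($email !== null && filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
        return 'ok:' . $email;
    }
    return $allowEmptyEmail ? 'prompt-for-email' : 'reject';
}

// Constructed sample assertions, shaped like SimpleSAMLphp's getAttributes() output.
$ldapStyle = ['uid' => ['alice'], 'mail' => ['alice@example.org']];
$adfsStyle = ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => ['bob@example.org']];
$noEmail   = ['uid' => ['carol'], 'mail' => ['']];

foreach ([
    'ldap, strict'     => email_decision($ldapStyle, false),
    'adfs, strict'     => email_decision($adfsStyle, false),
    'no email, strict' => email_decision($noEmail, false),
    'no email, lenient'=> email_decision($noEmail, true),
] as $label => $outcome) {
    echo str_pad($label, 20), ' => ', $outcome, PHP_EOL;
}
```

For scenario 2 the reply's second option, translating names inside the SP, is done in SimpleSAMLphp with an authproc filter on the authsource, for instance `'authproc' => [10 => ['class' => 'core:AttributeMap', 'oid2name']]`, after which the attribute reaches the plugin as plain "mail" and the first candidate above matches.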
  • Naaman Fallouh
    Mon, Mar 15, 2021, 10:24 PM
    My IDP authenticates the users against a users database, and I'm trying to activate the user synch through the External Database plugin on the same external database.

    The synch works fine and creates users in Moodle, BUT it didn't bring the First name, Last name, Email and ID number values into Moodle! Any advice?

    A question comes to my mind: when depending on the External Database plugin for synchronization, which set of mapping fields does it use? The set in this plugin OR the set in the External Database plugin?

    Best regards,
  • AulaWeb Università di Genova
    Fri, Mar 19, 2021, 11:56 PM
    Hi Naaman,
    for the synch feature, the mapping must be defined in the External Database plugin (or the LDAP plugin if you use it as the synch source).
    Be aware that you should set the option Update Local to "On Every Login" for First name, Last name, Email etc., otherwise, if you have already run a synchronization, the data of existing users will not be updated. You can reset it to "On Creation" after a successful run.

    The SAML plugin also has a mapping setup, but it is effective at the login stage, not during the synch task.
