SAML2 SSO Auth

Authentication ::: auth_saml2sso
Maintained by Daniel Miranda, AulaWeb Università di Genova
Authentication using exists SimpleSAMLphp Service Provider

SAML2 SSO Auth v3.3-r01

Moodle 3.3
Released: Wednesday, 2 August 2017, 3:58 AM

Code prechecks

phplint phpcs136 | 32 js css phpdoc16 | 9 savepoint1 | 0 thirdparty grunt shifter mustache
HTML | XML

SAML2 Authentication using exists SimpleSAMLphp Service Provider

You'll need the following pre-requirement:

  • A working SimpleSAMLphp Service Provider (SP) installation (https://simplesamlphp.org) working means that the metadata from SP must be registered in Identity Provider (IdP). Can be found in /config/authsources.php
  • The absolute path for the SimpleSAMLphp installation on server
  • The authsource name from SP in which your users will authenticate against

There are a couple of related SAML plugins for Moodle. Below are the main diferences between this plugin, named as auth_saml2sso, and the others

The key for this plugin is that you can use your exists Service Provider (SP) without needed to exchange the metadata with the Identity Provider (IdP) for every new Moodle instances. (for instances in the same host name)

There are two other SAML plugins that can/or use SimpleSAMLphp

  • auth_saml - There's no compatible version with Moodle 3.0+. The code is obsolete and the plugin go beyond the purpose of a authentication plugin, mixing auth and enrol rules.
  • auth_saml2 - It's a complete solution for those that don't have a working SP installation, but, because it generate its own SP, for every single instance of Moodle that you install, you must exchange the metadata with the owner of the IdP. In a environment that there are more than one IdP, this is unpractical.

The following options can be set in config:

  • SimpleSAMLphp installation path
  • Dual login (Yes/No) - Can login with manual accounts like admin
  • Single Sign Off (Yes/No) - Should we sign off users from Moodle and IdP?
  • Username mapping - Which attribute from IdP should be used for username
  • Username checking - Where to check if the username exists
  • Auto create users - Allow create new users
  • SP source name - Generally default-sp in SimpleSAMLphp
  • Logout URL to redirect users after logout
  • Allow users to edit or not the profile
  • Ability to break the full name from IdP into firstname and lastname

To override the authentication and login directly in Moodle (ex.: using admin account), add the saml=off parameter in the URL (ex.: https://my.moodle/login/index.php?saml=off)

Version information

Version build number
2017080100
Version release name
v3.3-r01
Can be updated from
v3.0-r12 (2017013100)
Can be updated to
v3.3-r03 (2017080800), v3.3-r04 (2017081000), v3.4-r02 (2018011500)
Maturity
Stable version
MD5 Sum
b84933677075f436f53009bc5b70f7e8
Supported software
PHP 5.6, PHP 7.0, Moodle 3.3, PHP 7.1
Change log URL
Alternative download URL

Version control information

Version control system (VCS)
GIT
VCS repository URL
VCS tag
v3.3-r01

Default installation instructions for plugins of the type Authentication

  1. Make sure you have all the required versions.
  2. Download and unpack the module.
  3. Place the folder (eg "myauth") in the "auth" subdirectory.
  4. Visit http://yoursite.com/admin to finish the installation