Moodle plugins directory: SAML2 SSO Auth | Moodle.org
SAML2 SSO Auth
Authentication ::: auth_saml2sso
Maintained by 
Daniel Miranda, 
AulaWeb Università di Genova
Authentication using exists SimpleSAMLphp Service Provider
Latest release:
191 sites
145 downloads
16 fans
Current versions available: 4
SAML2 SSO Authentication using exists SimpleSAMLphp Service Provider
You'll need the following pre-requirement:
- A working SimpleSAMLphp Service Provider (SP) installation (https://simplesamlphp.org) working means that the metadata from SP must be registered in Identity Provider (IdP). Can be found in /config/authsources.php
- The absolute path for the SimpleSAMLphp installation on server
- The authsource name from SP in which your users will authenticate against
There are a couple of related SAML plugins for Moodle. Below are the main diferences between this plugin, named as saml2sso, and the others.
The key for this plugin is that you can use your exists Service Provider (SP) without need to exchange the metadata with the Identity Provider (IdP) for every new Moodle instances. (for instances in the same host name)
The following options can be set in config:
- SimpleSAMLphp installation path
- Dual login (Yes/No) - Can login with manual accounts like admin
- Single Sign Off (Yes/No) - Should we sign off users from Moodle and IdP?
- Username mapping - Which attribute from IdP should be used for username
- Username checking - Where to check if the username exists
- Auto create users - (Allow create new users)
- Limit concurrent logins to 1 if configured as global setting
- SP source name (generally default-sp in SimpleSAMLphp)
- Logout URL to redirect users after logout
- Allow users to edit or not the profile
To bypass the authentication and login directly in Moodle (ex.: using admin account), add the saml=off parameter in the URL (ex.: https://my.moodle/login/index.php?saml=off)
Screenshots
Contributors
Daniel Miranda (Lead maintainer)
AulaWeb Università di Genova
Please login to view contributors details and/or to contact them
It is possible to use multiauth module in SimpleSAMLphp to achieve this.
So you need to configure this in SimpleSAMLphp not in SAML2SSO.
Is that correct?
I already found the multiauth configuration option in SimpleSAMLphp, I understand that it's only possible to configure one
authentication source in the plugin, but also in Moodle. There's only one attribute in the mdl_user table (auth attribute) which
declares the authentication for the user on your Moodle site. I'll take a look at the multiauth configuration, thanks.
I can say that it is possible to use multiauth, for example, using a SQL database and a LDAP at the sametime (this is my scenario) or you can have more then one Identity Provider, for example a external IdP (this is my scenario too).
So, I have my users doing authentication against my own IdP and a external IdP. When the user choose my IdP it is possible to authenticate against a SQL database and/or a LDAP server.
I have made a simplesSAMLphp module that try to authtenticate a user, first in SQL database and if it fails then try again in LDAP. You can see this module in my github (https://github.com/dmirandaa/autochooseauth)
I don't understand if this plugin makes Moodle an Identity Provider (use Moodle users database to connect to other websites) or Service Provider (connect to Moodle form another users database) ?
this plugin is a bridge to a SimpleSAMLphp installation as Service Provider. Hovewer, the plugin is agnostic regards the authentication sources used by SimpleSAMLphp, usually a SAML 2.0 IdP, but also LDAP, SQL databases, Facebook, X.509 certificates, Twitter, RADIUS, and many others services are supported by SimpleSAMLphp out-of-the-box.
I installed your plugin in the most recent version in a test environment.
Moodle in the newest version (until late last week it was still 3.9, but no difference)
SimpleSAMLphp is 1.19.0-rc1 and set up as an SP.
As an IDP I am using jumpcloud.com (the combination Moodle LDAP login together with jumpcloud works fine).
If I use the SimpleSAML configuration test, I can log into the jumpcloud account and get transferred back with a valid login to the simplesaml test page.
According to the test settings feature of your plugin everything is working fine.
When I try to login via SAML, I am being redirected to the jumpcloud server, log in there and get redirected to my moodle. There I always get the following message:
There is no valid e-mail address from Identity Provider
You are still connected in a SSO session Click here to logout
Do you have any tipp/hint, what I might have to check to get SAML login working?
Thank you
I suppose you already map an attribute from the IdP to the Moodle email field in the plugin configuration, otherwise this is the problem origin.
If the mapping is defined, there are three scenarios that you can check using the simplesaml test page:
1) your IdP never provide an email address in the SAML assertion because is filtered out by the admin/settings: the test page will not show your email address and you have to check the IdP configuration for this issue
2) your IdP provide the e-mail address but it is trasported by an attribute with a name different form the usual "mail" (as in LDAP); if this is the case you have two options: change the map to read the e-mail address from this attribute or configure the Authsource in the SimpleSAMLphp Service Provider to translate the attribute names (e.g. from the OID or MS-ADFS styles to the LDAP one)
3) for some reason, your own entry in the IdP Authsource backend has no value for your e-mail address: since it is mandatory in Moodle, you can mark the option "Allow empty email" in the plugin configuration and Moodle will prompt you to complete the profile with an e-mail address at the first login
My IDP authenticates the users against a users database, and I'm trying to activate the users synch through the External Database on the same external database.
The synch works fine and creates users in Moodle BUT it didn't bring into Moodle the First name, Last name, Email and the ID number values! any advice?
A question comes to my mind, which is when depending on the External Database plugin for synchronization what set of mapping fields it uses? the set in this plugin OR the set in the external database plugin?
Best regards,
for the synch feature, the mapping must be defined in the External Database plugin (or LDAP plugin if you use it as synch source).
Be aware to set the option Update Local to "On Every Login" for First name, Last name, Email etc..., otherwise if you have already ran a synchronization data of existent users will not be updated. You can reset it to "On Creation" after a successfull run.
Even the SAML plugin has a mapping setup, but it is effective at the login stage, not during the synch task.
Thanks for this helpful SSO authentification plugin : it works nicely on our platform.
One problem though : a logout initiated from the idp doesn't logout the moodle session.
It looks to us that no moodle logout is implemented in the plugin or correctly called when a simplesamlphp idp logout is started. Did we miss something ?
Kind regards,
Jakob Schlüpmann
there isn't an easy solution: SSP can register a logout handler, but it works only for SSP modules where library can be loaded by SSP, not for external component such Moodle plugin. On the other side, Moodle auth plugin interface doesn't provide a "is_still_logged_in()" method.
unfortunately no. I'm sorry.