SAML2 SSO Auth

Authentication ::: auth_saml2sso

Maintained by

Daniel Miranda,

AulaWeb Università di Genova

Authentication using exists SimpleSAMLphp Service Provider

Latest release: 9 months

190 sites

147 downloads

16 fans

Current versions available: 4

Download

SAML2 SSO Authentication using exists SimpleSAMLphp Service Provider

You'll need the following pre-requirement:

A working SimpleSAMLphp Service Provider (SP) installation (https://simplesamlphp.org) working means that the metadata from SP must be registered in Identity Provider (IdP). Can be found in /config/authsources.php
The absolute path for the SimpleSAMLphp installation on server
The authsource name from SP in which your users will authenticate against

There are a couple of related SAML plugins for Moodle. Below are the main diferences between this plugin, named as saml2sso, and the others.

The key for this plugin is that you can use your exists Service Provider (SP) without need to exchange the metadata with the Identity Provider (IdP) for every new Moodle instances. (for instances in the same host name)

The following options can be set in config:

SimpleSAMLphp installation path
Dual login (Yes/No) - Can login with manual accounts like admin
Single Sign Off (Yes/No) - Should we sign off users from Moodle and IdP?
Username mapping - Which attribute from IdP should be used for username
Username checking - Where to check if the username exists
Auto create users - (Allow create new users)
Limit concurrent logins to 1 if configured as global setting
SP source name (generally default-sp in SimpleSAMLphp)
Logout URL to redirect users after logout
Allow users to edit or not the profile

To bypass the authentication and login directly in Moodle (ex.: using admin account), add the saml=off parameter in the URL (ex.: https://my.moodle/login/index.php?saml=off)

Useful links

Screenshots

Contributors

Daniel Miranda (Lead maintainer)

View other contributions

AulaWeb Università di Genova

View other contributions

Please login to view contributors details and/or to contact them

Awards

Automated testing support

Early bird 3.5

Privacy friendly

Comments

Daniel Miranda
Wed, 10 Jan 2018, 11:24 PM
Like I said, it seems to me that is a issue with Simplesamlphp configuration.
I wasn't able to reproduce the error.
Please, try the following solution and let me know if it works
https://www.marcus-povey.co.uk/2016/02/09/exception-the-post-data-we-should-restore-was-lost/
Ruben Dario Aybar
Thu, 11 Jan 2018, 2:15 AM
Thank you Daniel Miranda for the reply.

I saw that post and check in the following path Settings> Site administration> Server> Session Handling, try setting a value for 'Cookie prefix'. within Moodle if a session cookie name was set, but it is empty.

In the file config.php of simpleSAMLphp in the variable 'session.phpsession.cookiename' is set 'SimpleSAML'

I do not understand what the error may be due to.

thanks for your help
Richard van Iwaarden
Sat, 13 Jan 2018, 12:20 AM
Sorry for asking here, but when can we expect a version that works for Moodle 3.4?
Daniel Miranda
Sat, 13 Jan 2018, 1:06 AM
I'll update this weekend, but it might works with 3.3
Richard van Iwaarden
Mon, 15 Jan 2018, 11:31 PM
Thanks, but when I try to install the most recent update I get this error:

Downloading auth_saml2sso ... OK
Validating auth_saml2sso ... Error
[Error] Required Moodle version [2017111301]
Installation aborted due to validation failure

I'm running Moodle version Moodle 3.4+ (Build: 20180112)
Daniel Miranda
Tue, 16 Jan 2018, 2:44 AM
I have downgraded the Moodle version requirement to 3.3 release (2017051501).
Please, try again.
callum Wood
Tue, 20 Mar 2018, 11:10 PM
Hi Daniel,

I'm currently trying to implement this plugin using an IdP initiated SSO. When i click the link from the IdP I am getting sent to the following URL:
https://MYMoodle.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp

Should I be going to this above URL with the POST data from the IdP or should I be going to just https://MYMoodle.com ?

When I reach this URL I get the following error from simplesaml:
############
SimpleSAML_Error_Error: ACSPARAMS

Backtrace:
1 modules/saml/www/sp/saml2-acs.php:21 (require)
0 www/module.php:135 (N/A)
Caused by: Exception: Unable to find the current binding.
Backtrace:
2 vendor/simplesamlphp/saml2/src/SAML2/Binding.php:104 (SAML2\Binding::getCurrentBinding)
1 modules/saml/www/sp/saml2-acs.php:16 (require)
0 www/module.php:135 (N/A)
############

The process stops here and I am not redirected to https://MYMoodle.com

However, after this is I go onto https://MYMoodle.com/simplesaml/ and test my authentication sources it is showing that I am authenticated and displays my SAML Subject and 1 attribute which is sent from the POST data.

Thanks in advance for your help.
callum Wood
Wed, 21 Mar 2018, 1:27 AM
Hi Daniel just as an update to my last post.

I've ordered the current user flow:

1. The user logs into the IdP and selects the moodle button

2. The user is redirected to: https://MyMoodle.com/simplesaml/module.php/saml/sp/saml2-acs.php/myMoodle.comSpName along with some POST data and successfully authenticates.

3. The relay state then sends the user back to Moodle (this works up to this point)

4. The user then is redirected to the following URL: https://MyMoodle.com.com/simplesaml/module.php/saml/sp/discoresp.php?AuthID=_fksandfknsdfk;lnasdf;klnaskdlfna;sfdknsdfhttps%3A%2F%2FMyMoodle.com%2Fsimplesaml%2Fmodule.php%2Fcore%2Fas_login.php%3FAuthId%3Ddefault-sp%26ReturnTo%3Dhttps%253A%252F%252FMyMoodle.com%252Flogin%252Findex.php&idpentityid=EntityIDName

4. When the user hits the Moodle page they are redirected to the "SingleSignOnService Location = 'http://doesnotexist.com' " which is contained in the IdP metadata.

I can see that the user is successfully getting authenticated with simplesamlphp but is not getting redirected and logged in to moodle, they are instead getting redirected to http://doesnotexist.com The SingleSignOnService should be ignored as the user has already been authenticated (as this is IdP initiated) and they should be logged into moodle. So the set up with SimpleSaml is working correctly however Moodle/the plugin is not handling this as expected.
Daniel Miranda
Thu, 22 Mar 2018, 7:49 PM
Callum Wood, I think you have a misunderstood about IdP.
You must configure Moodle to redirect users to IdP and get response from it.
Do you have a Identity Provider and a Service Provider working together?
Harold Yung
Tue, 27 Mar 2018, 5:13 PM
Hi,

My environment:
Moodle 3.4.2
SimpleSAMLphp 1.15.4
saml2sso: Release v3.4-r02

My IdP is ADFS. I get the same error which continually sending 6 requests to ADFS and then blocked by ADFS. I read the article in https://www.marcus-povey.co.uk/2016/02/09/exception-the-post-data-we-should-restore-was-lost/ but no idea to change it. Actually, I can find the setting 'session.phpsession.cookiename' in config file but what is the value should I change?

My ADFS administrator had checked and said their setting is correct. I can successfully get the response from "Test authentication sources" of simplesamlphp (https://xxx/simplesaml/module.php/core/authenticate.php?as=mysp). Moreover, the mapping of attributes username, lastname, firstname ane email are copy from this test page and so I sure they are correct. If any settings are wrong in my Moodle?

Thank your for attention and help!
Daniel Miranda
Fri, 6 Apr 2018, 4:43 AM
Harold Yung, it seems you have a SimpleSAMLphp issue.

Do you have a proper SimpleSAMLphp Service Provider in the same host name as Moodle? (https://xxx/moodle)
In my understood you are trying to redirect users from Moodle directly to Identity Provider.

In my environment I have a SimpleSAMLphp Service Provider in the same host name as Moodle.
Ex.:
My Moodle is hosting in https://moodle.dev
My Service Provider is hosting in https://moodle.dev/sso/
and my Identity Provider is hosting in https://idp.dev/sso

when users try to access Moodle, the auth_saml2sso plugin require authentication from my Service Provider and then users are redirected to IdP.

About the session.cookiename I leave as default 'SimpleSAML'
Harold Yung
Fri, 13 Apr 2018, 11:01 AM
Hi Daniel,

Yes, the SimpleSAMLphp Service Provider is at the same host as Moodle.
My Moodle: https://moodle.mydomain/moodle34/
My SimpleSAMLphp: https://moodle.mydomain/simplesaml/
My Identity Provider: https://websso.subdomain.mydomain/adfs/

I try to change session.cookiename but it does not work. If any way to further check?

Thank you very much!
Ketan Ajudiya
Thu, 7 Jun 2018, 9:04 PM
Hi Daniel Miranda,

I am new to moodle and i am trying to implement SSO to my website.
so I have setup moodle on my server and installed plugin "SAML2 SSO Auth"
and then I have setup "SimpleSAMLphp Service Provider" on my server, all great till now.
But when i enabled plugin and setup things which plugin requires, i wont able to access moodle at all even i can not able to login to moodle admin? also moodle login screen look messy. it was all correct before plugin activated.
when i try to login in moodle it redirect me to "SimpleSAMLphp" (setup on server) login screen and I am not sure which username/password it accepts.
I have tried my website user login details but it says "Incorrect username or password" not sure what to do.
since i am new to this, am i doing something wrong? or missing to add some settings?
Please guide as i am not able to access moodle as a user or admin.

what I am expecting is to setup that when user login to my website and when click on Moodle link placed on my website it should not ask any login details and directly login to Moodle. is it possible with this plugin? please give some details how to achieve my goal.

Thank you,
Ketan Ajudiya
Thu, 7 Jun 2018, 9:07 PM
sorry forgot to mentioned versions.
I am on moodle 3.5 and SimpleSAMLphp 1.15.4
Péter Lukács
Tue, 7 Aug 2018, 2:15 PM
Problems with the latest 3.5 release. It seems that the release v3.5-r00 is a renamed v3.4-r02 without any modifications. Can you fix it? Thanks.