Moodle plugins directory: SAML2 SSO Auth | Moodle.org
SAML2 SSO Auth
Authentication ::: auth_saml2sso
Maintained by Daniel Miranda, AulaWeb Università di Genova
Authentication using an existing SimpleSAMLphp Service Provider
SAML2 SSO Authentication using an existing SimpleSAMLphp Service Provider
You'll need the following prerequisites:
- A working SimpleSAMLphp Service Provider (SP) installation (https://simplesamlphp.org). "Working" means that the SP metadata has already been registered with the Identity Provider (IdP). The SP definition can be found in /config/authsources.php
- The absolute path of the SimpleSAMLphp installation on the server
- The authsource name from the SP that your users will authenticate against
There are a couple of related SAML plugins for Moodle. Below are the main differences between this plugin, named saml2sso, and the others.
The key point of this plugin is that you can use your existing Service Provider (SP) without needing to exchange metadata with the Identity Provider (IdP) for every new Moodle instance (for instances on the same host name).
The following options can be set in config:
- SimpleSAMLphp installation path
- Dual login (Yes/No) - Allows login with manual accounts such as admin
- Single Sign Off (Yes/No) - Should users be signed off from both Moodle and the IdP?
- Username mapping - Which attribute from the IdP should be used as the username
- Username checking - Where to check whether the username exists
- Auto create users - Allow creating new users
- Limit concurrent logins to 1 if configured as a global setting
- SP source name (generally default-sp in SimpleSAMLphp)
- Logout URL to redirect users to after logout
- Allow users to edit their profile or not
To bypass SAML authentication and log in directly to Moodle (e.g. using the admin account), add the saml=off parameter to the URL (e.g. https://my.moodle/login/index.php?saml=off)
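The mapping settings above (Username mapping, first name, last name, email) decide which IdP attributes become Moodle account fields. The following is an added illustration, not the plugin's own code, of that mapping done defensively: it assumes a map_saml_attributes() helper of its own and uses constructed attribute sets that mirror the two ADFS outputs posted in the comments below.

```php
<?php
// Added illustration (not auth_saml2sso's own code) of what the plugin's
// attribute mapping settings do: pick IdP attributes by name and refuse
// to create a Moodle account when a mandatory field is missing.
// In the real flow $attributes comes from
// (new \SimpleSAML\Auth\Simple($authsource))->getAttributes() after
// requireAuth(); here both attribute sets are constructed samples.

/**
 * Map SimpleSAMLphp attributes (name => list of values) onto Moodle fields
 * using a [moodlefield => samlattribute] mapping. Throws when a required
 * field is absent or empty, so a wrong mapping fails loudly instead of
 * silently sending the browser back to the IdP.
 */
function map_saml_attributes(array $attributes, array $mapping): array {
    $user = [];
    foreach ($mapping as $field => $attr) {
        $values = $attributes[$attr] ?? [];
        $user[$field] = isset($values[0]) ? trim((string) $values[0]) : '';
    }
    // Moodle cannot create an account without these four fields.
    foreach (['username', 'firstname', 'lastname', 'email'] as $required) {
        if (($user[$required] ?? '') === '') {
            throw new RuntimeException("No SAML attribute mapped for '$required'");
        }
    }
    $user['username'] = strtolower($user['username']); // Moodle usernames are lower case
    return $user;
}

// Plugin settings as configured in the thread: Username = uid, etc.
$mapping = ['username' => 'uid', 'firstname' => 'givenname',
            'lastname' => 'sn', 'email' => 'mail'];

// Constructed: ADFS default claim URIs, no given name or surname at all.
$claimUris = [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => ['jdoe@example.com'],
    'http://schemas.microsoft.com/ws/2013/11/alternateloginid' => ['jdoe'],
];
// Constructed: ADFS reconfigured to release LDAP-style attribute names.
$ldapNames = ['mail' => ['jdoe@example.com'], 'uid' => ['JDoe'],
              'givenname' => ['Jane'], 'sn' => ['Doe']];

try {
    map_saml_attributes($claimUris, $mapping); // fails: 'uid' is not released
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
print_r(map_saml_attributes($ldapNames, $mapping));
```

With the claim-URI attribute set the first mapping lookup fails and the user is never created, which is the symptom to look for before assuming the IdP is at fault.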
Contributors
Daniel Miranda (Lead maintainer)
AulaWeb Università di Genova
simplesamlphp tests fine, but when I try to use this plug-in to authenticate, I get:
Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] SimpleSAML_Error_NoState: NOSTATE
Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] Backtrace:
Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] 2 /var/simplesamlphp/lib/SimpleSAML/Auth/State.php:232 (SimpleSAML_Auth_State::loadState)
Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] 1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:54 (require)
Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] 0 /var/simplesamlphp/www/module.php:135 (N/A)
I tested the last release with Moodle 3.2 and everything works fine.
It seems to be a SimpleSAMLphp related error. Generally a bad configuration.
You can add an issue in the GitHub tracker with the error output.
Thank you.
A SAML Identity Provider should be used to aggregate more than one different authentication method.
If you can, set up, for example, a SimpleSAMLphp Identity Provider that authenticates your users on LDAP and then use this plugin to log Moodle users in. In Confluence you can use any other SAML plugin. It is a bit confusing to start from scratch.
This plugin will only work with a SimpleSAMLphp Service Provider.
We currently have moodle 3.3.1 and SimpleSAMLphp 1.14.15.
SimpleSAMLphp is configured with an SP source name (wcchc-cloud) and the IdP is Microsoft ADFS.
The SimpleSAMLphp test authentication works fine.
When I attempt to log in to moodle using the plugin, it repeatedly authenticates against the IdP and after 6 tries Microsoft ADFS simply returns a responder error.
And it doesn't seem to matter what combination of settings I try either in the SAML2 SSO Auth page or on the IdP side.
Any assistance would be greatly appreciated.
Thank you, John Williams
Can you please submit the response error from ADFS?
So ADFS does respond with attributes and this is what I see right now on module.php/core/authenticate.php?as=wcchc-cloud:
Your attributes
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress jwilliams@wcchc.com
http://schemas.microsoft.com/ws/2013/11/alternateloginid jwilliams
SAML Subject
NameId jwilliams
Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
But as I mentioned, the plugin repeatedly calls the IdP.
Not sure if this is what you're asking for but in the event viewer log entry in ADFS:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
https://wcchc-cloud.com/
Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '15' seconds. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.SendSignInResponse(SamlContext context, MSISSignInResponse response)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
There are no mapped fields for name and last name (mandatory fields in Moodle), and the fields for email and username are not correct.
I have never used ADFS. I use the LDAP module in SimpleSAMLphp to authenticate users in a Microsoft Active Directory.
My AD returns the fields below:
'attributes' => array('sAMAccountName', 'cn', 'mail', 'brPersonCPF')
Check in your ADFS IdP config whether it is possible to define the field names, and then adjust the plugin config page with the proper names.
So I reconfigured the ADFS to send the attributes below, but it still repeatedly goes back to the Moodle login page and reauthenticates me over and over again (I checked with Chrome developer tools).
From module.php/core/authenticate.php?as=wcchc-cloud:
Your attributes
Mail
mail jwilliams@wcchc.com
User ID
uid jwilliams
Display name
displayName John Williams
Given name
givenname John
Surname
sn Williams
SAML Subject
NameId jwilliams
Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
I've removed and then reset all the mappings in the SAML2 SSO Auth plugin configuration page. The current settings are:
Username = uid
First name = givenname
Last name = sn
Thanks for all your help, Daniel
Is it possible for you to modify the auth.php code?
If yes, we will add a breakpoint in the code to verify what is going on after authentication succeeds.
edit /auth/saml2sso/auth.php
on line 139 add the code below (the echo '<pre>' goes before the first var_dump):
line 139
echo '<pre>';
var_dump($attributes);
line 167
var_dump($isuser);
die();
I'm trying this plugin in a Moodle 3.2 instance, and after successfully authenticating users to the IdP it fails to sign in into Moodle correctly; instead, it goes through an endless loop of requesting URLs like these:
https://sspidp.svuonline.org/saml2/idp/SSOService.php?SAMLRequest=fVJd...TX4B&RelayState=https%3A%2F%2Fmoodletest.svuonline.org%2Flogin%2Findex.php
https://sspidp.svuonline.org/saml2/idp/SSOService.php?SAMLRequest=fVLJ...c%3D&RelayState=https%3A%2F%2Fmoodletest.svuonline.org%2Flogin%2Findex.php
Where https://sspidp.svuonline.org is the IdP server used.
Any help about this issue?
Best regards,
After a successful auth on the IdP, it redirects me back to my SP and I'm receiving this error from SimpleSAMLphp:
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: The POST data we should restore was lost.
Backtrace:
1 modules/core/www/postredirect.php:38 (require)
0 www/module.php:135 (N/A)
The error detected in syslog:
Jan 5 16:38:15 servidorX simplesamlphp[27557]: 7 [05007a3d7b] Session: 'wso2-sp' not valid because we are not authenticated.
Jan 5 16:38:15 servidorX simplesamlphp[27557]: 7 [05007a3d7b] Saved state: '_45a330829a2b49a529bf8a869d7bddefa363d13fdf'
Jan 5 16:38:15 servidorX simplesamlphp[27557]: 7 [05007a3d7b] Sending SAML 2 AuthnRequest to 'ssohalab1.x.x.x'
Jan 5 16:38:15 servidorX simplesamlphp[27557]: 7 [05007a3d7b] Redirect to 712 byte URL: https://ssolab/samlsso?SAMLRequest=pZJLb9swEIT&RelayState=https.x.x.x.php.php (#012)
Jan 5 16:38:15 servidorX simplesamlphp[27557]: 4 [05007a3d7b] The class or interface 'SimpleSAML_Auth_Simple' is now using namespaces, please use 'SimpleSAML\Auth\Simple'.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Loading state: '_45a330829a2b49a529bf8a869d7bddefa363d13fdf'
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 4 [20279a93ae] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 4 [20279a93ae] Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Received SAML2 Response from 'ssohalab1.x.x.x'.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 5 [20279a93ae] Validating certificates by fingerprint is deprecated. Please use certData or certificate options in your remote metadata configuration.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Found 1 certificates in SAML2\Response
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Has 1 candidate keys for validation.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Validation with key #0 succeeded.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 5 [20279a93ae] Validating certificates by fingerprint is deprecated. Please use certData or certificate options in your remote metadata configuration.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Found 1 certificates in SAML2\Assertion
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Has 1 candidate keys for validation.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Validation with key #0 succeeded.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Filter config for ssohalab1.rec.uba.ar->https://servidorX/simplesaml/module.php/saml/sp/metadata.php/wso2-sp: array ( 0 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 90, )),)
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Session: doLogin("wso2-sp")
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] Backtrace:
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] 1 /var/simplesamlphp/www/_include.php:45 (SimpleSAML_exception_handler)
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] 0 [builtin] (N/A)
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] Caused by: Exception: The POST data we should restore was lost.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] Backtrace:
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] 1 /var/simplesamlphp/modules/core/www/postredirect.php:38 (require)
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] 0 /var/simplesamlphp/www/module.php:135 (N/A)
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] Error report with id dfb816de generated.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Session: Valid session found with 'wso2-sp'.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Localization: using old system
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Template: Reading [/var/simplesamlphp/dictionaries/errors]
The plugin version used is:
v3.3-r04 (2017081000)Moodle 3.3
Release date: Friday, 11 August 2017, 12:23 AM
The Moodle version used is:
Moodle 3.3.2 (Build: 20170911)
Can you help with this?
It seems to me that it is an issue with the SimpleSAMLphp installation.
You can verify the version through https://servidorX/simplesaml/module.php/core/frontpage_config.php
The SimpleSAMLphp used is:
/var/simplesamlphp (1.15.0)
thanks for your help