SAML2 SSO Auth

Authentication ::: auth_saml2sso

Maintained by

Daniel Miranda,

AulaWeb Università di Genova

Authentication using exists SimpleSAMLphp Service Provider

Latest release: 10 months

191 sites

143 downloads

16 fans

Current versions available: 4

Download

SAML2 SSO Authentication using exists SimpleSAMLphp Service Provider

You'll need the following pre-requirement:

A working SimpleSAMLphp Service Provider (SP) installation (https://simplesamlphp.org) working means that the metadata from SP must be registered in Identity Provider (IdP). Can be found in /config/authsources.php
The absolute path for the SimpleSAMLphp installation on server
The authsource name from SP in which your users will authenticate against

There are a couple of related SAML plugins for Moodle. Below are the main diferences between this plugin, named as saml2sso, and the others.

The key for this plugin is that you can use your exists Service Provider (SP) without need to exchange the metadata with the Identity Provider (IdP) for every new Moodle instances. (for instances in the same host name)

The following options can be set in config:

SimpleSAMLphp installation path
Dual login (Yes/No) - Can login with manual accounts like admin
Single Sign Off (Yes/No) - Should we sign off users from Moodle and IdP?
Username mapping - Which attribute from IdP should be used for username
Username checking - Where to check if the username exists
Auto create users - (Allow create new users)
Limit concurrent logins to 1 if configured as global setting
SP source name (generally default-sp in SimpleSAMLphp)
Logout URL to redirect users after logout
Allow users to edit or not the profile

To bypass the authentication and login directly in Moodle (ex.: using admin account), add the saml=off parameter in the URL (ex.: https://my.moodle/login/index.php?saml=off)

Useful links

Screenshots

Contributors

Daniel Miranda (Lead maintainer)

View other contributions

AulaWeb Università di Genova

View other contributions

Please login to view contributors details and/or to contact them

Awards

Automated testing support

Early bird 3.5

Privacy friendly

Comments

Sean Bradley
Fri, 9 Dec 2016, 2:38 PM
Sadly, this doesn't seem to work with 3.2.

simplesamlphp tests fine, but when I try to use this plug-in to authenticate, I get:

Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] SimpleSAML_Error_NoState: NOSTATE
Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] Backtrace:
Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] 2 /var/simplesamlphp/lib/SimpleSAML/Auth/State.php:232 (SimpleSAML_Auth_State::loadState)
Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] 1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:54 (require)
Dec 9 17:01:10 thgs-moodle3 simplesamlphp[46705]: 3 [a986d826db] 0 /var/simplesamlphp/www/module.php:135 (N/A)
Daniel Miranda
Sat, 10 Dec 2016, 11:44 PM
Hey Sean, can you provide more information about the error.
I tested the last release with Moodle 3.2 and everything works fine.
It seems to be a simplesamlphp releated error. Generally a bad configuration.
You can add a issue in github tracker with error print.

Thank you.
Anderson Hsu
Sat, 12 Aug 2017, 9:21 PM
Can we use the plugin for Signal Sign On with confluence ? We use ldap account to login moodle and confluence. We try to find signal sign on way for them. Thanks a lot.
Daniel Miranda
Sat, 12 Aug 2017, 9:58 PM
If you already have a working LDAP, I think it is better to use the Moodle Core LDAP login method.
A SAML Identity Provider should be used to agregate more than one different authentication method.
If you can, set it up for example a SimpleSAMLphp Identity provider that authenticate your users on LDAP and then use this plugin to login Moodle users. In Confluence you can use any other SAML plugin. It is a bit confuse to start from scracth.
This plugin will only works with SimpleSAMLphp Service Provider.
IS Licenses
Thu, 14 Sept 2017, 3:37 AM
Hi Daniel

We currently have moodle 3.3.1 and SimpleSAMLphp 1.14.15.
SimpleSAMLphp is configured with an SP source name (wcchc-cloud) and the IdP is Microsoft ADFS.
The SimpleSAMLphp test authentication works fine.

When I attempt to log in to moodle using the plugin, it repeatedly authenticates against the IdP and after 6 tries Microsoft ADFS simply returns a responder error.

And it doesn't seem to matter what combination of settings I try either in the SAML2 SSO Auth page or on the IdP side.

Any assistance would be greatly appreciated it.

Thank you, John Willams
Daniel Miranda
Thu, 14 Sept 2017, 4:11 AM
You should verify the returned attributes from the IdP and assure that the fields are correctly set in config page. You can get the attributes from IdP page (module.php/core/authenticate.php?as=wcchc-cloud).

Can you please submit the response error from ADFS?
IS Licenses
Thu, 14 Sept 2017, 6:55 AM
Thanks Daniel for your reply

So ADFS does respond with attributes and this what I see right now on module.php/core/authenticate.php?as=wcchc-cloud:

Your attributes
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress jwilliams@wcchc.com
http://schemas.microsoft.com/ws/2013/11/alternateloginid jwilliams
SAML Subject
NameId jwilliams
Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient

But as I mentioned, the plugin repeatedly calls the IdP.

Not sure if this is what you're asking for but in the event viewer log entry in ADFS:

Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
https://wcchc-cloud.com/

Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '15' seconds. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.SendSignInResponse(SamlContext context, MSISSignInResponse response)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Daniel Miranda
Thu, 14 Sept 2017, 8:31 AM
I think the issue is with the attributes returned from your IdP.
There is no mapped fields for name and last name (mandatory fields in Moodle) and the fields for email and username are not correctly.
I have never used ADFS. I use LDAP module in SimpleSAMLphp to authenticate users in a Microsoft Active Directory.
My AD returns the below fields:

'attributes' => array('sAMAccountName', 'cn', 'mail', 'brPersonCPF')

Check in your ADFS IdP config if is it possible to define the fields' name and then adjust the plugin config page with the proper names
IS Licenses
Thu, 14 Sept 2017, 3:29 PM
Hi Daniel

So I reconfigured the ADFS to send attributes below but it still repeatedly goes back to the moodle login page and reauthenticates me over and over again (I checked with Chrome developer tools).

From module.php/core/authenticate.php?as=wcchc-cloud:
Your attributes
Mail
mail jwilliams@wcchc.com
User ID
uid jwilliams
Display name
displayName John Williams
Given name
givenname John
Surname
sn Williams
SAML Subject
NameId jwilliams
Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient

I've removed and then reset all the mappings in the SAML2 SSO Auth plugin configuration page. The current settings are:
Username = uid
First name = givenname
Last name = sn

Thanks for all your help Daniel
Daniel Miranda
Thu, 14 Sept 2017, 6:57 PM
Ok, now lets try something else.

Is it possible to you to modify the auth.php code?
If yes, we will add a break point in code to verify what is going on after authentication success.

edit /auth/saml2sso/auth.php

on line 139 add the code below:

echo "
";
var_dump($attributes);

and then

on line 167 add the code below:

var_dump($isuser);
die();

To be sure, clean up the moodle cache and try again to authenticate.

Post the result here (be advice about sensitive data, remove if needed)
Daniel Miranda
Thu, 14 Sept 2017, 7:03 PM
Moodle has changed the previous message

you can put "e c h o < p r e >" before the first var_dump

line 139
e c h o < p r e > ;
var_dump($attributes);

line 167
var_dump($isuser);
die();
Naaman Fallouh
Mon, 30 Oct 2017, 5:45 AM
Hi,
I'm trying this plugin in a Moodle 3.2 instance, and after successfully authenticating users to the IdP it fails sign in into Moodle correctly, instead, it goes through endless loop of requesting URL's like these:
https://sspidp.svuonline.org/saml2/idp/SSOService.php?SAMLRequest=fVJd...TX4B&RelayState=https%3A%2F%2Fmoodletest.svuonline.org%2Flogin%2Findex.php

https://sspidp.svuonline.org/saml2/idp/SSOService.php?SAMLRequest=fVLJ...c%3D&RelayState=https%3A%2F%2Fmoodletest.svuonline.org%2Flogin%2Findex.php

Where https://sspidp.svuonline.org is the used IdP server.

Any help about this issue?

Best regards,
Ruben Dario Aybar
Mon, 8 Jan 2018, 10:51 PM
Hi,

After a successfull auth on the IDP, it redriects me back to my SP and I'm receiving this error from the SimpleSAMLphp:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: The POST data we should restore was lost.
Backtrace:
1 modules/core/www/postredirect.php:38 (require)
0 www/module.php:135 (N/A)

The error detected in syslog:

Jan 5 16:38:15 servidorX simplesamlphp[27557]: 7 [05007a3d7b] Session: 'wso2-sp' not valid because we are not authenticated.
Jan 5 16:38:15 servidorX simplesamlphp[27557]: 7 [05007a3d7b] Saved state: '_45a330829a2b49a529bf8a869d7bddefa363d13fdf'
Jan 5 16:38:15 servidorX simplesamlphp[27557]: 7 [05007a3d7b] Sending SAML 2 AuthnRequest to 'ssohalab1.x.x.x'
Jan 5 16:38:15 servidorX simplesamlphp[27557]: 7 [05007a3d7b] Redirect to 712 byte URL: https://ssolab/samlsso?SAMLRequest=pZJLb9swEIT&RelayState=https.x.x.x.php.php (#012)
Jan 5 16:38:15 servidorX simplesamlphp[27557]: 4 [05007a3d7b] The class or interface 'SimpleSAML_Auth_Simple' is now using namespaces, please use 'SimpleSAML\Auth\Simple'.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Loading state: '_45a330829a2b49a529bf8a869d7bddefa363d13fdf'
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 4 [20279a93ae] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 4 [20279a93ae] Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Received SAML2 Response from 'ssohalab1.x.x.x'.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 5 [20279a93ae] Validating certificates by fingerprint is deprecated. Please use certData or certificate options in your remote metadata configuration.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Found 1 certificates in SAML2\Response
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Has 1 candidate keys for validation.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Validation with key #0 succeeded.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 5 [20279a93ae] Validating certificates by fingerprint is deprecated. Please use certData or certificate options in your remote metadata configuration.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Found 1 certificates in SAML2\Assertion
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Has 1 candidate keys for validation.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Validation with key #0 succeeded.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Filter config for ssohalab1.rec.uba.ar->https://servidorX/simplesaml/module.php/saml/sp/metadata.php/wso2-sp: array ( 0 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array( 'langattr' => 'preferredLanguage', 'priority' => 90, )),)
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Session: doLogin("wso2-sp")
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] Backtrace:
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] 1 /var/simplesamlphp/www/_include.php:45 (SimpleSAML_exception_handler)
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] 0 [builtin] (N/A)
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] Caused by: Exception: The POST data we should restore was lost.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] Backtrace:
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] 1 /var/simplesamlphp/modules/core/www/postredirect.php:38 (require)
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] 0 /var/simplesamlphp/www/module.php:135 (N/A)
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 3 [20279a93ae] Error report with id dfb816de generated.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Session: Valid session found with 'wso2-sp'.
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Localization: using old system
Jan 5 16:38:58 servidorX simplesamlphp[27574]: 7 [20279a93ae] Template: Reading [/var/simplesamlphp/dictionaries/errors]

The plugin version used is:

v3.3-r04 (2017081000)Moodle 3.3
Release date: Friday, 11 August 2017, 12:23 AM

the moodle version used is:

Moodle 3.3.2 (Build: 20170911)

Can you help with this?
Daniel Miranda
Mon, 8 Jan 2018, 11:17 PM
Can you tell me which version of SimpleSAMLphp you are using?
It seems to me that it is a issue with simplesamlphp installation.
You can verify the version throught https://servidorX/simplesaml/module.php/core/frontpage_config.php
Ruben Dario Aybar
Tue, 9 Jan 2018, 3:00 AM
Thank you Daniel Miranda for the reply.

The SimpleSAMLphp used is:

/var/simplesamlphp (1.15.0)

thanks for your help