Moodle plugins directory: SAML2 SSO Auth | Moodle.org
SAML2 SSO Auth
Authentication ::: auth_saml2sso
Maintained by Daniel Miranda, AulaWeb Università di Genova
Authentication using an existing SimpleSAMLphp Service Provider
Latest release:
190 sites
140 downloads
16 fans
Current versions available: 4
SAML2 SSO Authentication using an existing SimpleSAMLphp Service Provider
You'll need the following prerequisites:
- A working SimpleSAMLphp Service Provider (SP) installation (https://simplesamlphp.org). Working means that the SP's metadata has been registered with the Identity Provider (IdP). The SP configuration can be found in /config/authsources.php
- The absolute path of the SimpleSAMLphp installation on the server
- The name of the SP authsource your users will authenticate against
There are a couple of related SAML plugins for Moodle. Below are the main differences between this plugin, named saml2sso, and the others.
The key point of this plugin is that you can use your existing Service Provider (SP) without needing to exchange metadata with the Identity Provider (IdP) for every new Moodle instance (for instances on the same host name).
The following options can be set in config:
- SimpleSAMLphp installation path
- Dual login (Yes/No) - Allows login with manual accounts such as admin
- Single Sign Off (Yes/No) - Should we sign off users from Moodle and IdP?
- Username mapping - Which attribute from IdP should be used for username
- Username checking - Where to check if the username exists
- Auto create users - (allow creating new users)
- Limit concurrent logins to 1 if configured as global setting
- SP source name (generally default-sp in SimpleSAMLphp)
- Logout URL to redirect users after logout
- Whether users are allowed to edit their profile
To bypass the authentication and log in directly to Moodle (e.g. using the admin account), add the saml=off parameter to the URL (e.g. https://my.moodle/login/index.php?saml=off)
Contributors
Daniel Miranda (Lead maintainer)
AulaWeb Università di Genova
The saml2 refers to the specification about SAML 2.0.
Because of this, I named auth_saml2_auth, with auth in the end, to differentiate from the existing auth_saml2.
But, if this is a concern, I can change to a better name.
I think auth_saml2_sso is a good one.
We have a plugin called "auth_saml2" in the plugins directory.
It would be better not to add an underscore to the end of that name and create a new plugin name.
Even "auth_saml2auth" would be better.
This is because the frankenstyle naming convention in Moodle requires functions to be prefixed with the plugin name, e.g.:
function auth_saml2_dosomething()
function auth_saml2_auth_dosomething();
The "auth_saml2" plugin could legitimately have a function called
function auth_saml2_auth() - which could then clash with your plugin
Does that make more sense now?
I already changed the plugin name to auth_saml2sso in github.
Do I need to submit a new plugin or can a submit the changes here?
If it is possible to keep it here, that would be great, because the discussion here was very constructive to me. It's my first plugin contribution.
Normally we would shut this plugin record down and would ask you to submit a new one (as technically they are two distinct plugins). I'll try to change the frankenstyle directly in the database and will let you know.
I had to delete all the previously uploaded versions as they did not validate any more, having the different component name in the version.php. Please upload a new version ZIP with the plugin component set to the new name.
By the way, I noticed the version tagged as v3.0-r4 in your github repository still has the -r3 in the version.php and that was changed after tagging in additional commit. It seems it would be easiest to change the release name in version.php to v3.0-r5, tag the latest version as v3.0-r5 and upload it as a new ZIP here.
With regard to the previous comments, thanks both Dan and Ivan for useful feedback. The new component (frankenstyle) name looks better and has less chance of collisions (even though I would not expect multiple SAML auth plugins installed at once to be something common).
Thanks to David Mudrák that has changed the plugin's name directly in database to maintain this discussion.
I hope it can be useful to everyone that needs a single sign on solution.
Ok, let us wait for final word from Ivan here. Thanks for your patience.
There is another thing. I can see that this plugin redirects to an IdP unconditionally, without an option to choose to enter manual credentials (like the auth_saml plugin does). Is there a special reason for that and actually, would it be possible to implement that choice? Keeping the option to redirect to IdP right away of course. I can see that the SAML users have the saml auth type, so this should be easy to achieve. Using the existing mechanism of appending "?saml=off" is not practical: an admin will have to manually create a login page with that string appended, so in other words, manually implement this choice, while it can be shipped with the plugin.
I also left some bug reports in a tracker. It's not complete yet, I will need to continue working on the review.
Best regards,
Ivan
Concerning the issues on github, I'm already checking.
Can you help me to figure out how to validate the Data mapping form to avoid the empty fields that are required?
I very much appreciate your help and report, and because it's my first contribution, I'm trying to do my best.
The basic validation can be done in auth.php in process_config(), but I just checked and authentication plugins do not usually provide fine error reporting, so sending back to a form a list of fields that don't pass the validation would require some additional html in the form. This way I think it's ok to let the form accept empty fields, but I still believe it would be wise to consider what happens if the field is empty.
Thanks a lot for your effort so far. I am thinking about a fully functional replacement of auth_saml, capable of performing generic SAML authentication, that's why I'm trying to pay attention to details.
Best regards,
Ivan
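The two points raised above, validating the data-mapping config fields and deciding what happens when the configured IdP attribute is empty, can be illustrated with a small piece of plain PHP. This is an added example and not code from the auth_saml2sso plugin or from Moodle: it uses no Moodle API, the function names (validate_mapping_config, map_username) and the config keys (username_attribute, sp_source, sp_path) are assumptions chosen to mirror the config options listed in the plugin description, and the attribute set and config arrays are constructed sample data. The shape of the attributes array (attribute name => list of values) is the one SimpleSAMLphp returns for an authenticated user.

```php
<?php
// Added example: plain PHP with no Moodle dependencies. Function names and
// config keys are hypothetical stand-ins for the plugin's real settings.
declare(strict_types=1);

/**
 * Validate the data-mapping part of the config before it is saved.
 * Returns field => error message; an empty array means the config is valid.
 * $required lists the fields that must not be empty (assumed set of keys).
 */
function validate_mapping_config(array $config, array $required = ['username_attribute', 'sp_source', 'sp_path']): array
{
    $errors = [];
    $clean = [];
    foreach ($required as $field) {
        $clean[$field] = isset($config[$field]) ? trim((string) $config[$field]) : '';
        if ($clean[$field] === '') {
            $errors[$field] = "Required field '$field' is empty";
        }
    }
    // The description requires the absolute path of the SimpleSAMLphp
    // installation, so reject a relative path even when it is non-empty.
    if (!isset($errors['sp_path']) && $clean['sp_path'][0] !== '/') {
        $errors['sp_path'] = 'SimpleSAMLphp installation path must be absolute';
    }
    return $errors;
}

/**
 * Derive the Moodle username from the attributes released by the IdP.
 * SimpleSAMLphp returns attributes as name => array of values.
 * Returns null when the configured attribute is unset, missing from the
 * assertion, or has an empty first value, so the caller can refuse the
 * login instead of creating or matching an account with an empty username.
 */
function map_username(array $attributes, string $attrname): ?string
{
    if ($attrname === '' || !isset($attributes[$attrname])) {
        return null;
    }
    $values = (array) $attributes[$attrname];
    $value = trim((string) ($values[0] ?? ''));
    if ($value === '') {
        return null;
    }
    // Moodle stores usernames in lower case; normalise so the same IdP user
    // always maps to the same account regardless of attribute casing.
    return mb_strtolower($value);
}

// Constructed sample config: one valid, one with an empty mapping field and
// a relative installation path.
$goodconfig = ['username_attribute' => 'uid', 'sp_source' => 'default-sp', 'sp_path' => '/var/simplesamlphp'];
$badconfig  = ['username_attribute' => '', 'sp_source' => 'default-sp', 'sp_path' => 'simplesamlphp'];
var_dump(validate_mapping_config($goodconfig));
print_r(validate_mapping_config($badconfig));

// Constructed sample attribute set as released by an IdP for one user.
$attrs = [
    'uid' => ['JDoe'],
    'mail' => ['jdoe@example.org'],
    'eduPersonAffiliation' => [],
];
var_dump(map_username($attrs, 'uid'));
var_dump(map_username($attrs, 'eduPersonAffiliation'));
var_dump(map_username($attrs, 'cn'));
```

Run it with `php` on the command line. The point of returning null from map_username rather than an empty string is that an empty username is the worst case Ivan asks about: with auto-create enabled it would otherwise lead to an account with no usable name, and with username checking it could match the wrong record.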
I have released a new version (v3.0-r8) which includes corrections for all three issues about config form validation.
In the next versions I'll change the dual login procedure to give users the option to choose IdP or local login.
Thank you for your support
Apologies, I do not have access to my test installation now. I should have feedback on Monday, sorry for that.
Best regards,
Ivan
Great job, thanks a lot! I am happy to recommend this plugin to be approved.
Best regards,
Ivan
Thank you guys so much for this excellent example of how a plugin approval peer-review can improve the plugin for everybody. I am happy to approve this now. You are cleared to land, welcome to the Plugins directory!