Moodle plugins directory: SAML Authentication (simpleSAMLphp required) | Moodle.org
SAML Authentication (simpleSAMLphp required)
Donations
Donations are welcome to support the development of the plugin.
Sponsors:
- Mark Stewart - Moodle Administrator in New Zealand
Info of the plugin
This plugin adds SAML authentication support to Moodle.
If you need auto-enrol based on SAML you need to install the SAML Enrolment Plugin too.
Prerequisites
Install a simpleSAMLphp instance on the same machine and configure it as a Service Provider.
Install Instruction
1. Unpack this saml directory into the /auth/ directory as you would for any Moodle auth module (http://docs.moodle.org/en/Installing_contributed_modules_or_plugins).
2. Log in to Moodle as an administrator and activate the module by navigating to Site administration->Plugins->Manage authentication->SAML Authentication.
3. Give the server user permission to write to the auth/saml/saml_config.php file.
Configuration
After the installation we must configure the SAML plugin: go to "Settings" if you are on the "Manage Authentication" page, or go to Users > Authentication > SAML Authentication. These are the fields of the form:
- simpleSAMLphp Path: it will not work unless you specify the saml library path. This refers to the library path for the simpleSAMLphp environment you want to use. For example: /var/simplesamlphp/lib
- SimpleSAMLphp SP source: select the SP source you want to connect to Moodle. (Sources are defined at the simpleSAMLphp SP in /config/authsources.php.)
- SAML username mapping: it is a SAML attribute that will be mapped to the Moodle username. By default, this attribute will be set to 'mail'.
- Single Log out: enable/disable single logout. This will log you out of Moodle, the identity provider and all connected service providers.
- SAML Image: when you enable the SAML authentication plugin, a new button that allows users to authenticate via SAML will be shown on the Moodle login page. By default, the simpleSAMLphp image (something like a fish) will be shown, but you can specify another one you want to use. Note: this image needs to exist on the server, as it is not possible to upload an image through the form right now.
- SAML login description: you can also specify a description text for the previous button. This description will be shown below the SAML image on the Moodle login page.
- Log file path: this is the absolute path of a file where the plugin will log information about its actions. It is optional.
- Hook file path: this is the absolute path of a file with PHP functions that will be called to alter the default behaviour of this plugin. See the file custom_hook.php for more information.
- SAML support Courses: this select has three options:
  - No support (default value): the plugin will not have support for enrolling the user into courses automatically.
  - Internal: the plugin will use an internal database table to map the courses in the next field with Moodle courses.
  - External: the plugin will use a table in an external database to map the courses in the next field with Moodle courses.
- SAML courses mapping: it is a SAML attribute that is mapped to Moodle courses data. By default, it is set to 'schacUserStatus'.
- Field used to identify a course: this can be the Short Name or the Number ID and refers to the Moodle field used to identify a course during the matching phase of the plugin.
- Ignore inactive courses: if this field is checked, the user will stay in previously enrolled courses even if the status of the course is inactive in the SAML attribute.
- Data Mapping section: The Identity Provider (IdP) provides some user data such as the first name, surname, email address, etc. In this section, you can specify the correspondence with the same data in Moodle. By default, the configuration is set as shown below:
  - First name = cn
  - Surname = sn
  - Email Address = mail
- Course Mapping section: The course mapping section allows the administrator to link SAML courses and Moodle courses. To make it work we need to create an intermediate database in which to store this data. This database will have the following internal structure:

| Field | Type | Null | Key | Default | Extra |
|---|---|---|---|---|---|
| course_mapping_id | int(11) | NO | PRI | NULL | auto_increment |
| saml_course_id | varchar(20) | NO | | NULL | |
| saml_course_period | int(4) | NO | | NULL | |
| lms_course_id | text | NO | | NULL | |

Once we have created the database, we need to specify the DSN (Data Source Name), which has the following syntax:
- MySQL: mysql://user:password@host/database_name
- SQLite: sqlite:///path/to/database/file
- PostgreSQL: postgres://user:password@host/database_name
- Below the database DSN field we can start entering course mappings between Moodle and SAML courses. No field can be null: if you try to enter a null course mapping, it will be ignored and not saved in the database. If you try to enter a duplicate course mapping, it will not be saved in the database and you will be redirected to the form, which will show an error. To delete a course mapping, check the corresponding checkbox on the left and click the 'delete' button. You can also update previously entered course mappings at any time, as long as the new data doesn't conflict with any of the existing course mappings. It is possible to enter several course mappings at the same time; add a new row by clicking the '+' button on the right. If no errors happen while entering the course mappings, you will be redirected to the 'Manage Authentication' page, as with any other field of the form.
Internal Changes
- The 'config.html' file was renamed to 'config.php' because it now has PHP code.
- Two new files were created in the SAML plugin directory:
  - 'courses.php': this file contains the PHP code needed for showing the new 'Course mapping' table.
  - 'DBNewDatabase.php': this file contains a tiny function for creating a database connection, because it seems there is a bug when you try to open a SQLite database connection using a DSN.

In 'auth.php' we have used 'validate_form' for validating the form and storing the errors, and 'process_config' for saving the data into the database if there are no errors. Also, the 'sync_roles' function has been modified to map roles and courses.
NOTES
These changes are tested and valid for simpleSAMLphp >= 1.7
Important for enrollment!!
This plugin supposes that the IdP sends the user's course data in an attribute that can be configured, but the pattern of the expected data is always
You can change this pattern by editing the file auth/saml/course_mapping.php
Default pattern is: <country> : <domain> : <courseId> : <period> : <role> : <status>
status can be 'active' or 'inactive';
courseId, period and role depend on the configuration of the mapping.
Example: es:moodle.org:00001:2009-10:student:active
You may prefix it with the URN of your attribute. The default attribute for carrying course data is schacUserStatus, so you may prefix the previous string with the related URN.
Example:
urn:mace:terena.org:schac:userStatus:es:moodle.org:00001:2009-10:student:active
If you use an attribute other than schacUserStatus, or you want to change the format of the course data, you may edit the course_mapping.php file.
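One way to validate course values arriving from the IdP before they are matched against the mapping table, as an added example that is not the plugin's own course_mapping.php. The function names, the return shapes and the allowed field character set are assumptions; the sample values are constructed.

```php
<?php
// Added example, not the plugin's code. Function names, return shapes and the
// allowed field character set are assumptions.
const USERSTATUS_URN = 'urn:mace:terena.org:schac:userStatus:';

// Parses <country>:<domain>:<courseId>:<period>:<role>:<status>; null if malformed.
function parse_course_value(string $value): ?array
{
    $value = trim($value);
    // The URN prefix is optional; strip it when present.
    if (strncasecmp($value, USERSTATUS_URN, strlen(USERSTATUS_URN)) === 0) {
        $value = substr($value, strlen(USERSTATUS_URN));
    }
    $parts = array_map('trim', explode(':', $value));
    if (count($parts) !== 6) {
        return null; // too few or too many fields
    }
    $fields = array_combine(['country', 'domain', 'courseId', 'period', 'role', 'status'], $parts);
    foreach ($fields as $field) {
        // Assumed character set: letters, digits, dot, underscore, hyphen.
        if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $field)) {
            return null;
        }
    }
    // Only the two documented status values are accepted.
    if (!in_array($fields['status'], ['active', 'inactive'], true)) {
        return null;
    }
    return $fields;
}

// Sorts attribute values into active, inactive and rejected (worth logging).
function classify_course_values(array $values): array
{
    $out = ['active' => [], 'inactive' => [], 'rejected' => []];
    foreach ($values as $value) {
        $fields = parse_course_value((string) $value);
        $out[$fields === null ? 'rejected' : $fields['status']][] = $fields ?? $value;
    }
    return $out;
}

// Constructed sample values: two valid, two malformed.
$result = classify_course_values([
    'urn:mace:terena.org:schac:userStatus:es:moodle.org:00001:2009-10:student:active',
    'es:moodle.org:00002:2009-10:teacher:inactive',
    'es:moodle.org:00003:2009-10:student',         // status field missing
    'es:moodle.org:00004:2009-10:student:enabled', // unknown status
]);
vprintf("active=%d inactive=%d rejected=%d\n", array_values(array_map('count', $result)));
```

Writing the rejected values to the plugin's log file keeps malformed or unexpected attribute values from the IdP visible instead of silently ignored.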
Problems with the login view
The SAML auth plugin rewrites the login view; I had to copy some code from the login/index.php view and make some changes. If you find problems with the login view, you can disable the "login view replacement". Edit auth/saml/auth.php and, in the loginpage_hook function, disable the following code:
    if (empty($CFG->alternateloginurl)) {
        $CFG->alternateloginurl = $CFG->wwwroot.'/auth/saml/login.php';
    }
<!--
<h2><?php print_string("returningtosite") ?></h2>
-->
the following code
Who is using SAML plugin?
- Edugate (Irish Higher Education Institutions and Research Organisation)
- University of Huelva
- International University (UNIA)
- University of Malaga
- University of Girona
- University of Salamanca
- Docencia-net
- University of Córdoba
- Universidad de Cádiz
- Universidad de León
- Augsburg College
I had a curious question I couldn't find much information about. There is a Moodle iPhone and Android Application. I just tested accessing the dev site with a SAML login and it doesn't work, which makes sense to me.
I am wondering if anyone has any experience with allowing SAML logins through external applications which only look at the local database?
I tried to install this plugin to version 2.5, but I am stuck at the configuration, e.g. "simpleSAMLphp Path: For example: /var/simplesamlphp/lib"
Whenever I tried to edit the setting I got the following error message: ''It seems there are some errors in the form. Please, see below for correcting them '' and I have installed and configured (required simpleSAMLphp).
Please help
Well done for your brilliant work...
I installed the plugin and it works fine. One question: is it possible to merge my users? Because my IdM usernames are different from Moodle's, I can log in but I have two different users with the same mail. For example, I am admin, but when I logged in with simplesaml I am a simple user.
Thanks for your time!!
Thanks!!!
Also I was wondering if there was any update on the URL pass through. If I use a URL to a particular course or activity, it does not connect through to that course after signing in.
https://github.com/pitbulk/moodle_saml/commit/4e5ba43f797bb552d44c34446c76a87596a1c2e9
I had no time to work on the mobile theme compatibility issue
@Stefanos Geo I sent you a private message some time ago; I hope you read it and your problem is now solved.
"Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@avls.vtrainingroom.us and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."
Has anybody seen anything like this before and know what might be causing it?
Thanks much in advance.
Thanks guys.
SimpleSAMLPHP lib directory /var/simplesamlphp/lib is not correct.
I have typed in numerous things and nothing ever seems to work
Using Moodle 2.5.2 and SimpleSamlphp is correctly installed. Thanks in advance