Maintained by Sixto Martin Garcia
SAML Authentication plugin based on the simplesamlphp software. (Also install the SAML Enrolment plugin if you want auto-enrol based on SAML)
522 sites
264 downloads
21 fans
Current versions available: 4

Donations

Donations are welcome to support the development of the plugin.

Moodle's SAML Plugin

Sponsors:

  • Mark Stewart - Moodle Administrator in New Zealand


Plugin information

This plugin adds SAML authentication support to Moodle.
If you need auto-enrolment based on SAML attributes, you need to install the SAML Enrolment plugin too.


Prerequisites

Install a simpleSAMLphp instance on the same machine and configure it as a Service Provider (SP). simpleSAMLphp is not bundled with this plugin: download, install and configure it before attempting to configure this module.

Install instructions
1. Unpack this saml directory into the /auth/ directory as you would for any Moodle auth module (http://docs.moodle.org/en/Installing_contributed_modules_or_plugins).

2. Log in to Moodle as an administrator and activate the module by navigating to
Site administration -> Plugins -> Manage authentication -> SAML Authentication

3. Give the web server user write permission on the auth/saml/saml_config.php file. Only that file needs to be writable; leave the rest of the plugin directory read-only for the web server user.

Configuration
After the installation you must configure the SAML plugin: go to "Settings" on the
"Manage authentication" page, or go to Users > Authentication > SAML Authentication. These are the fields of the form:

  • simpleSAMLphp path: the plugin will not work unless you specify the path of the simpleSAMLphp library you want to use. For example: /var/simplesamlphp/lib
  • simpleSAMLphp SP source: select the SP authentication source you want to connect to Moodle. (Sources are defined in config/authsources.php of the simpleSAMLphp SP.)
  • SAML username mapping: the SAML attribute that is mapped to the Moodle username. By default this attribute is 'mail'. Whichever attribute you choose must be asserted by the IdP for every user and be unique per user, since it selects the Moodle account.
  • Single Logout: enable or disable single logout. When enabled, logging out logs you out of Moodle, the identity provider and all connected service providers.
  • SAML image: when the SAML authentication plugin is enabled, a new button is shown on the Moodle login page that allows authenticating via SAML. By default the simpleSAMLphp image (something like a fish) is shown, but you can specify another one. Note: this image must already exist on the server, as it is not currently possible to upload an image through the form.
  • SAML login description: a description text for the previous button. It is shown below the SAML image on the Moodle login page.
  • Log file path: the absolute path of a file where the plugin logs information about its actions. It is optional. The file is written by the web server user; keep it outside the web root so it cannot be served.
  • Hook file path: the absolute path of a PHP file whose functions are called to alter the default behaviour of this plugin. See the file custom_hook.php for more information. This file is executed as PHP by the web server, so it must be writable only by the administrator, never by the web server user.
  • SAML support courses: this select has three options:
    • No support (default): the plugin does not enrol users into courses automatically.
    • Internal: the plugin uses an internal database table to map the courses carried in the attribute below to Moodle courses.
    • External: the plugin uses a table in an external database to map the courses carried in the attribute below to Moodle courses.
  • SAML courses mapping: the SAML attribute that carries the course data. By default it is 'schacUserStatus'.
  • Field used to identify a course: Short Name or ID Number; this is the Moodle field used to identify a course during the plugin's matching phase.
  • Ignore inactive courses: if checked, the user stays enrolled in previously enrolled courses even when the SAML attribute marks the course as inactive.
  • Data mapping section: the Identity Provider (IdP) provides user data such as first name, surname and email address. In this section you specify which SAML attribute corresponds to each Moodle field. By default:
    • First name = cn
    • Surname = sn
    • Email address = mail
  • Course mapping section: this section allows the administrator to link SAML courses with Moodle courses. To make it work, an intermediate database must be created to store this data, with the following structure:
    Field               Type          Null  Key  Default  Extra
    course_mapping_id   int(11)       NO    PRI  NULL     auto_increment
    saml_course_id      varchar(20)   NO         NULL
    saml_course_period  int(4)        NO         NULL
    lms_course_id       text          NO         NULL

    Once the database has been created, specify its DSN (Data Source Name), which has the following syntax:
    • MySQL
      mysql://user:password@host/database_name
    • SQLite
      sqlite:///path/to/database/file
    • PostgreSQL
      postgres://user:password@host/database_name
    The DSN embeds the database password and is stored in the plugin configuration, so use a dedicated database account whose rights are limited to the mapping table.
  • Below the database DSN field you can start entering course mappings between Moodle and SAML courses. No field can be empty: a mapping with an empty field is ignored and not saved. A duplicate course mapping is not saved either, and you are redirected to the form with an error. To delete a course mapping, check the corresponding checkbox on the left and click the 'delete' button. You can also update previously entered course mappings at any time, as long as the new data does not conflict with any existing mapping. Several course mappings can be entered at once; add a new row by clicking the '+' button on the right. If no errors occur while entering the course mappings, you are redirected to the 'Manage authentication' page, as with any other field of the form.
In order to support course enrolment you must install the SAML Enrolment plugin; otherwise set SAML support courses to 'No support'.

Internal Changes
The 'config.html' file was renamed to 'config.php' because it now contains PHP code. Two new files were created in the SAML plugin directory:
  • 'courses.php': contains the PHP code that shows the new 'Course mapping' table.
  • 'DBNewDatabase.php': contains a tiny function that creates a database connection, because there seems to be a bug when opening a SQLite database connection using a DSN.

In 'auth.php', 'validate_form' is used to validate the form and store the errors, and 'process_config' to save the data into the database when there are no errors. The 'sync_roles' function has also been modified to map roles and courses.

NOTES
These changes are tested and valid for simpleSAMLphp >= 1.7

Important for enrollment!!

This plugin assumes that the IdP sends the user's course data in an attribute that can be configured (see 'SAML courses mapping' above), but each value of that attribute is expected to follow a fixed pattern.

Default pattern: <country>:<domain>:<courseId>:<period>:<role>:<status>
status can be 'active' or 'inactive';
courseId, period and role depend on the configuration of the mapping.
Example: es:moodle.org:00001:2009-10:student:active

The value may be prefixed with the URN of your attribute. The default attribute for carrying course data is schacUserStatus, so you may prefix the previous string with the related URN.
Example:
urn:mace:terena.org:schac:userStatus:es:moodle.org:00001:2009-10:student:active

Note that the role and status fields come from the IdP, so it is the IdP, not Moodle, that decides which role the user gets in each mapped course; only accept this attribute from an IdP you trust to make that decision.

If you use an attribute other than schacUserStatus, or you want to change the format of the course data, edit the file auth/saml/course_mapping.php.
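The attribute pattern above and the course mapping table from the Configuration section together decide what can be enrolled. As an added example, not code from the plugin itself, here is a PHP parser for values in the default pattern (with the optional URN prefix) plus a lookup against rows shaped like the mapping table; the function names and the in-memory rows standing in for the table are assumptions. Malformed values and unknown statuses are dropped rather than guessed at, which is the behaviour you want from anything that turns an IdP attribute into an enrolment.

```php
<?php
// Added example, not code from the auth/saml plugin: parse the course values
// the IdP sends in the configured attribute (schacUserStatus by default) and
// resolve them against rows shaped like the course mapping table.
// Function names and the in-memory mapping rows are assumptions for this example.

// Optional URN prefix the IdP may put in front of each value.
define('SCHAC_USER_STATUS_URN', 'urn:mace:terena.org:schac:userStatus:');

/**
 * Parse one attribute value of the form
 *   <country>:<domain>:<courseId>:<period>:<role>:<status>
 * Returns an associative array, or null when the value does not match,
 * so a malformed value can never turn into an enrolment.
 */
function parse_course_value($value) {
    $value = trim((string) $value);
    if (strpos($value, SCHAC_USER_STATUS_URN) === 0) {
        $value = substr($value, strlen(SCHAC_USER_STATUS_URN));
    }
    $parts = explode(':', $value);
    if (count($parts) !== 6) {
        return null;                      // wrong number of fields
    }
    list($country, $domain, $courseid, $period, $role, $status) = $parts;
    if ($status !== 'active' && $status !== 'inactive') {
        return null;                      // status is restricted to two literals
    }
    if ($country === '' || $domain === '' || $courseid === '' || $period === '' || $role === '') {
        return null;                      // no empty fields
    }
    return array('country' => $country, 'domain' => $domain, 'courseid' => $courseid,
                 'period' => $period, 'role' => $role, 'status' => $status);
}

/**
 * Match parsed values against mapping rows (saml_course_id, saml_course_period,
 * lms_course_id). Returns the Moodle courses to enrol ('active'), the ones
 * flagged for unenrolment ('inactive') and the values with no mapping row.
 * courseId and period are compared as strings here; the mapping table stores
 * the period as int(4), so build the key the way your rows store it.
 */
function resolve_courses(array $values, array $rows) {
    $index = array();
    foreach ($rows as $row) {
        $index[$row['saml_course_id'] . '|' . $row['saml_course_period']] = $row['lms_course_id'];
    }
    $result = array('active' => array(), 'inactive' => array(), 'unmapped' => array());
    foreach ($values as $value) {
        $parsed = parse_course_value($value);
        if ($parsed === null) {
            continue;                     // malformed: skip, never guess
        }
        $key = $parsed['courseid'] . '|' . $parsed['period'];
        if (!isset($index[$key])) {
            $result['unmapped'][] = $value;
            continue;
        }
        $result[$parsed['status']][] = array('course' => $index[$key], 'role' => $parsed['role']);
    }
    return $result;
}

// Constructed sample input: what $saml_attributes['schacUserStatus'] might hold
// (a SAML attribute is multi-valued, hence an array) and two mapping rows.
$attribute_values = array(
    'urn:mace:terena.org:schac:userStatus:es:moodle.org:00001:2009-10:student:active',
    'es:moodle.org:00002:2009-10:teacher:inactive',
    'es:moodle.org:00003:2009-10:student:active',    // course without a mapping row
    'es:moodle.org:00004:2009-10:student:enrolled',  // status outside the two literals
);
$mapping_rows = array(
    array('saml_course_id' => '00001', 'saml_course_period' => '2009-10', 'lms_course_id' => 'MATH101'),
    array('saml_course_id' => '00002', 'saml_course_period' => '2009-10', 'lms_course_id' => 'HIST200'),
);
print_r(resolve_courses($attribute_values, $mapping_rows));
```

The lookup key deliberately uses both course id and period, matching the two SAML columns of the table, so that the same course id in a different period does not resolve to last year's Moodle course.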

Problems with the login view

The SAML auth plugin replaces the login view: some code from the login/index.php view was copied and modified. If you find problems with the login view, you can disable the login view replacement. Edit auth/saml/auth.php and, in the loginpage_hook function, disable the following code:
        if (empty($CFG->alternateloginurl)) {
            $CFG->alternateloginurl = $CFG->wwwroot.'/auth/saml/login.php';
        }

Then edit login/index_form.html and insert before:

<!--

<h2><?php print_string("returningtosite") ?></h2> 

  -->

the following code


Screenshots

[Four screenshots (#0 to #3) accompany the original page.]

Contributors

Sixto Martin Garcia (Lead maintainer)

Comments

  • Germán and Temudgin
    Wed, Nov 7, 2012, 3:03 AM
    Hi Sixto,

    I have already uploaded the Mexican Spanish translations for enrol_SAML to AMOS. In 4 hours, once they have made it to http://download.moodle.org/langpack/2.3/, I will send them to the people in charge of international Spanish (Benito Arias and collaborators).

    But I think it would be a good idea for you to read the forum thread http://lang.moodle.org/mod/forum/discuss.php?d=2485 about how plugin translations are supposed to work.

    In short, according to the person in charge of AMOS, since 5 September 2012:

    "Good news! Almost all contributed plugins published in Moodle plugins directory have been imported into AMOS and are ready to be translated. As a part of MDLSITE-1836, changes were made on both AMOS and Plugins sites so that these two are now integrated.

    From now on, whenever a maintainer publishes a new version of their contributed plugin, strings are automatically sent via a web service to the AMOS. This process respects the supported Moodle version setting so the strings appear at the correct Moodle branch in AMOS.

    This works for new plugins that will be uploaded into Plugins in the future, too. With the exception that the strings appear in AMOS only after the plugin is approved as a part of its validation.

    This new mechanism works for all plugins that were uploaded into the Plugins directory and are written for Moodle 2.0 and higher. Contributed plugin maintainers are now encouraged to transfer all their current code to this new scheme:

    The plugin code itself should now contain just the English strings in the /lang/en folder.
    All other translations are to be maintained via AMOS and you as the plugin maintainer do not need to look after them any more! Translated strings for contributed plugins are part of the standard language packs generated by AMOS.
    If your plugin code currently contains some translation, you (as the plugin maintainer) should submit it as a contribution into AMOS prior to dropping it from your plugin's source code. AMOS stage page provides a form to upload strings from an existing PHP file. You are supposed to import all non-English string files you currently have shipped with your plugin (eg. /lang/cs/yourmodule.php) into the AMOS stage and then submit them to language pack maintainers.

    We believe that this new procedure will make translation of contributed plugins much easier than it has ever been - for both the plugin maintainer and translators, too.

    Should you have any questions regarding this new feature, do not hesitate to ask in AMOS support forum at this site.

    Thank you all for your great work on contributed plugins and their translations!"


    So I believe the right thing would be to remove all the translations from the ZIP file of all your plugins; of course, after checking that THEY ARE ALREADY AVAILABLE IN THE INTERNATIONAL SPANISH AND MEXICAN SPANISH LANGUAGE PACKS, WHICH YOU DOWNLOAD FROM http://download.moodle.org/langpack/2.3/

    If you need me to translate more strings (or to correct my mistakes), please send me a Moodle message or an e-mail at gvalero@unam.mx

    Greetings from Mexico
  • Germán and Temudgin
    Wed, Nov 7, 2012, 8:05 AM
    Hi Sixto,
    I have already sent the enrol_SAML.php translations to the people in charge of international Spanish.

    Greetings from Mexico
  • Dante Dinawanao
    Wed, Nov 7, 2012, 2:16 PM
    Hi, I just installed the SAML-AUTH plugin and it's working fine. I just want to know if there's a way to provide an alternative LOGOUT url into the plugin, instead of redirecting me back to the login page upon logout. Thanks!
  • Sixto Martin Garcia
    Wed, Nov 7, 2012, 4:29 PM
    @German
    Thanks, I added the lang issue to my TODO list.

    @Dante

    You can do a little hack: edit auth/saml/index.php, search for the if(isset($_GET['logout'])) line, delete the lines that follow it that try to define $urltogo, and set the $urltogo variable to the value you want.
  • albert verges
    Wed, Nov 14, 2012, 1:52 AM
    Hi Sixto,

    I have updated the saml plugin to version 2012110602 on a Moodle 2.3. Before that I had the version from 2011-02-28.

    With the update, the wantsurl parameter, which let me call Moodle and redirect the user to a given course after authentication, has stopped working: http://moodle.domi.nio/auth/saml/index.php?wantsurl=http://moodle.domi.nio/course/view.php?id=2631

    Looking at the plugin code, I see it does not expect any parameter to be passed. Is there a reason this parameter has disappeared? Can it be added back?

    Albert Vergés.
  • Sixto Martin Garcia
    Tue, Dec 4, 2012, 10:20 PM
    @albert verges The "wantsurl" functionality disappeared in 1.9.12
    If you need it, edit auth/saml/index.php and at line 83 add the following code:

        if (isset($_REQUEST['wantsurl'])) {
            $urltogo = $_REQUEST['wantsurl'];
        }

    [ before the line $pluginconfig = get_config('auth/saml'); ]
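The two-line patch above assigns the raw wantsurl request parameter to $urltogo, so anyone can craft a login link that sends the user to an arbitrary site after a successful SAML login (an open redirect). As an added example, not part of the plugin nor of the comment above, the following PHP function, with the assumed name safe_wantsurl, accepts the parameter only when it is an absolute URL on the same scheme, host and port as $CFG->wwwroot (and under its path, if Moodle lives in a subdirectory); anything else falls back to a default. It is written for the absolute-URL form of wantsurl used in the thread, so site-relative paths are rejected too.

```php
<?php
// Added example, not code from the auth/saml plugin: only follow a "wantsurl"
// that points back into this Moodle site. The function name is an assumption.

/**
 * Return $candidate if it is an absolute URL with the same scheme, host and
 * port as $wwwroot and a path under it; otherwise return $default.
 */
function safe_wantsurl($candidate, $wwwroot, $default) {
    if (!is_string($candidate) || $candidate === '') {
        return $default;
    }
    // CR/LF or other control characters could corrupt the Location header,
    // and browsers treat a backslash like a slash, which parse_url does not.
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $candidate)) {
        return $default;
    }
    $root = parse_url(rtrim($wwwroot, '/'));
    $url  = parse_url($candidate);
    if (!is_array($root) || !is_array($url)) {
        return $default;
    }
    // "http://moodle.example.com@evil.example/" is a classic way to fool
    // prefix checks: parse_url puts the site name in 'user'. Refuse credentials.
    if (isset($url['user']) || isset($url['pass'])) {
        return $default;
    }
    // Same origin: scheme and host must be present and equal (case-insensitive).
    foreach (array('scheme', 'host') as $part) {
        if (!isset($root[$part], $url[$part])
                || strtolower($root[$part]) !== strtolower($url[$part])) {
            return $default;
        }
    }
    // Ports must be given the same way (both absent, or both present and equal).
    $rootport = isset($root['port']) ? (int) $root['port'] : null;
    $urlport  = isset($url['port'])  ? (int) $url['port']  : null;
    if ($rootport !== $urlport) {
        return $default;
    }
    // If Moodle is installed in a subdirectory, stay inside that directory.
    $rootpath = isset($root['path']) ? rtrim($root['path'], '/') : '';
    $urlpath  = isset($url['path']) ? $url['path'] : '/';
    if ($rootpath !== '' && $urlpath !== $rootpath
            && strpos($urlpath, $rootpath . '/') !== 0) {
        return $default;
    }
    return $candidate;
}

// Use in auth/saml/index.php in place of the raw assignment from the thread
// ($CFG->wwwroot is Moodle's own site root setting):
//     if (isset($_REQUEST['wantsurl'])) {
//         $urltogo = safe_wantsurl($_REQUEST['wantsurl'], $CFG->wwwroot, $CFG->wwwroot);
//     }

// Constructed sample inputs for a stand-alone run.
$wwwroot = 'http://moodle.example.com';
foreach (array(
    'http://moodle.example.com/course/view.php?id=2631',  // same site
    'http://evil.example/phish',                           // other host
    'http://moodle.example.com@evil.example/',             // credentials trick
    '//evil.example/',                                     // protocol-relative, no scheme
    'javascript:alert(1)',                                 // non-http scheme
    "http://moodle.example.com/\r\nSet-Cookie: x=y",       // header injection attempt
) as $candidate) {
    echo json_encode($candidate), ' => ', safe_wantsurl($candidate, $wwwroot, $wwwroot), "\n";
}
```

The check is deliberately strict rather than clever: it compares parsed components instead of doing a string-prefix test, because prefix tests are exactly what the credentials and backslash tricks defeat. A URL that spells out the default port (http://host:80/) is rejected as well; that is a conservative side effect, not a bug.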
  • Rod
    Thu, Dec 6, 2012, 3:42 AM
    I see that you have already stated that simpleSAMLphp is required, but it would be good if you could please confirm that you must download and install simpleSAMLphp before attempting to configure this module. It is not included with this plugin.
  • Sixto Martin Garcia
    Thu, Dec 6, 2012, 5:00 AM
    @Rod Spears, simpleSAMLphp is required, as said at the title. You must install and configure it. I will include this note and provide links.
  • Robert Van Dell II
    Thu, Mar 14, 2013, 7:10 AM
    I'm stuck in a constant redirect loop between the Moodle server and my identity server. Both are using SimpleSAMLphp. I believe the problem is occurring on the Moodle plugin side because after receiving the encoded AuthResponse it redirects to /auth/saml/index.php even though my RelayState parameter is set to the root of the site. Any help?
  • Sixto Martin Garcia
    Thu, Mar 14, 2013, 6:40 PM
    @Robert Van Dell II It seems that you have a session problem. Try using memcache as your session handler at the simpleSAMLphp SP, and check that the session parameters in your simpleSAMLphp configuration are correct.
  • Adam Bradley
    Wed, Mar 27, 2013, 4:35 PM
    I'm trying to obtain the value of the SAML attribute "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" in custom_hook. It would appear that none of these work
    ---snip---
        else if (isset($saml_attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'])) {
            $saml_attributes['eduPersonPrincipalName'] = $saml_attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'];
        }
        else if (isset($saml_attributes['name'])) {
            // copy the short 'name' attribute that this branch tests for
            $saml_attributes['eduPersonPrincipalName'] = $saml_attributes['name'];
        }
        else if (isset($saml_attributes['NameID'])) {
            $saml_attributes['eduPersonPrincipalName'] = $saml_attributes['NameID'];
        }
    ---snip---
    Is there a trick?

    Thanks in advance!
    //Adam
  • Sixto Martin Garcia
    Wed, Mar 27, 2013, 6:21 PM
    Hi @adam,

    First of all, you can check which values the SP has received from the IdP. You can put a:

        print_r($saml_attributes); exit();

    In simpleSAMLphp there is a folder called "attributemap" where the mappings are defined. You may have to create a new file with your mapping.
    To use a custom mapping in simpleSAMLphp you must set a mapping filter:
    http://simplesamlphp.org/docs/stable/core:authproc_attributemap
  • Mike Jackson
    Thu, Apr 11, 2013, 1:21 AM
    I am not sure how/where to report a bug. We have just set up SAML authentication for our Moodle sites, but I have noticed that links to specific courses no longer work after logging in via SAML. It appears that the SSO is not passing the originally requested URL.
  • Mike Jackson
    Thu, Apr 11, 2013, 1:25 AM
    Another problem we have encountered is that the SAML authentication does not seem to work properly with the mobile theme. When users click on the SAML log in button, the button does not take one to the login page unless one does a long press and chooses new tab. Again, not sure where to report the problem other than here.