Maintained by Sixto Martin Garcia
SAML Authentication plugin based on the simpleSAMLphp software. (Also install the SAML Enrolment plugin if you want auto-enrolment based on SAML.)
522 sites
263 downloads
21 fans
Current versions available: 4

Donations

Donations are welcome to support the development of the plugin.

Moodle's SAML Plugin

Sponsors:

  • Mark Stewart - Moodle Administrator in New Zealand


Info of the plugin

This plugin adds SAML authentication support to Moodle.
If you need auto-enrolment based on SAML you need to install the SAML Enrolment Plugin too.


Prerequisites

Install a simpleSAMLphp instance on the same machine and configure it as a Service Provider.
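As an added example (not part of auth_saml and not simpleSAMLphp's shipped configuration), this is the shape of a minimal SP authsource and the matching remote IdP metadata that the prerequisite above refers to. Hostnames, entity IDs, key file names and the IdP certificate are placeholders; the option names are the ones documented for simpleSAMLphp's saml:SP authsource and saml20-idp-remote metadata, and because this page only states support for simpleSAMLphp >= 1.7 you should check them against the reference for the version you run.

```php
<?php
// Added example, not shipped with auth_saml or simpleSAMLphp. Two fragments
// that live in two different files of the simpleSAMLphp SP installation.
// All hostnames, entity IDs, file names and certificate data are placeholders.

// --- config/authsources.php ---------------------------------------------
// The array key ('moodle-sp') is the value to pick in the plugin's
// "SimpleSAMLphp SP source" setting; 'saml' in the first element is the
// authsource type, not the key.
$config = [
    'moodle-sp' => [
        'saml:SP',
        // Entity ID of this SP (simpleSAMLphp's default metadata URL form).
        'entityID' => 'https://moodle.example.edu/simplesaml/module.php/saml/sp/metadata.php/moodle-sp',
        // Pin the IdP this SP trusts; must match the key used in the metadata below.
        'idp' => 'https://idp.example.edu/simplesaml/saml2/idp/metadata.php',
        // SP key pair under cert/; needed to sign requests and to decrypt assertions.
        'privatekey'  => 'moodle-sp.pem',
        'certificate' => 'moodle-sp.crt',
        // Sign what this SP sends and require signatures on logout messages, so a
        // third party cannot forge a LogoutRequest and terminate users' sessions
        // (relevant once the plugin's "Single Log out" option is enabled).
        'sign.authnrequest' => true,
        'sign.logout'       => true,
        'validate.logout'   => true,
    ],
];

// --- metadata/saml20-idp-remote.php ---------------------------------------
// Keyed by the IdP's entity ID. Pin the IdP signing certificate here
// ('certData' is the base64 body of the PEM certificate with the header and
// footer lines removed) rather than the older 'certFingerprint' form.
$metadata['https://idp.example.edu/simplesaml/saml2/idp/metadata.php'] = [
    'SingleSignOnService' => 'https://idp.example.edu/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.example.edu/simplesaml/saml2/idp/SingleLogoutService.php',
    'certData'            => 'MIIC...placeholder base64 of the IdP signing certificate...',
];
```

With this in place, the plugin form's 'simpleSAMLphp Path' points at the lib directory of that installation (for example /var/simplesamlphp/lib) and 'SimpleSAMLphp SP source' is set to moodle-sp, the array key, not the authsource type.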

Install Instructions
1. Unpack this saml directory into the /auth/ directory as you would for any Moodle auth module (http://docs.moodle.org/en/Installing_contributed_modules_or_plugins).

2. Log in to Moodle as an administrator and activate the module by navigating to
Site administration->Plugins->Manage authentication->SAML Authentication

3. Give the web server user write permission on the auth/saml/saml_config.php file. Keep the file readable and writable by that user only, since the plugin stores its settings there.

Configuration
After installation the SAML plugin must be configured: go to "Settings" on the
"Manage Authentication" page, or go to Users > Authentication > SAML Authentication. These are the fields of the form:

  • simpleSAMLphp Path: the plugin will not work unless you specify the SAML library path. This is the library path of the simpleSAMLphp installation you want to use, for example: /var/simplesamlphp/lib
  • SimpleSAMLphp SP source: select the SP source you want to connect to Moodle. (Sources are defined at the simpleSAMLphp SP in /config/authsources.php.)
  • SAML username mapping: the SAML attribute that will be mapped to the Moodle username. By default this is 'mail'. Whatever attribute you choose is the key that ties an assertion to a Moodle account, so it must be one the IdP releases for every user and guarantees to be unique.
  • Single Log out: enable or disable single logout. This logs you out of Moodle, the identity provider and all connected service providers.
  • SAML Image: when you enable the SAML authentication plugin, a new button is shown on the Moodle login page that allows authenticating via SAML. By default the simpleSAMLphp image (something like a fish) is shown, but you can specify another one. Note: this image needs to exist on the server, as it is not possible to upload an image through the form right now.
  • SAML login description: you can also specify a description text for the previous button. It is shown below the SAML image on the Moodle login page.
  • Log file path: the absolute path of a file where the plugin will log information about its actions. Optional.
  • Hook file path: the absolute path of a file with PHP functions that will be called to alter the default behaviour of this plugin. See the file custom_hook.php for more information.
  • SAML support Courses: this select has three options:
    • No support (default value): the plugin will not enrol the user into courses automatically
    • Internal: the plugin will use an internal database table to map the courses in the next field to Moodle courses
    • External: the plugin will use a table in an external database to map the courses in the next field to Moodle courses
  • SAML courses mapping: the SAML attribute that is mapped to Moodle course data. By default it is 'schacUserStatus'.
  • Field used to identify a course: either the Short Name or the ID number; this is the Moodle field used to identify a course during the matching phase of the plugin.
  • Ignore inactive courses: if checked, the user stays in previously enrolled courses even if the status of the course is 'inactive' in the SAML attribute.
  • Data Mapping section: the Identity Provider (IdP) provides some user data such as first name, surname, email address, etc. In this section you specify the correspondence with the same data in Moodle. By default the configuration is:
    • First name = cn
    • Surname = sn
    • Email Address = mail
  • Course Mapping section: the course mapping section allows the administrator to link SAML courses and Moodle courses. To make it work we need to create an intermediate database in which to store this data. This database has the following structure:

    Field               Type         Null  Key  Default  Extra
    course_mapping_id   int(11)      NO    PRI  NULL     auto_increment
    saml_course_id      varchar(20)  NO         NULL
    saml_course_period  int(4)       NO         NULL
    lms_course_id       text         NO         NULL

    Once the database has been created, we need to specify the DSN (Data Source Name), which has the following syntax:
    • MySQL
      mysql://user:password@host/database_name
    • SQLite
      sqlite:///path/to/database/file
    • PostgreSQL
      postgres://user:password@host/database_name
    The DSN embeds the database credentials, so the account it names should have access to this mapping database only.
  • Below the database DSN field you can start entering course mappings between Moodle and SAML courses. No field may be empty: a mapping with an empty field is ignored and not saved. A duplicate course mapping is not saved either; you are returned to the form with an error. To delete a course mapping, check the box to its left and click the 'delete' button. Previously entered mappings can be updated at any time as long as the new data does not conflict with an existing mapping. Several mappings can be entered at once; click the '+' button on the right to add a row. If no errors occur while entering the mappings, you are redirected to the 'Manage Authentication' page as with any other field of the form.
In order to support course enrolment you must also install the SAML Enrolment plugin; otherwise set 'SAML support Courses' to 'No support'.
 

Internal Changes
The 'config.html' file was renamed to 'config.php' because it now contains PHP code. Two new files were created in the SAML plugin directory:
  • 'courses.php': contains the PHP code that renders the new 'Course mapping' table.
  • 'DBNewDatabase.php': contains a small function that creates a database connection, because opening a SQLite connection from a DSN appears to hit a bug.

In 'auth.php', 'validate_form' validates the form and stores the errors, and 'process_config' saves the data into the database when there are no errors. The 'sync_roles' function has also been modified to map roles and courses.

NOTES
These changes have been tested with simpleSAMLphp >= 1.7.

Important for enrolment!

This plugin assumes that the IdP sends the user's course data in an attribute whose name is configurable ('SAML courses mapping', 'schacUserStatus' by default), but the format of the expected data is fixed.

You can change this format by editing the file auth/saml/course_mapping.php.

Default pattern is:  <country> : <domain> : <courseId> : <period> : <role> : <status>
status can be 'active' or 'inactive';
courseId, period and role depend on the configuration of the mapping.
Example:  es:moodle.org:00001:2009-10:student:active

You may prefix it with the URN of your attribute. The default attribute for carrying course data is schacUserStatus, so you may prefix the string above with the related URN.
Example:
urn:mace:terena.org:schac:userStatus:es:moodle.org:00001:2009-10:student:active

If you use an attribute other than schacUserStatus, or you want to change the format of the course data, edit the course_mapping.php file.
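As an added example (not the plugin's own course_mapping.php, whose code this page does not show), the following PHP parses attribute values in the default format above, with or without the schacUserStatus URN prefix, and resolves them against rows shaped like the course_mapping table described in the Configuration section. The function names, the allowed-role list and the sample attribute values and table rows are assumptions made for this example. The point it makes: every field arrives inside the IdP's assertion, so role and status are checked against a whitelist and a value with the wrong number of fields is rejected outright rather than partially applied.

```php
<?php
// Added example, not part of auth_saml. Parses the course attribute format
// described above and resolves it against course_mapping rows. PHP 7.1+.

// URN prefix of the default attribute (schacUserStatus), as given above.
const COURSE_URN_PREFIX = 'urn:mace:terena.org:schac:userStatus:';

// Whitelists. The values come from the IdP assertion; only roles you have
// deliberately mapped may be accepted (assumed list for this example).
const ALLOWED_ROLES    = ['student', 'teacher'];
const ALLOWED_STATUSES = ['active', 'inactive'];

/**
 * Split one attribute value into its six fields.
 * Returns null for anything malformed instead of guessing at partial data.
 */
function parse_course_value(string $value): ?array {
    $value = trim($value);
    if (strncmp($value, COURSE_URN_PREFIX, strlen(COURSE_URN_PREFIX)) === 0) {
        $value = substr($value, strlen(COURSE_URN_PREFIX));
    }
    $parts = explode(':', $value);
    if (count($parts) !== 6) {
        return null;   // wrong shape: a stray ':' in any field would shift the mapping
    }
    [$country, $domain, $courseid, $period, $role, $status] = $parts;
    if ($courseid === '' || $period === '') {
        return null;
    }
    if (!in_array($role, ALLOWED_ROLES, true) || !in_array($status, ALLOWED_STATUSES, true)) {
        return null;   // unknown role or status: never map it to a Moodle role
    }
    return compact('country', 'domain', 'courseid', 'period', 'role', 'status');
}

/**
 * Resolve a parsed value to a Moodle course identifier (the lms_course_id
 * column) using rows shaped like the course_mapping table. Comparison is
 * done on the string form; the plugin's table declares saml_course_period
 * as int(4), so keep the period values you store consistent with that.
 */
function resolve_course(array $course, array $mapping_rows): ?string {
    foreach ($mapping_rows as $row) {
        if ((string)$row['saml_course_id'] === $course['courseid']
            && (string)$row['saml_course_period'] === $course['period']) {
            return (string)$row['lms_course_id'];
        }
    }
    return null;
}

// Constructed sample input: values as a multi-valued attribute might carry them.
$attribute_values = [
    'urn:mace:terena.org:schac:userStatus:es:moodle.org:00001:2009-10:student:active',
    'es:moodle.org:00002:2009-10:teacher:inactive',
    'es:moodle.org:00001:2009-10:admin:active',   // role not in the whitelist
    'es:moodle.org:00003:2009-10:student',        // status field missing
];
// Constructed sample rows in the shape of the course_mapping table.
$mapping_rows = [
    ['course_mapping_id' => 1, 'saml_course_id' => '00001', 'saml_course_period' => '2009-10', 'lms_course_id' => 'SEC101'],
    ['course_mapping_id' => 2, 'saml_course_id' => '00002', 'saml_course_period' => '2009-10', 'lms_course_id' => 'SEC102'],
];

foreach ($attribute_values as $v) {
    $c = parse_course_value($v);
    if ($c === null) {
        echo "rejected: $v\n";
        continue;
    }
    $lms = resolve_course($c, $mapping_rows) ?? '(no mapping)';
    echo "{$c['courseid']} {$c['period']} role={$c['role']} status={$c['status']} -> $lms\n";
}
```

Run it with php from the command line; the first two values resolve to their mapped course, the third is rejected because 'admin' is not a whitelisted role, and the fourth because it has only five fields.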


Problems with the login view

The SAML auth plugin replaces the login view: I had to copy some code from the login/index.php view and make some changes. If you find problems with the login view, you can disable the "login view replacement". Edit auth/saml/auth.php and, in the loginpage_hook function, disable the following code:
        if (empty($CFG->alternateloginurl)) {
            $CFG->alternateloginurl = $CFG->wwwroot.'/auth/saml/login.php';
        }

Then edit login/index_form.html and insert, before:

<!--

<h2><?php print_string("returningtosite") ?></h2> 

  -->

the following code


Screenshots

Four screenshots (images not reproduced here).

Contributors

Sixto Martin Garcia (Lead maintainer)


Comments

  • Shail Jai
    Wed, Apr 11, 2012, 3:27 PM
    Hi Sixto, I also want to know how I can add an IdP for Moodle in simpleSAML? This is very confusing for me.
  • Sixto Martin Garcia
    Wed, Apr 11, 2012, 8:32 PM
    Hi Shailesh Jai,
    The DSN setting is needed only if you are using an external database to store the mapping, and you configure it in the plugin configuration view; but you can use the internal database, and then the tables will be stored in the Moodle database.

    If you want to understand simplesamlphp, check how to configure an IdP here (http://simplesamlphp.org/docs/trunk/simplesamlphp-idp) and an SP here (http://simplesamlphp.org/docs/trunk/simplesamlphp-sp)
  • Shail Jai
    Tue, May 8, 2012, 5:19 PM
    Hi Sixto, first of all thanks for the reply, and sorry on my side for the delay in posting (this is because I lost all hope of using simpleSAML, it looks too tough)...
    I am getting the error "Invalid authentication source: saml" on the Moodle login page (in the case of simpleSAML) and the error "metadata not found" ... my files for adding metadata are ...
    1. in the authsource.php file:
    'example' => array(
        'saml:SP',
        'entityID' => 'http://172.16.1.113/simplesaml',
        'privatekey' => 'saml.pem',
        'certificate' => 'saml.crt',
        //'idp' => 'http://172.16.1.215:8085/eLearning/',
    ),

    2. in the IdP file:
    $metadata['http://172.16.1.113/simplesaml'] = array(
        'name' => 'myLMS',
        'description' => array(
            'en' => 'Authenticate with your identity from a school or university in Norway.',
        ),
        'SingleSignOnService' => 'http://172.16.1.113/simplesaml/saml2/idp/SSOService.php',
        'SingleLogoutService' => 'http://172.16.1.113/simplesaml/saml2/idp/SingleLogoutService.php',
        'certFingerprint' => '31:47:12:96:D7:91:D3:64:DA:3E:AD:2C:DE:A4:97:50:CE:92:F5:ED',
    );

    Can you please let me know where I am making a mistake?
  • Sixto Martin Garcia
    Thu, May 10, 2012, 8:14 PM
    @shailesh jai You must configure the 'SimpleSAMLphp SP source' parameter. Select the SP source you want to connect to Moodle. (Sources are at the SP of simpleSAMLphp in /config/authsources.php.)

    So you have to use 'example' instead of 'saml'.

    After that, if you get the "metadata not found" error, take a look at how to set the metadata on the IdPs and SPs:
    * http://simplesamlphp.org/docs/1.9/simplesamlphp-idp#section_6
    * http://simplesamlphp.org/docs/1.9/simplesamlphp-sp#section_2
  • Paul Martin
    Tue, Aug 7, 2012, 9:54 AM
    Sixto,

    First off, let me say thanks for wrapping this code up into a proper Moodle 2.x authentication plugin.

    That said, I've got an implementation question, and I think I've just been staring at the code too long and I'm missing something bleedingly obvious. Our users are managed via the LDAP sync tool, so the "auth" method for all of our users is either "manual" (for admins and such) or "ldap". Since they're all flagged as "ldap", the saml plugin doesn't recognize them unless I go through and change them in the database from "ldap" to "saml" after the LDAP sync runs. This isn't difficult, but it feels...hacky. Is there somewhere in your plugin that I can have it recognize LDAP users as valid? Maybe a custom hook?

    Also, have you considered using git or Github for code hosting? It would (probably) fit into a lot of peoples' workflows a bit better than CVS since a good number of plugins have migrated to using git.

    Either way, thanks again.
  • Finton Paul
    Sun, Aug 12, 2012, 1:47 AM
    I am using Moodle 2.3.
    I am in dire need of help configuring this plugin. I've installed the authentication as well as the enrolment plugins but don't know what to do, particularly when faced with the task of configuring the authentication plugin.
    I am hosting with hostek.com and at this time I'm unclear as to the creation of the DB. Is that necessary at all? Also, the path to the lib(rary) is a bit of a challenge to identify.

    I merely wanted users to be able to auto-enrol based on SAML
  • Glenn Wearen
    Mon, Sep 10, 2012, 6:25 PM
    I have this working on mysite/auth/saml. I expected the default login user/pass block on the Moodle front page to show the logo containing the auth/saml login link, but no. Also, the 'Login' link on the top right invokes the default user login page; again, there is no link for SAML login?
  • Glenn Wearen
    Mon, Sep 10, 2012, 11:01 PM
    Found the answer to my question in the README.
  • Teddy Aprilianto
    Mon, Nov 5, 2012, 4:11 PM
    Hi,

    Playing with this plugin now .. but I got an error like this (Moodle 2.3.2+, debugging mode enabled):

    Debug info: Argument 1 passed to check_user_preferences_loaded() must be an instance of stdClass, boolean given, called in /www/webapps/moodle-rep/lib/moodlelib.php on line 1885 and defined
    Error code: codingerror
    Stack trace:

    line 397 of /lib/setuplib.php: coding_exception thrown
    line 1639 of /lib/moodlelib.php: call to default_error_handler()
    line 1885 of /lib/moodlelib.php: call to check_user_preferences_loaded()
    line 8685 of /lib/moodlelib.php: call to get_user_preferences()
    line 651 of /lib/pagelib.php: call to get_user_device_type()
    line 732 of /lib/pagelib.php: call to moodle_page->magic_get_devicetypeinuse()
    line 1488 of /lib/pagelib.php: call to moodle_page->__get()
    line 1438 of /lib/pagelib.php: call to moodle_page->resolve_theme()
    line 1444 of /lib/setuplib.php: call to moodle_page->initialise_theme_and_output()
    line 23 of /auth/saml/error.php: call to bootstrap_renderer->__call()
    line 23 of /auth/saml/error.php: call to bootstrap_renderer->header()
    line 179 of /auth/saml/index.php: call to saml_error()

    Any idea about it ??

    Thanks
    Teddy

  • Sixto Martin Garcia
    Mon, Nov 5, 2012, 11:30 PM
    @Teddy

    There is an error in the view that renders errors in saml (saml/error.php line 23, the $OUTPUT->header()).

    You can't see your real problem because the error template in saml has an error itself. I will fix it as soon as possible.

    It seems to be an error with the error template view of the saml plugin. I will fix it as soon as possible.

    Notice that your real problem is located at line 179 of auth/saml/index.php. Probably the authenticate_user_login function is failing.
  • Sixto Martin Garcia
    Tue, Nov 6, 2012, 3:19 AM
    @Teddy
    I released a new version of the auth_saml plugin. Check whether the changes fix your problem.
  • Teddy Aprilianto
    Tue, Nov 6, 2012, 10:16 AM
    Hi Sixto,

    Thank you for the fast response .... Seems almost there ....

    I have a question: does this plugin still involve manual auth, authenticating username and password? /auth/manual/auth.php?

    I got an error like this: "Error in authentication process of taprilianto" (taprilianto is my username in my Moodle).

    Then what I did was:

    In /auth/manual/auth.php line 57, function user_login($username, $password)

    The script below
    if (!validate_internal_user_password($user, $password)) {
        return false;
    }

    I modified (disabled return false):

    if (!validate_internal_user_password($user, $password)) {
        //return false;
    }

    Then saml authentication worked fine .


    Any idea? Or any clue what's wrong with this? Or maybe something wrong in the file /login/index.php that I should check?

    Thanks
    Teddy
  • Sixto Martin Garcia
    Tue, Nov 6, 2012, 10:41 PM
    @Teddy

    No idea about the error in the process that you got; the saml auth plugin is compatible with the manual auth plugin and I have it working on several machines with manual and saml auth enabled, and no hacks were needed on the manual auth.

    I uploaded a new version of the plugin. The SAML auth plugin replaces the login view; I had to copy some code from the login/index.php view and make some changes.

    If you see problems on the login view, check the notes I wrote in the plugin description.
  • Germán and Temudgin
    Wed, Nov 7, 2012, 1:37 AM
    Hello Sixto,

    Sorry I didn't notice that you are Spanish. I made the blunder of translating the auth_SAML plugin strings from the original English into Mexican Spanish and sent those same phrases to the maintainers of international Spanish. This was because no Spanish translation was available in AMOS (http://lang.moodle.org).

    In the Mexican Spanish 2.3 language pack at http://download.moodle.org/langpack/2.3/ there is the file auth_saml.php with the translations mentioned.

    I would be grateful if you could take a look at it.
    I hope I haven't made too many blunders; I would have to correct them soon.

    Note: in Mexico we use "autenticar", whereas in Spain it seems "identificar" is used to translate the English "authenticate".

    Greetings from Mexico and thanks in advance for your help.
  • Sixto Martin Garcia
    Wed, Nov 7, 2012, 2:02 AM
    @German Valero

    Added the es_mx lang. Now I'm waiting for the translation of the enrol_saml plugin.