SAML Identity Provider

Authentication ::: auth_samlidp
Maintained by Enovation Dev Team
This is a plugin that makes Moodle an Identity Provider site: other application can use Moodle as a login portal. Requires SimpleSAMLphp, configured as IdP: https://simplesamlphp.org/docs/stable/simplesamlphp-idp.
Latest release:
108 sites
35 downloads
9 fans
Current versions available: 2

This is a plugin that makes Moodle an Identity Provider site: other application can use Moodle as a login portal.

Requires SimpleSAMLphp, configured as IdP: https://simplesamlphp.org/docs/stable/simplesamlphp-idp.

ATTENTION: SimpleSAMLphp's session store (config/config.php, 'store.type') MUST BE "sql" - "phpsession" will not work, "memcache" is not tested.
ATTENTION: SimpleSAMLphp's baseurlpath (config/config.php, 'baseurlpath') MUST BE in the full URL format.

This instruction describes the situation, when we have two Moodle instances and use one of them as Identity Provider (IdP) server and another as Service Provider (SP). In our example we have:

  • samlsp.enovation.lan as Service Provider (SP)
  • idp.enovation.lan as Identity Provider(IDP)

First of all, you need to install Simple SAMLphp according to its instructions and locate it in the folder near IPD site installation directory. Since these must be on the same physical server.


In SimpleSAMLphp, add the plugin's ./moodle directory to SimpleSAMLphp' /modules directory.

Use standard Moodle installation mechanism to install the plugin to auth/samlidp on idp.enovation.lan.

In config/config.php configure session datastore:

    'store.type'         => 'sql',
    'store.sql.dsn'      => 'mysql:dbname=idp_moodle31;host=localhost',
    'store.sql.username' => 'your_db_username',
    'store.sql.password' => 'your_db_password',
    'store.sql.prefix' => 'SimpleSAMLphp',

As one of the possible options please use Moodle DB credentials. SQLite should also work.

In SimpleSAMLphp config/authsources.php, add following to $config var:

'moodle-userpass' => array(
    'moodle:External',
    'moodle_coderoot' => '/var/www/ticket/moodle314/www',
    'logout_url' => 'https://idp.enovation.lan/auth/samlidp/logout.php', // plugin's logout page
    'login_url' => 'https://idp.enovation.lan/login/index.php', // standard Moodle login page
    'cookie_name' => 'MoodleSAMLIDPSessionID',
)

In SimpleSAMLphp, in metadata/saml20-idp-hosted.php, modify 'auth' with the name from previous step:

'auth' => 'moodle-userpass'

Now lets config the plugin in Moodle:
Go to Site administration -> Plugins -> Authentication -> SAML Identity Provider and set two parameters:
SimpleSAMLphp installation directory: /opt/vhosts/idp.enovation.lan/www-simplesamlphp
Auth source: moodle-userpass - the string from two previous steps.

Lets configurate SP samlsp.enovation.lan. Download SAML2 plugin and install it (https://moodle.org/plugins/auth_saml2). Go to Site administration -> Plugins -> Authentication ->SAML2 and set parameters. Some of them are described below:

  • IdP metadata xml - copy metadata from idp.enovation.lan/idp_simplesaml/saml2/idp/metadata.php?output=xhtml
  • Idp label override - any string for display the link on logging page for using SAML IdP logging.
  • IdP to Moodle mapping - it is better to map users by email. If you use user id it can cause conflicts between two systems.
  • Data mapping - describe how to match data from idp.enovation.lan to samlsp.enovation.lan
  • SP metadata - allow you to download SP metadata. Download it and convert to php format - use metada converter: http://idp.enovation.lan/idp_simplesaml/admin/metadata-converter.php. Converted code put in opt/vhosts/idp.enovation.lan/www-simplesamlphp/metadata/saml20-sp-remote.php

Now you can test the logging via SAML_IdP plugin. Create a new user or use existing idp.enovation.lan. Go to samlsp.enovation.lan login page and choose the SAML2 option. Enter username and password of a user from idp.enovation.lan and log in. After logging in the user will be added do samlsp.enovation.lan. That's all.

KNOWN ISSUES

  1. If a user logs out from Moodle, it will not log them out from their SP application. The logout process is one-directional, from the SP app to Moodle


Potential privacy issues

If a user logs out from Moodle, it will not log them out from their SP application. The logout process is one-directional, from the SP app to Moodle

Screenshots

Screenshot #0
Screenshot #1
Screenshot #2
Screenshot #3
Screenshot #4
Screenshot #5
Screenshot #6
Screenshot #7
Screenshot #8
Screenshot #9

Contributors

Enovation Dev Team (Lead maintainer)
Please login to view contributors details and/or to contact them

Comments RSS

Show comments
  • Greg B
    Wed, Mar 2, 2022, 2:36 PM
    Thanks Enovation team. For what it is worth.. I managed to downgrade the PHP to 7.4, and also installed Moodle 3.9 next to my 3.11, and had the same issue, with same output.. Will continue to work on it..
  • Enovation Dev Team
    Thu, Mar 3, 2022, 6:28 PM
    "User not authenticated after login page" usually means issues with a session and/or cookies. I'd recommend to double check cookies on both Moodle and SimpleSAMLphp sides - for any anomalies, whether the protocol matches, paths are correct, etc
  • Enovation Dev Team
    Thu, Mar 3, 2022, 7:08 PM
    Hi Greg,

    The newest Moodle 3.11 does not officially support php8, therefore we will not be doing any upgrades to the plugin as of the moment
  • Greg B
    Tue, Mar 8, 2022, 2:33 PM
    Thanks Enovation Team!

    I'm still working through this, using Moodle 3.9.12+, PHP 7.4 and Apache 2.4.52, admittedly on Windows.. but still coming unstuck..

    3 cookies get set:
    - SimpleSAMLSessionID (/simplesaml/)
    - MoodleSession (/moodle39/)
    - PHPSESSID (/)


    Windows Server structure:
    - D:\Apache24/htdocs/moodle39
    - D:\Apache24/var/simplesamlphp
    (Apache has an alias for /simplesaml from "D:/Apache24/var/simplesamlphp/www", do https://myMoodle/simplesaml works. )

    Moodle plugin settings:
    - SimpleSAMLphp installation directory: /var/simplesamlphp
    - AuthSource: moodle-userpass

    SimpleSAML config:
    - followed all config steps, and double-checked against your screen grabs
    - extract of authsources.php:
    'moodle-userpass' => array(
    'moodle:External',
    'moodle_coderoot' => '/htdocs/moodle39',
    'logout_url' => 'https://MyMoodle/moodle39/auth/samlidp/logout.php', // plugins logout page
    'login_url' => 'https://MyMoodle/moodle39/login/index.php', // standard Moodle login page
    'cookie_name' => 'MoodleSession',
    ),

    If I set (above) cookie_name to anything other than "MoodleSession", the cookie remains.
    - If it is set to "MoodleSession", then the cookie gets deleted
    - So I assume the configuration is correct (SimpleSAMLPHP and/or plugin is delete the original Moodle cookie, as a kind of clean-up).

    I don't understand why I am still not getting anything useful, and still getting "User not authenticated after login page."
    I have tried toggling "httpOnly", "isSecure" and "isSession" on the cookies, but so far have still not managed to get this..
    Has anyone else on Apache and Windows had this issue?
    I'd really appreciate some additional input, if possible.
    Should I downgrade further to an older Apache, Moodle, or anything?

    Thanks in advance!
  • Enovation Dev Team
    Tue, Mar 8, 2022, 4:18 PM
    we also have no experience with Windows, the plugin was developed and tested on Linux
    the only obvious thing is PHPSESSID - it should not be set (neither Moodle nor SimpleSAMLphp is supposed to set it). Maybe it's worth finding out, and eliminating
    a side note - "MoodleSession" should be deleted, that's a correct behaviour
  • Greg B
    Wed, Mar 9, 2022, 5:57 AM
    thanks so much for the pointers! I'll keep digging..
  • Greg B
    Fri, Mar 18, 2022, 1:30 PM
    I've continued to play with this (still Windows 2012, Apache 2.4, PHP7.4, Moodle 3.9+, SimpleSAMLPHP 1.19.5), and have determined:
    - Launch SimpleSAMLPHP, and click to test Moodle-pass
    - At this stage, a SimpleSAMLSessionID cookie exists.
    - On clicking seeing the Moodle logon screen:
    = a 2nd cookie is created (MoodleSession). It has the same contents as the filename (just a string of characters)

    On submitting a valid ID and password into Moodle..
    - I am re-directed back to the SimpleSAML screen, with the error mentioned in previous posts: "User not authenticated after login page."
    = I notice the original cookie was deleted, and a new one is created (you have said this is correct behavior)
    = the new cookie (obviously) has a different name to the first
    = this new cookie has contents that are the same as the cookie name (both are (egsmile "2n4490st7nk8orrq61lsr47b2m")

    - I created a debug line, in the simplesamlphp\modules\moodle\lib\Auth\Source\Exteral.php
    = In "private function getUser()",
    = immediately after the line "$arr_cookie = explode(':', $str_cookie);"

    - the debug line is: "throw new SimpleSAML\Error\BadRequest('Cookie:' . $str_cookie . ' - ' .json_encode($arr_cookie));"
    = in theory I should get both the cookie name and the (exploded) string it contains.

    It reports (eg):
    - SimpleSAML\Error\BadRequest: BADREQUEST('%REASON%' => 'Cookie:2n4490st7nk8orrq61lsr47b2m - ["2n4490st7nk8orrq61lsr47b2m"]')

    The contents don't explode to anything useful..
    Is it possible the cookie is not being populated correctly in auth/samlidp/auth.php , or that the exploding is not working?

    Still working on it, but hoping that based on this, you may have some thoughts..
    (Thanks again, once more in advance for your time.)
  • Enovation Dev Team
    Sat, Mar 19, 2022, 6:03 AM
    Hi Greg,

    I re-tested the plugin today with Moodle 3.10, works smoothly with the 1st attempt. no issues.. But again I'm on Linux, that can make the difference

    Re your debug:
    - We're working ONLY with the MoodleSAMLIDPSessionID cookie, it is set in {simplesamlphp dirroot}/config/authsources.php in: 'cookie_name' => 'MoodleSAMLIDPSessionID'. Do you have this part (config/authsources.php) done correctly? All other cookies are unrelated to our case
    - you've got the wrong content of the cookie. It must be splittable by ':', and it should be sth like '7f949b31a7d61e6db03399cf8fedc69ccc4bc972:2' (decoded), where the value "2" after ":" is the direct Moodle user ID. Additionally: for the 1st part hash_hmac('sha1') is used and that should not produce a string containing chars above "f"
    - " this new cookie has contents that are the same as the cookie name" is very wrong, as i said - we're working only with "MoodleSAMLIDPSessionID"
    - the cookie is set in {moodle rootdir}/auth/samlidp/auth.php in "private function set_cookie ($user)". Can you debug there and see what goes wrong? By printing out every value used to create the cookie, including the cookie name. Frankly looking at the code i don't see how it's possible the cookie does not contain ":", even if setting $uid fails
  • Greg B
    Mon, Mar 21, 2022, 8:31 AM
    Thank-you, that's very helpful. I'll get back to you.
  • Ronald Vyhmeister
    Sat, May 14, 2022, 4:53 AM
    Will you be making this available for Moodle 4.0? If so, any time estimate?
  • Enovation Dev Team
    Fri, May 27, 2022, 10:19 PM
    Hi Ronald,

    We just added an updated version, it should be fully compatible with Moodle 4.0
    In fairness, there is not much change over the previous version. The next update for the plugin will be most probably the support for php8 - but as long as your server runs php7 the plugin should work with any Moodle version
  • Ioannis Calemis
    Fri, Nov 25, 2022, 6:55 PM
    I am trying to use the plugin between two moodle systems - 4.0 as IDP kai 3.10 as SP. I set up everything as shown above. But when I try to login, I get the following:
    - Click the button on moodle 3.11 (SP) to log with moodle 4.0 (IDP)
    - Redirects me to login page of moodle 4.0 (IDP)
    - I log with data from moodle 4.0 (IDP)
    - Redirects me to moodle 4.0 logged
    - I return to the address of 3.11 and no logged user there
    Is something that I am doing wrong? I can provide more data if needed
  • Enovation Dev Team
    Fri, Nov 25, 2022, 7:04 PM
    Hi Ioannis,

    Your symptoms look like not enabled auth plugin in Moodle 4.0 - can you please verify there? in Site adm -> Plugins -> Authentication -> manage authentication
  • Ioannis Calemis
    Fri, Nov 25, 2022, 7:21 PM
    Yes that was the problem! I am getting the following problem: You have successfully logged in as '*****' but do not have a Moodle account. (on SP) I have added allow create on auth_saml2 and datamapping username + update local on create but I still get it
  • Enovation Dev Team
    Fri, Nov 25, 2022, 7:37 PM
    does '*****' correctly represent your user?

    generally that error does mean Moodle SP does not create new accounts, and allowing creating in auth_saml2 should fix the issue

    to check if user attributes come from IdP you'd need to go to (on SP!):
    Site adm -> Plugins -> Authentication -> Manage authentication
    and there "Test settings" against SAML2, then login to IdP from that page

    If the result page displays a correct set of user attributes, it means the SAML IdP plugin works OK and the issue is on the auth_saml2 side
1 2 3
Please login to post comments