Moodle Plugins directory: SAML Identity Provider: Versions: 2017031400 | Moodle.org
SAML Identity Provider
Authentication ::: auth_samlidp
Maintained by
Enovation Dev Team
This is a plugin that makes Moodle an Identity Provider site: other application can use Moodle as a login portal.
Requires SimpleSAMLphp, configured as IdP: https://simplesamlphp.org/docs/stable/simplesamlphp-idp.
SAML Identity Provider 2017031400
Moodle 3.1, 3.2, 3.3, 3.4
Released: Monday, 30 April 2018, 8:59 PM
ATTENTION: SimpleSAMLphp's session store (config/config.php, 'store.type') MUST BE "sql" - "phpsession" will not work, "memcache" is not tested.
ATTENTION: SimpleSAMLphp's baseurlpath (config/config.php, 'baseurlpath') MUST BE in the full URL format.
These instructions describe the situation where we have two Moodle instances and use one of them as the Identity Provider (IdP) server and the other as the Service Provider (SP). In our example we have:
* samlsp.enovation.lan as Service Provider (SP)
* idp.enovation.lan as Identity Provider (IdP)
First of all, you need to install SimpleSAMLphp according to its instructions and place it in a folder next to the IdP site's installation directory.
Use the standard Moodle installation mechanism to install the plugin into auth/samlidp on idp.enovation.lan.
In config/config.php configure the session datastore:
One possible option is to use the Moodle DB credentials. SQLite should also work.
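The two ATTENTION requirements above and the datastore step come together in SimpleSAMLphp's config/config.php. The fragment below is an added example, not from the plugin page or the plugin's own code; it shows only the relevant keys (merge them into the existing $config array), and the DSN, DB credentials and the /idp_simplesaml/ path are assumptions/placeholders.

```php
<?php
// Added example: relevant keys of SimpleSAMLphp config/config.php on idp.enovation.lan.
// Merge into the existing $config array; credentials and paths are placeholders.
$config = array(
    // baseurlpath MUST be a full URL (scheme + host + path), not a relative path.
    'baseurlpath' => 'https://idp.enovation.lan/idp_simplesaml/',

    // store.type MUST be "sql": "phpsession" does not work with this plugin,
    // "memcache" is untested. Reusing the Moodle DB is one option.
    'store.type'         => 'sql',
    'store.sql.dsn'      => 'mysql:host=localhost;dbname=moodle',   // assumed DSN
    'store.sql.username' => 'moodleuser',                            // placeholder
    'store.sql.password' => 'CHANGE_ME',                             // placeholder
    // Table prefix keeps SimpleSAMLphp's session tables apart from Moodle's.
    'store.sql.prefix'   => 'simpleSAMLphp',

    // SQLite alternative (replace the mysql DSN above; keep the file outside the web root):
    // 'store.sql.dsn' => 'sqlite:/opt/vhosts/idp.enovation.lan/www-simplesamlphp/data/sessions.sqlite',
);
```

After saving, the IdP's metadata URL (idp.enovation.lan/idp_simplesaml/saml2/idp/metadata.php) should render with absolute endpoint URLs; relative ones indicate baseurlpath is still wrong.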
In SimpleSAMLphp config/authsources.php, add the following entry to the $config array:
    'moodle-userpass' => array(
        'moodle:External',                                                     // auth module shipped with this plugin
        'moodle_coderoot' => '/var/www/ticket/moodle314/www',                  // Moodle code root on the IdP host
        'logout_url' => 'https://idp.enovation.lan/auth/samlidp/logout.php',  // plugin's logout page
        'login_url' => 'https://idp.enovation.lan/login/index.php',           // standard Moodle login page
        'cookie_name' => 'MoodleSAMLIDPSessionID',                             // cookie shared between Moodle and SimpleSAMLphp
    ),
In SimpleSAMLphp, in metadata/saml20-idp-hosted.php, modify 'auth' with the name from previous step:
'auth' => 'moodle-userpass'
Now let's configure the plugin in Moodle:
Go to Site administration -> Plugins -> Authentication -> SAML Identity Provider and set two parameters:
SimpleSAMLphp installation directory: /opt/vhosts/idp.enovation.lan/www-simplesamlphp
Auth source: moodle-userpass - the string from the two previous steps.
Let's configure the SP samlsp.enovation.lan. Download the SAML2 plugin and install it (https://moodle.org/plugins/auth_saml2). Go to Site administration -> Plugins -> Authentication -> SAML2 and set the parameters. Some of them are described below:
* IdP metadata XML - copy the metadata from idp.enovation.lan/idp_simplesaml/saml2/idp/metadata.php?output=xhtml
* IdP label override - any string to display as the link on the login page for logging in via the SAML IdP.
* IdP to Moodle mapping - it is better to map users by email. If you use the user id it can cause conflicts between the two systems.
* Data mapping - describes how to map user data from idp.enovation.lan to samlsp.enovation.lan
* SP metadata - lets you download the SP metadata. Download it and convert it to PHP format using the metadata converter: http://idp.enovation.lan/idp_simplesaml/admin/metadata-converter.php. Put the converted code in /opt/vhosts/idp.enovation.lan/www-simplesamlphp/metadata/saml20-sp-remote.php
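For the last item, the converter emits a PHP entry keyed by the SP's entity ID. The block below is an added example of what that entry in saml20-sp-remote.php looks like, not the page's or the plugin's own code; the entity ID, endpoint paths, certificate and attribute names are placeholders (take the real values from the converter output), and the hardening keys at the end are SimpleSAMLphp options added beyond what the converter produces.

```php
<?php
// Added example: one SP entry in metadata/saml20-sp-remote.php on idp.enovation.lan.
// Entity ID, endpoints and certificate are placeholders; copy the real ones from
// the metadata converter output for samlsp.enovation.lan.
$metadata['https://samlsp.enovation.lan/auth/saml2/sp/metadata.php'] = array(
    'AssertionConsumerService' => array(
        array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://samlsp.enovation.lan/auth/saml2/sp/saml2-acs.php/samlsp.enovation.lan',
            'index'    => 0,
        ),
    ),
    'SingleLogoutService' => array(
        array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://samlsp.enovation.lan/auth/saml2/sp/saml2-logout.php/samlsp.enovation.lan',
        ),
    ),
    // SP signing certificate from its metadata (base64 DER, no PEM header/footer).
    'certData' => 'MIIC...PLACEHOLDER...',

    // Hardening beyond the converter output: accept only signed AuthnRequests
    // and logout messages from this SP, and sign the assertions sent to it,
    // so an unsigned request cannot impersonate the SP or trigger logouts.
    'validate.authnrequest' => true,
    'validate.logout'       => true,
    'saml20.sign.assertion' => true,

    // Release list used by the core:AttributeLimit filter when that filter is
    // enabled on the IdP; assumed attribute names, matched to the SP's
    // "Data mapping" (email is the recommended IdP-to-Moodle mapping key).
    'attributes' => array('email', 'firstname', 'lastname', 'username'),
);
```

One entry per SP: if a second SP is added later, it gets its own $metadata[...] entry keyed by its own entity ID rather than a copy of this one.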
Now you can test logging in via the SAML IdP plugin. Create a new user on idp.enovation.lan or use an existing one. Go to the samlsp.enovation.lan login page and choose the SAML2 option. Enter the username and password of a user from idp.enovation.lan and log in. After logging in, the user will be added to samlsp.enovation.lan. That's all.
KNOWN ISSUES
1. If a user logs out from Moodle, it will not log them out from their SP application. The logout process is one-directional, from the SP app to Moodle.
Version information
- Version build number
- 2017031400
- Maturity
- Unknown
- MD5 Sum
- 3edb7c01e7b64e5c55e706dfb820808b
- Supported software
- Moodle 3.1, Moodle 3.2, Moodle 3.3, Moodle 3.4
- Latest release for Moodle 3.1
- Latest release for Moodle 3.2
- Latest release for Moodle 3.3
- Latest release for Moodle 3.4
Version control information
- Version control system (VCS)
- GIT
- VCS repository URL
Default installation instructions for plugins of the type Authentication
- Make sure you have all the required versions.
- Download and unpack the module.
- Place the folder (eg "myauth") in the "auth" subdirectory.
- Visit http://yoursite.com/admin to finish the installation