SSO Login

Local plugins ::: local_ssologin
Maintained by Richard Guedes
This plugin allows single sign-on (SSO) authentication in Moodle from an external system. The login data is encrypted with AES-256-CBC and authenticated with an HMAC-SHA256 tag, protecting its confidentiality and integrity in transit.
Latest release:
17 sites
83 downloads
2 fans
Current versions available: 2

SSO Login

Short Description

A highly secure, token-based Single Sign-On (SSO) authentication plugin that seamlessly integrates Moodle with external systems using AES-256-CBC encryption and HMAC-SHA256 signatures.


Full Description

SSO Login is a robust local Moodle plugin designed to provide seamless and secure Single Sign-On (SSO) authentication from external platforms (such as custom portals, CRMs, or corporate intranets). Built with security as its primary focus, it follows an Authenticate-then-Decrypt design (the encrypt-then-MAC pattern): the HMAC over the encrypted token is verified before anything is decrypted, so a tampered or forged token is rejected before it ever reaches the cipher.

Whether you are looking to automatically provision users on the fly, synchronize profile fields, or just provide a frictionless login experience, this plugin provides all the necessary tools while maintaining strict adherence to Moodle’s core APIs and coding standards.

🌟 Key Features

  • Advanced Cryptography: Utilizes AES-256-CBC for payload encryption and HMAC-SHA256 for message authentication. The "signature" is a symmetric MAC, so the external system and Moodle hold the same secret and either side could mint a valid token; the shared secret must be protected like a password.
  • Just-In-Time (JIT) Provisioning: Automatically creates Moodle user accounts on their first SSO login if they do not already exist.
  • Profile Synchronization: Keeps user data (name, email, city, country, etc.) up-to-date automatically upon every login.
  • Smart Account Linking: Falls back to linking by email address when the username is not found, preventing duplicate accounts. Because Moodle trusts the external system's assertion, the email it sends must be authoritative: whoever controls the external system (or its shared secret) can log in as any Moodle account whose email they assert.
  • Legacy Compatibility Mode: Allows for a smooth transition from older, less secure integrations to the new 2.0 security architecture without breaking existing flows.
  • Developer Friendly: Easy to implement on the external system side with provided code examples for PHP, Python, and Java.

🛡️ Uncompromising Security & Compliance

  • Authenticate-then-Decrypt: The HMAC tag is verified before any decryption occurs, so a modified ciphertext never reaches the unpadding step and an attacker is given no padding oracle to exploit (this holds as long as the tag covers the IV together with the ciphertext).
  • Timing Attack Resistance: Uses hash_equals() for constant-time tag comparison, so the time taken to reject a bad tag does not reveal how many leading bytes matched.
  • Replay Attack Protection: Implements a strict, database-backed single-use nonce system. The token travels in a URL, which can end up in browser history and in proxy or web-server logs; the nonce ensures a captured URL cannot be reused, even within its validity window.
  • Clock-Skew Validation: Rejects tokens whose timestamp is older than the configured expiry and also tokens dated too far in the future, so a token cannot be pre-dated to extend its lifetime.
  • GDPR Compliant: Fully implements Moodle's Privacy API. No personal data is stored by the plugin beyond temporary, anonymous nonces.
  • Code Quality: 100% compliant with Moodle CodeSniffer (PSR-12) and thoroughly tested for CI/CD pipelines.

⚙️ How It Works

  1. Your external system builds a JSON payload containing the user's data (username, email, profile fields) plus the current timestamp and a fresh random nonce.
  2. The payload is encrypted with AES-256-CBC under a key derived from the shared secret (CBC requires a fresh random IV for every token).
  3. An HMAC-SHA256 tag is computed over the encrypted string.
  4. The user is redirected to Moodle with the encrypted data and the tag in the URL.
  5. Moodle verifies the tag (rejecting the request if it does not match), decrypts the payload, validates the timestamp and the single-use nonce, provisions or synchronizes the user, and logs them in.
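The flow above, end to end, as an added example that is not the plugin's own code: the external-system side builds the redirect URL, and a model of the Moodle-side check verifies it in the authenticate-then-decrypt order. The token layout (base64 of IV || ciphertext, hex HMAC over the same bytes), the HKDF split of the shared secret into separate encryption and MAC keys, the query parameter names data and sig, the login endpoint path, the in-memory nonce store and the sample user are all assumptions made for this example; the real plugin's wire format is whatever its provided integration samples specify.

```php
<?php
declare(strict_types=1);
// Added example, not local_ssologin's code. Assumed token format:
//   data = base64( IV || AES-256-CBC(enc_key, IV, JSON payload) )
//   sig  = hex( HMAC-SHA256(mac_key, IV || ciphertext) )
// The page only says the key is "derived from a shared secret"; HKDF with two
// labels is this example's choice so that encryption and MAC keys differ.
const SSO_SECRET = 'replace-with-the-shared-secret-shown-in-moodle-settings'; // constructed
const SSO_EXPIRY = 300; // seconds; plays the role of the "Token Expiry" setting

function sso_keys(string $secret): array {
    return [
        hash_hkdf('sha256', $secret, 32, 'sso-login-encrypt'),
        hash_hkdf('sha256', $secret, 32, 'sso-login-mac'),
    ];
}

// External-system side: produce the URL the browser is redirected to.
function sso_build_url(string $loginurl, array $user, string $secret, ?int $now = null): string {
    [$enckey, $mackey] = sso_keys($secret);
    $payload = $user + ['timestamp' => $now ?? time(), 'nonce' => bin2hex(random_bytes(16))];
    $iv = random_bytes(16); // fresh IV per token: mandatory for CBC
    $ct = openssl_encrypt(json_encode($payload, JSON_THROW_ON_ERROR), 'aes-256-cbc',
                          $enckey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    $blob = $iv . $ct;
    return $loginurl . '?' . http_build_query([
        'data' => base64_encode($blob),
        'sig'  => hash_hmac('sha256', $blob, $mackey), // hex tag over IV || ciphertext
    ]);
}

// Stand-in for the plugin's database-backed single-use nonce table.
final class NonceStore {
    private array $used = [];
    public function consume(string $nonce): bool {
        if (isset($this->used[$nonce])) { return false; }
        $this->used[$nonce] = true;
        return true;
    }
}

// Moodle side. Returns the user fields on success, or a string naming the
// check that rejected the token (useful for logging, never shown to the user).
function sso_verify(string $data, string $sig, string $secret, NonceStore $store, ?int $now = null): array|string {
    [$enckey, $mackey] = sso_keys($secret);
    $blob = base64_decode($data, true);
    if ($blob === false || strlen($blob) < 32 || strlen($blob) % 16 !== 0) {
        return 'malformed data';
    }
    // 1. Authenticate first. A forged or modified token stops here, so the
    //    cipher (and its padding check) never runs on attacker-controlled bytes.
    if (!hash_equals(hash_hmac('sha256', $blob, $mackey), $sig)) { // constant time
        return 'bad signature';
    }
    // 2. Only authenticated ciphertext is decrypted.
    $iv = substr($blob, 0, 16);
    $json = openssl_decrypt(substr($blob, 16), 'aes-256-cbc', $enckey, OPENSSL_RAW_DATA, $iv);
    if ($json === false) { return 'decryption failed'; }
    $payload = json_decode($json, true);
    if (!is_array($payload) || !isset($payload['username'], $payload['timestamp'], $payload['nonce'])) {
        return 'malformed payload';
    }
    // 3. Bidirectional timestamp check: too old and too far in the future both fail.
    $now ??= time();
    if (abs($now - (int) $payload['timestamp']) > SSO_EXPIRY) { return 'expired or clock skew too large'; }
    // 4. Single-use nonce: a replayed URL carries a valid signature but fails here.
    if (!$store->consume((string) $payload['nonce'])) { return 'nonce already used (replay)'; }
    unset($payload['timestamp'], $payload['nonce']);
    return $payload; // hand to JIT provisioning / profile sync
}

// Demo: a valid login, a replay, a tampered token and a stale token.
$store = new NonceStore();
$url = sso_build_url('https://moodle.example.org/local/ssologin/login.php', // hypothetical endpoint
    ['username' => 'jdoe', 'email' => 'jdoe@example.org', 'firstname' => 'Jane', 'lastname' => 'Doe'],
    SSO_SECRET);
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
var_dump(sso_verify($q['data'], $q['sig'], SSO_SECRET, $store));                 // user array
var_dump(sso_verify($q['data'], $q['sig'], SSO_SECRET, $store));                 // replay rejected
$blob = base64_decode($q['data']);
$blob[20] = chr(ord($blob[20]) ^ 1);                                               // flip one ciphertext bit
var_dump(sso_verify(base64_encode($blob), $q['sig'], SSO_SECRET, $store));        // bad signature
var_dump(sso_verify($q['data'], $q['sig'], SSO_SECRET, new NonceStore(), time() + 3600)); // expired
```

In a deployment the nonce store is a database table, and a nonce only needs to be retained for the expiry window: anything older is already rejected by the timestamp check, so the cleanup job can safely delete rows past that age. The tampered case is worth noting because the flipped bit would normally surface as a padding error from openssl_decrypt; since the HMAC check runs first, the verifier returns the same 'bad signature' result whether the tampering was in the IV, the body or the final block.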

🚀 Installation & Configuration

  1. Install the plugin via the Moodle plugin installer or by extracting the zip into the local/ssologin directory.
  2. Log in as an Administrator and complete the database upgrade.
  3. Navigate to Site Administration > Plugins > Local Plugins > SSO Login.
  4. Retrieve the auto-generated Shared Secret Key (or set your own).
  5. Configure Token Expiry, JIT Provisioning, and Profile Sync according to your needs.
  6. Implement the token generation on your external system using the provided Shared Secret.

Developed by Richard Guedes, Cyber Defense Institute (IDCiber).

Contributors

Richard Guedes (Lead maintainer)