Maintained by Sixto Martin Garcia
SAML Authentication plugin based on the simplesamlphp software. (Also install the SAML Enrolment plugin if you want auto-enrol based on SAML)
451 sites
378 downloads
19 fans

Donations

Donations are welcome to support the development of the plugin.


 
Sponsors:

  • Mark Stewart - Moodle Administrator in New Zealand


Info of the plugin

This plugin adds SAML authentication support to Moodle.
If you need auto-enrolment based on SAML, you also need to install the SAML Enrolment plugin.


Prerequisites

Install a simpleSAMLphp instance on the same machine and configure it as a Service Provider.

Install Instruction
1. Unpack this saml directory into the /auth/ directory as you would for any Moodle auth module (http://docs.moodle.org/en/Installing_contributed_modules_or_plugins).

2. Log in to Moodle as an administrator and activate the module by navigating to
Site administration->Plugins->Manage authentication->SAML Authentication

3. Grant the web server user write permission on the auth/saml/saml_config.php file.

Configuration
After installation, the SAML plugin must be configured: go to "Settings" on the "Manage Authentication" page, or go to Users > Authentication > SAML Authentication. The form has these fields:

  • simpleSAMLphp Path: the plugin will not work unless you specify the SAML library path. This refers to the library path of the simpleSAMLphp environment you want to use. For example: /var/simplesamlphp/lib
  • SimpleSAMLphp SP source: select the SP source you want to connect to Moodle. (Sources are defined at the simpleSAMLphp SP in /config/authsources.php.)
  • SAML username mapping: the SAML attribute that will be mapped to the Moodle username. By default, this attribute is set to 'mail'.
  • Single Log out: enable/disable single logout. This will log you out of Moodle, the identity provider and all connected service providers.
  • SAML Image: when you enable the SAML authentication plugin, a new button is shown on the Moodle login page that allows users to authenticate via SAML. By default, the simpleSAMLphp image (something like a fish) is shown, but you can specify another one. Note: this image needs to exist on the server, as it is not possible to upload an image through the form right now.
  • SAML login description: you can also specify a description text for the previous button. This description is shown below the SAML image on the Moodle login page.
  • Log file path: the absolute path of a file where the plugin will log information about its actions. It is optional.
  • Hook file path: the absolute path of a file with PHP functions that will be called to alter the default behaviour of this plugin. See the file custom_hook.php for more information.
  • SAML support Courses: this select has three options:
    • No support (default value): the plugin will not have support for enrolling the user into courses automatically.
    • Internal: the plugin will use an internal database table to map the courses in the next field to Moodle courses.
    • External: the plugin will use a table in an external database to map the courses in the next field to Moodle courses.
  • SAML courses mapping: the SAML attribute that is mapped to Moodle course data. By default, it is set to 'schacUserStatus'.
  • Field used to identify a course: this can be the Short Name or the Number ID and refers to the Moodle field used to identify a course during the matching phase of the plugin.
  • Ignore inactive courses: if this field is checked, the user will stay in previously enrolled courses even if the status of the course is inactive in the SAML attribute.
  • Data Mapping section: the Identity Provider (IdP) provides some user data such as the first name, surname, email address, etc. In this section, you can specify the correspondence with the same data in Moodle. By default, the configuration is set as shown below: First name = cn, Surname = sn, Email Address = mail.
  • Course Mapping section: the course mapping section allows the administrator to link SAML courses and Moodle courses. To make this work, we need to create an intermediate database in which to store this data. This database will have the following internal structure:
    Field               Type         Null  Key  Default  Extra
    course_mapping_id   int(11)      NO    PRI  NULL     auto_increment
    saml_course_id      varchar(20)  NO         NULL
    saml_course_period  int(4)       NO         NULL
    lms_course_id       text         NO         NULL

    Once the database has been created, specify the DSN (Data Source Name), which has the following syntax:
    • MySQL
      mysql://user:password@host/database_name
    • SQLite
      sqlite:///path/to/database/file
    • PostgreSQL
      postgres://user:password@host/database_name
  • Below the database DSN field you can start entering course mappings between Moodle and SAML courses. No field can be null: a course mapping with a null field is ignored and not saved in the database. A duplicate course mapping is not saved in the database either, and you are redirected to the form with an error shown. To delete a course mapping, check the corresponding checkbox on the left and click the 'delete' button. You can also update previously entered course mappings at any time, as long as the new data does not conflict with any of the previous course mappings. Several course mappings can be entered at the same time; add a new row by clicking the '+' button on the right. If no errors occur while entering the course mappings, you are redirected to the 'Manage Authentication' page, as with any other field of the form.
In order to support course enrolling you must install the SAML Enrolment plugin, otherwise set SAML support Courses to 'no support'. 
 

Internal Changes
The 'config.html' file was renamed to 'config.php' because it now contains PHP code. Two new files were created in the SAML plugin directory:
  • 'courses.php': this file contains the PHP code needed to show the new 'Course mapping' table.
  • 'DBNewDatabase.php': this file contains a tiny function for creating a database connection, because there seems to be a bug when you try to open a SQLite database connection using a DSN.

In 'auth.php', 'validate_form' is used to validate the form and store the errors, and 'process_config' to save the data into the database if there are no errors. The 'sync_roles' function has also been modified to map roles and courses.

NOTES
These changes are tested and valid for simpleSAMLphp >= 1.7

Important for enrollment!!

This plugin assumes that the IdP sends the user's course data in an attribute that can be configured, but the pattern of the expected data is always

You can change this pattern by editing the file auth/saml/course_mapping.php

Default pattern is:  <country> : <domain> : <courseId> : <period> : <role> : <status>
status can be 'active' or 'inactive';
courseId, period and role depend on the configuration of the mapping.
Example: es:moodle.org:00001:2009-10:student:active

You may prefix it with the URN of your attribute. The default attribute for carrying course data is schacUserStatus, so you may prefix the previous string with the related URN.
Example:
urn:mace:terena.org:schac:userStatus:es:moodle.org:00001:2009-10:student:active

If you use an attribute other than schacUserStatus, or you want to change the format of the course data, edit the course_mapping.php file.
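
Because the values of this attribute decide which courses and roles a user receives, it is worth rejecting anything that does not match the pattern exactly. The following strict parser for the default pattern is an added example, not the plugin's course_mapping.php; the function name, the role allow-list, the field patterns and the sample values are assumptions made for illustration.

```php
<?php
// Added example (not plugin code). Names, allow-lists and patterns are assumptions.
const URN_PREFIX     = 'urn:mace:terena.org:schac:userStatus:';
const ALLOWED_STATUS = ['active', 'inactive'];   // the two values named on the page
const ALLOWED_ROLES  = ['student', 'teacher'];   // assumed: only roles you actually map

/**
 * Parse one value of the course attribute.
 * Returns the six fields, or null when the value does not match
 * <country>:<domain>:<courseId>:<period>:<role>:<status>.
 */
function parse_course_value(string $value): ?array {
    // Strip the optional URN prefix.
    if (strncmp($value, URN_PREFIX, strlen(URN_PREFIX)) === 0) {
        $value = substr($value, strlen(URN_PREFIX));
    }
    $parts = explode(':', $value);
    if (count($parts) !== 6) {
        return null;                               // wrong number of fields
    }
    [$country, $domain, $courseid, $period, $role, $status] = $parts;

    // Validate every field before it is used for a database lookup or enrolment.
    // courseId is limited to 20 characters, matching varchar(20) in the mapping table.
    if (!preg_match('/\A[a-z]{2}\z/', $country)
        || !preg_match('/\A[a-z0-9.-]+\z/i', $domain)
        || !preg_match('/\A[A-Za-z0-9_-]{1,20}\z/', $courseid)
        || !preg_match('/\A[0-9]{4}(-[0-9]{2})?\z/', $period)   // assumed period format
        || !in_array($role, ALLOWED_ROLES, true)
        || !in_array($status, ALLOWED_STATUS, true)) {
        return null;
    }
    return compact('country', 'domain', 'courseid', 'period', 'role', 'status');
}

// Constructed sample values: the page's two examples plus two malformed ones.
$samples = [
    'es:moodle.org:00001:2009-10:student:active',
    'urn:mace:terena.org:schac:userStatus:es:moodle.org:00001:2009-10:student:active',
    'es:moodle.org:00001:2009-10:manager:active',   // role not in the allow-list
    'es:moodle.org:00001:2009-10:student',          // status field missing
];
foreach ($samples as $s) {
    $r = parse_course_value($s);
    echo $s, ' => ', $r === null ? 'REJECTED' : json_encode($r), PHP_EOL;
}
```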

 

 

Problems with the login view

The SAML auth plugin rewrites the login view; I had to copy some code from the login/index.php view and make some changes. If you find problems on the login view, you can disable the "login view replacement". Edit auth/saml/auth.php and, in the loginpage_hook function, disable the following code:
        if (empty($CFG->alternateloginurl)) {
            $CFG->alternateloginurl = $CFG->wwwroot.'/auth/saml/login.php';
        }

Then edit the login/index_form.html and insert before:

<!--

<h2><?php print_string("returningtosite") ?></h2> 

  -->

the following code


Who is using SAML plugin?


Contributors

Sixto Martin Garcia (Lead maintainer)

Comments
  • Hen Hohen
    Tue, Jun 6, 2017, 1:37 AM
    Hey,

    I want to install the plugin on my site but I have version 3.3.
    I want to ask if there is a release date for the plugin for this version, and when is it?

    Thanks in advance :)
  • Kitti Lai
    Tue, Jul 25, 2017, 11:32 PM
    Hi and thanks for maintaining the SAML Authentication plugin.
    We have been advised to use this plugin for SSO implementation, but the issue is we are unsure whether this plugin will support or work properly with 3.3 or not.
    May I ask if it's known or if anyone else is using this plugin with the latest version (3.3)? Many thanks in advance!
  • Sixto Martin Garcia
    Tue, Jul 25, 2017, 11:51 PM
    Moodle 3.3 introduces a new way to manage settings: instead of the old config.html, the new admin settings API now needs to be used.
    It will take time to adapt the SAML plugin to this new environment. I can't provide an ETA right now, but I will try to get something working at the end of August.
    Read more at: https://raw.githubusercontent.com/moodle/moodle/master/auth/upgrade.txt

    Now that a rewrite is required, I also plan to fix the code style errors detected by the code prechecks:
    https://moodle.org/plugins/pluginversion.php?id=13021
  • Bobby Siegfried
    Thu, Dec 21, 2017, 12:12 AM
    Hi! Thank you for maintaining this module! I'm just curious if there is any update regarding a 3.3 release. I'm happy to help test. Thank you!
  • julie prescott
    Tue, May 1, 2018, 10:03 PM
    Hi @Sixto Martin Garcia, our Moodle site is 2.7 and we currently use your plugin for SSO. We are planning to upgrade Moodle, for GDPR reasons, to Moodle 3.4. With this we will also have to upgrade our SimpleSAMLphp plugin.

    Regarding your comment dated Tue, 25 Jul 2017 - If we already have our config settings in place, will we still be able to use the latest version of your plugin (as we don't need to change our settings in Moodle at this time), or will we need to re-set our settings when we upgrade your plugin?

    I am sure many users of your plugin will be curious to know if a 3.4+ compatible version of your plugin will be available soon as GDPR affects the whole of Europe - please can you give an update on when the next version will be available?

    Thanks
  • Memet Ødegaard Cataltepe
    Wed, May 2, 2018, 2:29 PM
    To Julie Prescott!
    I just want to let you know that I've been totally dependent on SAML to work. We have probably 50-80 installations that run a SAML integration with ADFS, Feide (NOR common login for all schools in Norway), etc., and when this plugin was no longer maintained we had to think of something else. Since the GDPR rules are coming soon, we already have all installations on 3.3/3.4 with the auth_saml2 module installed. Actually, it's much simpler to use saml2 than saml. All SimpleSAMLphp files are accessible and you can make changes to authsources, config, sp/idp-remote, etc.
    So if you can clone your site and try an upgrade on a dev environment, you should be able to get things to work with saml2.

    To answer one question of yours, all settings are stored from the old saml-module as long as you don't delete the tables in the DB. If you install auth_saml on the new version, all settings are kept.
  • Naresh devarasetty
    Wed, Jun 13, 2018, 7:18 PM
    I followed the above instructions and after this step

    "After the installation we must configure the saml plugin, so go to "Settings" if you are in
    "Manage Authentication" page, or you can also go to Users > Authentication > SAML Authentication."

    I could not see the settings option beside "Site administration --> Plugins --> Authentication --> Manage authentication --> SAML Authentication".

    I have installed and configured SimpleSAMLphp. I configured "/var/www/simplesamlphp/lib" path in /auth/saml/samp_config.php file. Still I could not see the Setting link for SAML Authentication plugin.

    Could you please help me?

    Thanks,
    Naresh
  • Sixto Martin Garcia
    Wed, Jan 16, 2019, 2:57 AM
    I released a version compatible with Moodle 3.4+ but it removes support for internal/external role/course mapping. Now that data is managed as Moodle settings.
  • Derek Henderson
    Thu, Mar 7, 2019, 2:47 AM
    Hi - just wondering what the relaystate setting should be in simplesamlphp in order for this to work properly.

    For example - we are trying to pass in a link to a course:
    {url}/enrol/index.php?id=1184

    The relay state is set to:
    {moodle_url}/auth/saml/index.php
  • Heidi W
    Fri, May 10, 2019, 9:26 PM
    We have big problems with this plugin with Moodle versions 3.6.2 and 3.6.3. Upgrading broke the database because it named the plugin wrong. We fixed it manually, but after saving some settings the next page cannot be shown. Only a blank page is shown with HTTP error 500. This problem occurs only in Moodles with this plugin. What causes this problem? The version of this plugin is the newest one.
  • Sixto Martin Garcia
    Sat, Jul 13, 2019, 12:04 AM
    @Simon Harbinson,

    those parameters will be listed on the User Attribute Mapping section.
    Are you sure you are adding in the settings the same values that came from the simpleSAMLphp SP?
    You can always add a breakpoint at https://github.com/onelogin/moodle-saml/blob/0c4ffbe9ab7b31c215bc6a0790602c680ff3f42e/auth/onelogin_saml/index.php#L163
    and see the data that the getAttributes method returns and compare the names there with the ones you set in the mapping section.
  • Irith Herman
    Sun, Jul 14, 2019, 11:21 PM
    I moved my Moodle to a new server and now I have a problem with the plugin.
    Every time I try to log in, it sends me to a form to update my details, and when I save I get this error:
    Forbidden
    You don't have permission to access /user/edit.php on this server.
    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
  • Chelsy Ann Koshy
    Mon, Aug 19, 2019, 9:51 PM
    Hi,

    We are not able to login using SAML authentication and getting the below error after entering the username and password.

    Notice: Undefined variable: user in ..../lib/outputrenderers.php on line 3291
    Coding error detected, it must be fixed by a programmer: User id is required when printing user avatar image.
    Debug info:
    Error code: codingerror
    Stack trace:

    line 219 of /lib/outputcomponents.php: coding_exception thrown
    line 2480 of /lib/outputrenderers.php: call to user_picture->__construct()
    line 839 of /user/lib.php: call to core_renderer->user_picture()
    line 3294 of /lib/outputrenderers.php: call to user_get_user_navigation_info()
    line 219 of /lib/mustache/src/Mustache/Context.php: call to core_renderer->get_user_name()
    line 138 of /lib/mustache/src/Mustache/Context.php: call to Mustache_Context->findVariableInStack()
    line 67 of /lib/mustache/src/Mustache/Template.php: call to __Mustache_dc53af75f8d1a9b2ba67816a08168563->renderInternal()
    line 191 of /lib/outputrenderers.php: call to Mustache_Template->render()
    line 27 of /theme/remui/layout/columns2.php: call to renderer_base->render_from_template()
    line 1287 of /lib/outputrenderers.php: call to include()
    line 1217 of /lib/outputrenderers.php: call to core_renderer->render_page_layout()
    line 1881 of /lib/setuplib.php: call to core_renderer->header()
    line 23 of /auth/saml/error.php: call to bootstrap_renderer->__call()
    line 204 of /auth/saml/index.php: call to auth_saml_error()

    Not sure why this error is showing. Can you please help to resolve this?
  • Sixto Martin Garcia
    Mon, Aug 19, 2019, 10:36 PM
    @chelsy

    "User id is required when printing user avatar image" is not an error related to the SAML plugin; it seems to be something related to your template.
  • Irith Herman
    Tue, Sep 3, 2019, 7:04 PM
    After logging in with SAML, students can't log out.
    They press the log out button but stay logged in. Moodle 3.5