Authentication: SAML Authentication (simpleSAMLphp required)

auth_saml
Maintained by Sixto Martin Garcia, Jan Aagaard Meier
SAML Authentication plugin based on the simplesamlphp software. (Also install the SAML Enrolment plugin if you want auto-enrol based on SAML)
Moodle 2.0, 2.1, 2.2, 2.3, 2.4, 2.5

Donations

Donations are welcome to support the development of the plugin.

Moodle's SAML Plugin

Info of the plugin

This plugin adds SAML authentication support to Moodle.
If you need auto-enrolment based on SAML, you also need to install the SAML Enrolment Plugin.


Prerequisites

Install a simpleSAMLphp instance on the same machine and configure it as a Service Provider.

Install Instructions
1. Unpack this saml directory into the /auth/ directory as you would for any Moodle auth module (http://docs.moodle.org/en/Installing_contributed_modules_or_plugins).

2. Log in to Moodle as an administrator and activate the module by navigating to
Site administration -> Plugins -> Manage authentication -> SAML Authentication

3. Give the web server user write privileges on the auth/saml/saml_config.php file.

Configuration
After the installation you must configure the saml plugin: click "Settings" on the "Manage Authentication" page,
or go to Users > Authentication > SAML Authentication. These are the fields of this form:

  • simpleSAMLphp Path: the plugin will not work unless you specify the path of the simpleSAMLphp library you want to use. For example: /var/simplesamlphp/lib
  • SimpleSAMLphp SP source: select the SP source you want to connect to Moodle. (Sources are defined in the simpleSAMLphp SP's config/authsources.php.)
  • SAML username mapping: the SAML attribute that will be mapped to the Moodle username. By default, this attribute is set to 'mail'.
  • Single Log out: enable/disable single logout. When enabled, logging out will log you out from Moodle, the identity provider and all connected service providers.
  • SAML Image: when you enable the SAML authentication plugin, a new button is shown on the Moodle login page that allows users to authenticate via SAML. By default, the simpleSAMLphp image (something like a fish) is shown, but you can specify another one. Note: this image needs to exist on the server, as it is not possible to upload an image through the form right now.
  • SAML login description: you can also specify a description text for the previous button. It is shown below the SAML image on the Moodle login page.
  • Log file path: the absolute path of a file where the plugin will log information about its actions. It is optional.
  • Hook file path: the absolute path of a file with PHP functions that will be called to alter the default behaviour of this plugin. See the file custom_hook.php for more information.
  • SAML support Courses: this select has three options:
    • No support (default value): the plugin will not support enrolling the user into courses automatically.
    • Internal: the plugin will use an internal database table to map the courses in the next field to Moodle courses.
    • External: the plugin will use a table in an external database to map the courses in the next field to Moodle courses.
  • SAML courses mapping: the SAML attribute that is mapped to Moodle course data. By default, it is set to 'schacUserStatus'.
  • Field used to identify a course: this can be the Short Name or the Number ID and refers to the Moodle field used to identify a course during the matching phase of the plugin.
  • Ignore inactive courses: if this field is checked, the user stays in previously enrolled courses even if the status of the course is inactive in the SAML attribute.
  • Data Mapping section: the Identity Provider (IdP) provides some user data such as the first name, surname, email address, etc. In this section you can specify the correspondence with the same data in Moodle. By default, the configuration is:
    • First name = cn
    • Surname = sn
    • Email Address = mail
  • Course Mapping section: the course mapping section allows the administrator to link SAML courses and Moodle courses. To make it work we need to create an intermediate database where we can store this data. This database will have the following internal structure:

    Field               Type         Null  Key  Default  Extra
    course_mapping_id   int(11)      NO    PRI  NULL     auto_increment
    saml_course_id      varchar(20)  NO         NULL
    saml_course_period  int(4)       NO         NULL
    lms_course_id       text         NO         NULL

    Once the database has been created, we need to specify the DSN (Data Source Name), which has the following syntax:
    • MySQL
      mysql://user:password@host/database_name
    • SQLite
      sqlite:///path/to/database/file
    • PostgreSQL
      postgres://user:password@host/database_name
  • Below the database DSN field you can start entering course mappings between Moodle and SAML courses. No field can be null; if you try to enter a null course mapping, the data is ignored and not saved in the database. If you try to enter a duplicate course mapping, the data is not saved in the database and you are redirected to the form with an error. To delete a course mapping, check the corresponding checkbox on the left and click the 'delete' button. You can also update previously entered course mappings at any time, as long as the new data does not conflict with any existing course mapping. It is possible to enter several course mappings at the same time: add a new row by clicking the '+' button on the right. If no errors happen while entering the course mappings, you are redirected to the 'Manage Authentication' page, as with any other field of the form.
In order to support course enrolment you must install the SAML Enrolment plugin; otherwise set SAML support Courses to 'No support'.

Internal Changes
  • The 'config.html' file was renamed to 'config.php' because it now contains PHP code.
  • Two new files were created in the SAML plugin directory:
    • 'courses.php': contains the PHP code needed to show the new 'Course mapping' table.
    • 'DBNewDatabase.php': contains a tiny function for creating a database connection, because there seems to be a bug when opening a SQLite database connection using a DSN.

In 'auth.php' we have used 'validate_form' to validate the form and store the errors, and 'process_config' to save the data into the database if there are no errors. Also, the 'sync_roles' function has been modified to map roles and courses.

NOTES
These changes are tested and valid for simpleSAMLphp >= 1.7

Important for enrolment!!

This plugin assumes that the IdP sends the user's course data in an attribute that can be configured, but the pattern of the expected data is always

You can change this pattern by editing the file auth/saml/course_mapping.php

Default pattern is:  <country> : <domain> : <courseId> : <period> : <role> : <status>
status can be 'active' or 'inactive';
courseId, period and role depend on the configuration of the mapping.
Example:  es:moodle.org:00001:2009-10:student:active

You may prefix it with the URN of your attribute. The default attribute for carrying course data is schacUserStatus, so you may prefix the previous string with the related URN.
Example:
urn:mace:terena.org:schac:userStatus:es:moodle.org:00001:2009-10:student:active

If you use an attribute other than schacUserStatus, or you want to change the format of the course data, you may edit the course_mapping.php file.
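As an added example (not code from the auth_saml plugin or its course_mapping.php), this PHP function parses one value of the course attribute in the default pattern above, with or without the URN prefix, and rejects anything malformed so that a bad IdP value can never turn into an enrolment. The URN prefix constant, the allowed-status list and the character-set rules on courseId and role are assumptions; the page does not define how the plugin validates the value.

```php
<?php
// Added example, not the plugin's own code: parse one value of the configured
// course attribute (schacUserStatus by default) using the default pattern
// <country>:<domain>:<courseId>:<period>:<role>:<status>.
// URN prefix, status list and charset rules below are assumptions.

const URN_PREFIX = 'urn:mace:terena.org:schac:userStatus:';
const ALLOWED_STATUS = ['active', 'inactive'];

/**
 * Returns the six fields as an associative array, or null when the value does
 * not match the pattern. A value that fails to parse must be ignored, never
 * used for enrolment: it comes from the IdP assertion, and an unexpected entry
 * should not create a course membership.
 */
function parse_course_status(string $value): ?array
{
    $value = trim($value);
    // Strip the URN prefix when the IdP sends the fully qualified form.
    if (strncmp($value, URN_PREFIX, strlen(URN_PREFIX)) === 0) {
        $value = substr($value, strlen(URN_PREFIX));
    }
    $parts = explode(':', $value);
    if (count($parts) !== 6 || in_array('', $parts, true)) {
        return null; // wrong field count or an empty field
    }
    [$country, $domain, $courseid, $period, $role, $status] = $parts;
    if (!in_array($status, ALLOWED_STATUS, true)) {
        return null; // only 'active' and 'inactive' are meaningful
    }
    // courseId and role are later matched against Moodle data, so keep them to a
    // conservative character set (assumed rule, not the plugin's).
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $courseid) || !preg_match('/^[a-z]+$/', $role)) {
        return null;
    }
    return compact('country', 'domain', 'courseid', 'period', 'role', 'status');
}

// Constructed sample values: the two documented forms plus one malformed entry.
$samples = [
    'es:moodle.org:00001:2009-10:student:active',
    'urn:mace:terena.org:schac:userStatus:es:moodle.org:00002:2009-10:teacher:inactive',
    'es:moodle.org:00003:2009-10:student', // status missing: must be rejected
];
foreach ($samples as $sample) {
    $parsed = parse_course_status($sample);
    echo $sample, ' => ', $parsed === null ? 'rejected' : json_encode($parsed), PHP_EOL;
}
```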

Problems with the login view

The SAML auth plugin rewrites the login view: I had to copy some code from the login/index.php view and make some changes. If you find problems with the login view, you can disable the "login view replacement". Edit auth/saml/auth.php and, in the loginpage_hook function, disable the following code:

        if (empty($CFG->alternateloginurl)) {
            $CFG->alternateloginurl = $CFG->wwwroot.'/auth/saml/login.php';
        }

Then edit login/index_form.html and insert before:

<!--

<h2><?php print_string("returningtosite") ?></h2>

  -->

the following code


Contributors

Sixto Martin Garcia (Lead maintainer)
Jan Aagaard Meier: Maintainer assistant

Comments

  • Laura Marcelo
    Thu, Feb 13, 2014, 8:12 PM
    Hi,

    I'll use the saml plugin auth in my project. Making tests in my local environment I have two errors with saml:


    1. Strict standards: Declaration of auth_plugin_saml::config_form() should be compatible with auth_plugin_base::config_form($config, $err, $user_fields)

    I have seen the function declaration, and the $err parameter is passed by reference. When I remove the reference error no longer occurs, have you used that model for any specific reason?

    function config_form($config, &$err, $user_fields)

    The following is the same case:

    2. Strict standards: Declaration of auth_plugin_saml::validate_form() should be compatible with auth_plugin_base::validate_form($form, &$err)

    function validate_form(&$form, &$err)

    Thank you!
  • Kyle Belcher
    Wed, Feb 26, 2014, 12:26 AM
    I cannot for the life of me get the simplesamlphp instance installed and configured properly. I am running Server 2012 with SQL Express 2012, PHP 5.4, and Moodle 2.6.1.

    I have extracted the simplesaml contents and created a website that points to the 'www' subfolder inside of the simplesaml directory. When I try to browse to the site in IE, I get a 404.0 - Not Found error. I have granted read and execute permissions to the IIS_IUSRS group on the 'www' folder.

    Any assistance would be greatly appreciated.
  • Bluff at the bottom of New Zealand, next stop Antarctica - March 2013
    Tue, Apr 29, 2014, 11:10 PM
    Any ideas what settings I should use for the Okta identity provider? This is the requested information : https://support.okta.com/entries/23364161-Configuring-Okta-Template-SAML-2-0-Application
  • Christopher Cordi
    Tue, Jul 15, 2014, 5:04 AM
    @Sixto, I'm using Moodle 2.5.4, the latest version of the plugin, and simpleSAMLphp 1.12, and I'm having the same issue as @Oriol and @Jeff with the $wantsurl. No matter where I attempt to navigate to in the site, I get brought back to the moodle homepage after authenticating at the idp.
  • Bluff at the bottom of New Zealand, next stop Antarctica - March 2013
    Thu, Jul 17, 2014, 9:11 PM
    Is there a way to bypass the saml login and use manual login?
  • Bluff at the bottom of New Zealand, next stop Antarctica - March 2013
    Thu, Jul 17, 2014, 10:07 PM
    To skip saml and go to the manual login edit auth.php

    Go to function login_page_hook()

    and at the top of the function add

    if (optional_param('skipsaml', null, PARAM_BOOL)) {
        return false;
    }

    Then use with /login/index.php?skipsaml=1
  • Herson Cruz
    Fri, Jul 18, 2014, 1:12 AM
    Any plans to update this for Moodle 2.6 or 2.7? I can help if needed, just need some guidance.
  • Christopher Cordi
    Sat, Jul 19, 2014, 4:45 AM
    Hey there, I've got another question regarding the same configuration I mentioned four comments up from here.

    We're using an SP initiated HTTPPOST setup, and it's working well, but our IdP is using the simplesaml webpage provided with simpleSAMLphp as the assertion consumer. This functions correctly, but we'd like to be able to remove the simplesaml webpage from our server.

    Is there any way to set this up to hook that all directly to moodle instead of the secondary webpage?
  • Hiren Bhut
    Sat, Sep 20, 2014, 7:42 PM
    My question is: does simplesamlphp only work over HTTPS requests?

    Does it support HTTP requests?

    Please help me
  • Michael Lynn
    Tue, Nov 4, 2014, 10:53 PM
    @Sixto, I have 2 sites:
    https://simplesaml.mysite.com
    https://www.mymoodle.com
    Both sites use different digi certs.

    When I connect to my IDP the end point becomes https://www.mymoodle.com/simplesaml/module.php/saml/sp/saml2-logout.php/mysitesso

    www.mymoodle.com/simplesaml is an alias pointing back to https://simplesaml.mysite.com

    This works via the SimpleSAMLPHP test page but this is not trusted by the IDP on ADFS 2.0 when trying to login from Moodle.


    Do I have to setup a Relying Party Trust on ADFS?

    Also the attributes names are in the format:
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    Do I access this by the full name or simply givenname in the attribute mapping for the SAML Authentication plugin?
  • Simon Thornett
    Tue, Nov 11, 2014, 12:11 AM
    @Sixto, Firstly, thank you for this plugin!

    I was wondering if there was any update with regards to the $wantsurl being passed from Moodle to ADSF and back again?

    Thanks in advance
  • julie prescott
    Mon, Feb 16, 2015, 8:16 PM
    I am having trouble accessing the simpleSAMLphp installation webpage (instructions here: https://simplesamlphp.org/docs/stable/simplesamlphp-install#section_10). I have set up an Alias in my virtualhost settings and the Alias name matches the baseurlpath in my simplesamlphp config.php file, but when I try to access the installation webpage I get a 500 internal error message. Does anyone know why I may be getting this error? I have checked my webserver error logs and there is nothing logged except File does not exist: /home/sitefolder/public_html/500.shtml.

    Any help is much appreciated, thanks
  • feeling fuzzy
    Wed, Mar 11, 2015, 6:47 PM
    Hi,

    I run a moodle application where visitors should be able to choose their identity provider. One of the screenshots above suggests that is possible with this plugin but the settings will only allow you to set a single provider and mapping.
    Could you give me some pointers on how to set this up?

    Thank you.
  • Ahmad Fahim Ayub
    Tue, Apr 28, 2015, 9:49 AM
    Dear Sixto and Jan,
    Please check and ensure the files and folders' permission in the zip download are set to 644 and 755 by default. After installation, the accounts could not authenticate against the remote server. For the reason that none of the folders and files had the right permission. When I set them, it worked!
  • julie prescott
    Thu, May 28, 2015, 6:15 PM
    Hi, is it possible to add more user profile fields to the data mapping section? Thanks