Authentication: SAML2 Single sign on

auth_saml2
Maintained by Catalyst IT, Brendan Heywood, Adam Riddell, Daniel Thee Roperto, Rossco Hellmans, Kristian Ringer
SAML done 100% in moodle, fast, simple, secure
318 sites
302 downloads
30 fans
878 sites
751 downloads
45 fans

What is this?

This plugin handles authentication and user auto-creation, with mapping of SAML attributes to Moodle user fields.

Why is it better?

  • 100% configured in the Moodle GUI - no installation of a whole separate app, and no touching of config files or generating certificates.
  • Minimal configuration needed, in most cases just copy the IdP metadata in and then give the SP metadata to your IdP admin and that's it.
  • Fast! - 3 redirects instead of 7
  • Supports back channel Single Logout which most big organisations require (unlike OneLogin)

How does it work?

It completely embeds a SimpleSamlPHP instance as an internal dependency. That instance is configured dynamically, the way it should be, and inherits almost all of its configuration from the Moodle configuration. In the future it should be possible to swap in a different internal SAML implementation without the plugin GUI needing to change at all.

Features

  • Dual login vs. forced login for all, as an option; with ?saml=off on the login page for manual accounts, and ?saml=on supported everywhere to deep link and force login via SAML when dual auth is on.
  • SAML attributes to Moodle user field mapping
  • Automatic certificate creation
  • Optionally auto create users

Features not yet implemented:

  • Enrolment - this should be an enrol plugin and not in an auth plugin
  • Role mapping - not yet implemented

Installation

1) Install the plugin the same as any standard Moodle plugin, either via the Moodle plugin directory or by using git to clone it into your source:

git clone git@github.com:CatalystIT-AU/moodle-auth_saml2.git auth/saml2

2) Then run the Moodle upgrade.

3) If your IdP has a publicly available XML descriptor, copy its URL into the SAML2 auth config settings page.

4) If your IdP requires whitelisting each SP, the settings page has links to download the SP XML, or you can provide that URL to your IdP administrator.

For most simple setups this is enough to get authentication working. There are many more settings that define how new accounts are handled, how dual authentication behaves, and how to debug the plugin easily if things are not working.
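Before pasting an IdP metadata URL or file into the settings page (step 3 above), it helps to confirm that the document actually contains what an SP needs: an entityID, a SingleSignOnService endpoint, a signing certificate and, for back-channel logout, a SingleLogoutService. The following Python check is an added example, not code from the plugin; the metadata document in it is constructed, with a placeholder where a real certificate would be, and the function name inspect_idp_metadata is an assumption. The same check reproduces the "IdP XML has no entity id" situation raised in the comments below, where the descriptor lacks its entityID attribute.

```python
"""Sanity-check SAML IdP metadata before pasting it into auth_saml2.

Added example, not code from the plugin. The metadata document below is
constructed, with a placeholder in place of a real certificate.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...CERTIFICATE-PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org/idp/profile/SAML2/SOAP/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Same document with the entityID attribute removed: the "IdP XML has no
# entity id" case.
SAMPLE_NO_ENTITY_ID = SAMPLE_IDP_METADATA.replace(
    ' entityID="https://idp.example.org/idp/shibboleth"', "")


def inspect_idp_metadata(xml_text):
    """Return one dict per IdP found, each with its endpoints and a list of problems."""
    root = ET.fromstring(xml_text)
    md = "{%s}" % NS["md"]
    if root.tag == md + "EntitiesDescriptor":      # federation aggregate
        entities = root.findall("md:EntityDescriptor", NS)
    elif root.tag == md + "EntityDescriptor":      # single entity
        entities = [root]
    else:
        raise ValueError("not SAML metadata: root element is %s" % root.tag)

    report = []
    for ent in entities:
        idp = ent.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # an SP-only entity; nothing to log in against
        entity_id = ent.get("entityID")
        sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
        slo = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)}
        certs = [
            c.text.strip()
            for kd in idp.findall("md:KeyDescriptor", NS)
            if kd.get("use") in (None, "signing")  # no 'use' means both signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if c.text
        ]
        problems = []
        if not entity_id:
            problems.append("missing entityID")
        if not sso:
            problems.append("no SingleSignOnService endpoint")
        if not certs:
            problems.append("no signing certificate (responses cannot be verified)")
        if not slo:
            problems.append("no SingleLogoutService (back channel logout unavailable)")
        report.append({"entity_id": entity_id, "sso": sso, "slo": slo,
                       "signing_certs": certs, "problems": problems})
    return report


if __name__ == "__main__":
    # Usage: python check_idp_metadata.py downloaded-idp-metadata.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    for idp_info in inspect_idp_metadata(text):
        print(idp_info["entity_id"], "->", idp_info["problems"] or "ok")
```

Run it against a saved copy of the IdP metadata; a reported problem such as "missing entityID" or "no signing certificate" points to something to raise with the IdP administrator before touching the plugin settings.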

If you have issues please log them in github here:

https://github.com/CatalystIT-AU/moodle-auth_saml2/issues

Or if you want paid support please contact Catalyst IT Australia:

https://www.catalyst-au.net/contact-us

Testing

This plugin has been tested against:

  • SimpleSamlPHP set up as an IdP
  • openidp.feide.no
  • testshib.org
  • An AAF instance of Shibboleth

Other SAML plugins

The diversity and variable quality of the SAML Moodle plugins reflect a great need for a solid SAML plugin, and the neglect to do it properly in core. SAML2 is by far the most robust and widely supported protocol across the internet and should be fully integrated into Moodle core, as both a Service Provider and an Identity Provider, without any external dependencies to manage.

Here is a quick run down of the alternatives:

Core:

  • /auth/shibboleth - This requires a separately installed and configured Shibboleth install

One big issue with this, and with the category below, is that there is a whole extra application between Moodle and the IdP, so the login and logout processes have more latency due to the extra redirects. Latency on potentially slow mobile networks is by far the biggest bottleneck for login speed and the biggest complaint from end users in our experience.

Plugins that require SimpleSamlPHP

These are all forks of each other, and unfortunately have diverged quite early or have no common git history making it difficult to cross port features or fixes between them.

Plugins which embed a SAML client lib:

These are generally much easier to manage and configure as they are standalone.

  • https://moodle.org/plugins/view/auth_onelogin_saml - This one uses its own embedded SAML library, which is great and promising; however, it doesn't support 'back channel logout', which is critical for security in any large organisation.

  • This plugin, with an embedded and dynamically configured SimpleSamlPHP instance under the hood

Warm thanks

Thanks to the various authors and contributors to the other plugins above.

Thanks to LaTrobe university in Melbourne for sponsoring the initial creation of this plugin:

http://www.latrobe.edu.au

Thanks to Centre de gestion informatique de l’éducation in Luxembourg for sponsoring the user autocreation and field mapping work:

http://www.cgie.lu

This plugin was developed by Catalyst IT Australia:

https://www.catalyst-au.net/


Contributors

Catalyst IT (Lead maintainer)
Adam Riddell: Developer
Daniel Thee Roperto: Developer
Rossco Hellmans: Developer
Kristian Ringer: Developer

Comments
  • Adam Riddell
    Fri, Jan 25, 2019, 6:36 AM
    Hi Mohammed,

    It sounds like the IdP metadata link that you're using from Edx isn't right. You may be able to visit the XML URL in your browser and check the XML yourself. Usually the entityID will be one of the first elements you see on the page - it would look something like: the other thing to keep in mind is that if you're using a URL it must be accessible from the host that is serving Moodle. If the IdP is only accessible from within a private network that can't be reached from Moodle you may be able to copy the XML metadata and upload that, but in this case only users that can access the IdP from within this private network will be able to authenticate via SAML.
  • Adam Riddell
    Fri, Jan 25, 2019, 6:41 AM
    Hi Marc,

    No unfortunately the plugin doesn't support combining two fields for one mapping at the moment. I'd say your best bet would be to look into getting the IdP to expose the two concatenated fields as an additional field.
  • Adam Riddell
    Fri, Jan 25, 2019, 6:50 AM
    Hi Colin,

    I'd recommend you double check the "Mapping IdP" field that you've configured in the SAML2 plugin - it sounds like this might be empty or doesn't match any fields exposed by your IdP.
  • Mohammed Abdul Azeem
    Fri, Jan 25, 2019, 2:45 PM
    Hi Adam,

    https://courses.edx.org/auth/saml/metadata.xml this is the Edx metadata URL. I hope this has an Entity ID, but I am getting the error "IdP XML has no entity id". Could you please check and help me?
  • ilun leem
    Thu, Feb 14, 2019, 5:10 PM
    Hi, team. Can this plugin work in IdP-initiated mode? If so, how? Thanks
  • Susan Mangan
    Thu, Mar 7, 2019, 9:41 AM
    Hi! I need help/info!!

    I am JUST in the process of upgrading our Moodle to 3.6 and just found out we will be looking to use SAML for SSO in the near future. It looks like your plug-in is by far the best supported, so I am hoping it is supported with 3.6 and that perhaps the plug-in directory page is just not updated.

    If it is not yet tested and supported for 3.6 we will likely upgrade to 3.5 instead.

    Thanks in advance!!
  • Neil Stapleton
    Fri, Mar 15, 2019, 9:48 PM
    Hi All

    Can this plugin be used to Authenticate against Office365?

    Does anyone have a guide on how to do it, both what's required on the O365 end as well as the Moodle end.

    I found this, but am not able to connect the dots... https://www.microsoft.com/en-us/microsoft-365/blog/2014/03/06/announcing-support-for-saml-2-0-federation-with-office-365/

    Thanks
    N
  • A Guy
    Thu, Mar 28, 2019, 5:13 AM
    When I use this, my custom theme template is not shown for the user when they log in. Where is that set in this plugin? I have the theme plugin config file set, so somehow it is bypassing that. When I log in as a manually authenticated user (with dual authentication on) I see the template I want to be seen. Thanks.
  • Wazza
    Thu, Mar 28, 2019, 6:52 PM
    Please see here: https://moodle.org/mod/forum/discuss.php?d=384309 and here: https://github.com/catalyst/moodle-auth_saml2/issues/304 for quite a major problem with this plugin... direct links seem to be blocked; a page refresh does fix it, but many users don't know that this fixes the error.
  • v3 rx
    Sat, Apr 6, 2019, 1:18 PM
    Dear Sir/Madam,

    I am new to 'SAML2 Single sign on'. I can install the plug-in 'SAML2 Single sign on' to moodle-3.5.5. I have filled in the parameters. However, I cannot see the link 'Login via SAML2'. Is there anything I have missed? Thanks!!!
  • Christian Poirier
    Wed, Apr 17, 2019, 2:23 AM
    Hi there

    Is there any person who has configured the plugin to use a SAML IdP discovery service (where more than one IdP can use the service)?
  • Dmitry Pupinin
    Thu, Apr 18, 2019, 5:47 PM
    Hi! Is there a way to reject login (and auto-creation of the user) for users who do not have certain groups at the IdP?
  • Aaron Johnson
    Thu, Apr 25, 2019, 10:28 PM
    Hello,

    I'm trying to install this plugin and it is not working. After uploading the zip file, it goes to the next page, but all I get is this:

    Install plugin from ZIP file
    Validating auth_saml2 ...

    and then it gets stuck. If I go to my plugin manager, it is not in the list. I also tried copying the unzipped folder directly into the auth folder on my server, but then the Site Admin page was just blank.

    Any ideas?

    Thanks,
    Aaron
  • Susan Mangan
    Tue, May 7, 2019, 5:51 AM
    Hello - we just implemented SSO with this plug-in (Moodle version 3.5.5) and I have a question regarding the logout function. It is not working for our external users (who have not logged into any other systems). I just wanted to clarify how this should be set up in the plug-in settings. There is a URL for alternate logout - it's not clear to me whether this should be populated or not. Does the plug-in attempt a log-out regardless of whether this field is updated with a path? Just trying to troubleshoot why logout is not working, starting with a simple configuration. Thanks in advance!!!!
  • Jeff Jones
    Thu, May 9, 2019, 5:31 AM
    Will this version work with 3.6?