Authentication: SAML2 Single sign on

auth_saml2
Maintained by Catalyst IT, Brendan Heywood, Rossco Hellmans, kristian r
SAML done 100% in moodle, fast, simple, secure
1426 sites
1k downloads
63 fans

What is this?

This plugin handles authentication and user auto-creation, with SAML attribute to Moodle user field mapping.

Why is it better?

  • 100% configured in the Moodle GUI - no installation of a whole separate app, and no touching of config files or generating certificates.
  • Minimal configuration needed, in most cases just copy the IdP metadata in and then give the SP metadata to your IdP admin and that's it.
  • Fast! - 3 redirects instead of 7
  • Supports back channel Single Logout which most big organisations require (unlike OneLogin)

How does it work?

It completely embeds a SimpleSamlPHP instance as an internal dependency, which is dynamically configured the way it should be and inherits almost all of its configuration from the Moodle configuration. In the future it should be possible to swap in a different internal SAML implementation without the plugin GUI needing to change at all.

Features

  • Dual login vs forced login for all as an option: with dual login on, ?saml=off on the login page shows the form for manual accounts, and ?saml=on is supported everywhere to deep link and force login via SAML.
  • SAML attributes to Moodle user field mapping
  • Automatic certificate creation
  • Optionally auto create users

Features not yet implemented:

  • Enrolment - this should be an enrol plugin and not in an auth plugin
  • Role mapping - not yet implemented

Installation

1) Install the plugin the same as any standard Moodle plugin, either via the Moodle plugin directory or by using git to clone it into your source tree:

git clone git@github.com:catalyst/moodle-auth_saml2.git auth/saml2

2) Then run the Moodle upgrade.

3) If your IdP has a publicly available XML descriptor, copy its URL into the SAML2 auth config settings page.

4) If your IdP requires whitelisting each SP, the settings page has links to download the SP metadata XML, or you can provide that URL to your IdP administrator.

For most simple setups this is enough to get authentication working; there are many more settings that define how new accounts and dual authentication are handled, and that make it easy to debug the plugin if things are not working.
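Before pasting IdP metadata into the settings page (step 3 above), it is worth confirming that the document is actually IdP metadata and carries everything the SP side needs: an entityID, a SingleSignOnService endpoint on a binding the SP can use, a SingleLogoutService endpoint (without one, single logout cannot work), and a signing certificate. The script below is an added example and not part of auth_saml2 or SimpleSAMLphp; the sample metadata and the certificate bytes inside it are constructed placeholders, not a real IdP or a real X.509 certificate.

```python
"""Pre-check an IdP metadata document before handing it to a SAML SP.

Added example (not plugin code). Parses SAML 2.0 metadata with the standard
library only and reports the values an SP such as auth_saml2 depends on.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: NOT a real certificate, just bytes to fingerprint.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed-placeholder-not-a-real-certificate").decode()

# Constructed sample IdP metadata, shaped like what a Shibboleth IdP publishes.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.test/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.test/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".encode()


def parse_idp_metadata(xml_bytes: bytes) -> dict:
    """Extract entityID, SSO/SLO endpoints and signing-cert fingerprints."""
    root = ET.fromstring(xml_bytes)  # raises ET.ParseError on malformed XML
    # Metadata may be a bare EntityDescriptor or a federation-style
    # EntitiesDescriptor wrapping several; use the first entity with an IdP role.
    entity_tag = f"{{{NS['md']}}}EntityDescriptor"
    for entity in root.iter(entity_tag):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            break
    else:
        return {"entity_id": None, "sso": {}, "slo": {}, "signing_fingerprints": []}

    def endpoints(tag: str) -> dict:
        # Map each endpoint's Binding URI to its Location.
        return {e.get("Binding"): e.get("Location") for e in idp.findall(f"md:{tag}", NS)}

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {
        "entity_id": entity.get("entityID"),
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
        "signing_fingerprints": fingerprints,
    }


def check_idp_metadata(xml_bytes: bytes) -> list:
    """Return a list of problems; an empty list means the document looks usable."""
    try:
        info = parse_idp_metadata(xml_bytes)
    except ET.ParseError as exc:
        return [f"metadata is not well-formed XML: {exc}"]
    if info["entity_id"] is None:
        return ["no IDPSSODescriptor found: this is not IdP metadata (SP metadata or an HTML page?)"]
    problems = []
    if not (info["sso"].get(HTTP_REDIRECT) or info["sso"].get(HTTP_POST)):
        problems.append("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")
    if not info["slo"]:
        problems.append("no SingleLogoutService: single logout cannot work with this IdP")
    if not info["signing_fingerprints"]:
        problems.append("no signing certificate: responses from this IdP could not be verified")
    for loc in list(info["sso"].values()) + list(info["slo"].values()):
        if not (loc or "").startswith("https://"):
            problems.append(f"endpoint is not https: {loc}")
    return problems


if __name__ == "__main__":
    # Usage: python check_idp_metadata.py < idp-metadata.xml (or run as-is on the sample)
    import sys
    data = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE_METADATA
    print(parse_idp_metadata(data) if not check_idp_metadata(data) else check_idp_metadata(data))
```

Run it with the metadata your IdP admin sent you on standard input; an empty problem list means the document contains what the settings page expects, and the printed signing-certificate fingerprints can be compared against what the IdP admin quotes before trusting the file. If your IdP publishes an EntitiesDescriptor with several entities, the check reports only the first one that carries an IdP role.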

If you have issues please log them on GitHub here:

https://github.com/catalyst/moodle-auth_saml2/issues

Or if you want paid support please contact Catalyst IT Australia:

https://www.catalyst-au.net/contact-us

Testing

This plugin has been tested against:

  • SimpleSamlPHP set up as an IdP
  • openidp.feide.no
  • testshib.org
  • An AAF instance of Shibboleth

Other SAML plugins

The number, variable quality and differing features of SAML Moodle plugins reflect both a great need for a solid SAML plugin and the neglect to do it properly in core. SAML2 is by far the most robust and widely supported protocol across the internet and should be fully integrated into Moodle core as both a Service Provider and an Identity Provider, without any external dependencies to manage.

Here is a quick run down of the alternatives:

Core:

  • /auth/shibboleth - This requires a separately installed and configured Shibboleth installation

One big issue with this, and with the category below, is that there is a whole extra application between Moodle and the IdP, so the login and logout processes have more latency due to the extra redirects. Latency on potentially slow mobile networks is by far the biggest bottleneck for login speed and, in our experience, the biggest complaint from end users.

Plugins that require SimpleSamlPHP:

These are all forks of each other, and unfortunately diverged quite early or have no common git history, making it difficult to cross-port features or fixes between them.

Plugins which embed a SAML client lib:

These are generally much easier to manage and configure as they are standalone.

  • https://moodle.org/plugins/view/auth_onelogin_saml - This one uses its own embedded SAML library, which is great and promising; however it doesn't support 'back channel logout', which is critical for security in any large organisation.

  • This plugin, with an embedded and dynamically configured SimpleSamlPHP instance under the hood

Warm thanks

Thanks to the various authors and contributors to the other plugins above.

Thanks to LaTrobe University in Melbourne for sponsoring the initial creation of this plugin:

http://www.latrobe.edu.au

Thanks to Centre de gestion informatique de l’éducation in Luxembourg for sponsoring the user autocreation and field mapping work:

http://www.cgie.lu

This plugin was developed by Catalyst IT Australia:

https://www.catalyst-au.net/


Contributors

Catalyst IT (Lead maintainer)
Brendan Heywood: Solutions Architect
Rossco Hellmans: Developer
kristian r: Developer
Adam Riddell: Developer
Daniel Thee Roperto: Developer

Comments

  • Matt Polaniecki
    Fri, Nov 22, 2019, 2:57 AM
    How can I disable the standard Moodle login when using SAML2? I set the dual-login to "no" but it still appears.
  • Praj Basnet
    Fri, Nov 22, 2019, 4:22 AM
    Also make sure the plugin is enabled under Site administration > Plugins > Authentication > Manage authentication
  • Sunil Anthony
    Sat, Feb 1, 2020, 1:35 AM
    Just trying to find out if this plugin will cause any SAML SSO problems when Google Chrome 80 releases on February 04, 2020? Google Chrome 80 will enforce SameSite cookies attribute to be specified.
  • Angela Grollmisch
    Tue, Mar 10, 2020, 10:44 PM
    It looks like there could be an issue with the newest version of Chrome. Unfortunately, we cannot reproduce with all users, but only with some few users.
  • George Schaathun
    Tue, Apr 7, 2020, 3:06 PM
    I used SAML2 with great success last semester (Moodle 3.5 and SimpleSAMLphp version
    auth_saml2 | sspversion
    1.15.4). Upgrading Moodle to 3.8, it still works.

    However, I am trying to duplicate the setup to a new server, running Moodle 3.8 and the latest SAML2 (1.17.7). Now I get
    Exception - Failure Signing Data: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error - SHA256

    Does anyone know what causes such error? Missing dependency?
    I checked with the idP, and apparently, the idP is never contacted.
    I do notice that there is a new key entry in the SAML2 config page in the last version. Does that need attention?
  • Praj Basnet
    Tue, Apr 7, 2020, 3:13 PM
    Perhaps something to do with the certs stored in the file store/data directory in the saml2/ folder; sometimes it helps to clear these out (the IdP XML) and re-save the plugin configuration.
  • George Schaathun
    Tue, Apr 7, 2020, 4:01 PM
    Thank you, but no luck. My guess would be a problem signing own data, rather than validating the signature of the idP. I could of course try regenerating the SP metadata, but since I need to call on the idP admin, I'd rather not do it before I am confident it is the right approach.
  • Praj Basnet
    Tue, Apr 7, 2020, 4:12 PM
    Yes that's probably the issue and you'll need the IdP admin to reload the SP configuration to fix it I'm thinking.
  • Marcus Huzell
    Wed, Apr 15, 2020, 9:59 PM
    Hi,
    I'm trying to use this plugin with my moodle instance but I don't understand what this line is supposed to be set to: $CFG->auth_saml2_disco_url = '';

    I also get an error when I try to log in saying "Redis server went away". Anyone know what that means?
    The Redis server is fine.

    Appreciate any help!
    Thanks
  • Daniel Rodriguez
    Tue, Apr 21, 2020, 10:04 PM
    Hi. I am trying to use your plugin for the moodle app. But I have two problems. When I start the app and go to the login web page, after logging in it doesn't redirect the app again, is there some kind of configuration that the plugin needs?
    I am also trying to configure the auto creation of users, the attributes are incorporated correctly, but the user isn't created, it sends me to the user modification website. I have read in your github about this problem and you recommend changing the user provisioning process, but I don't understand, what do you mean by that.

    Thanks for your attention and time.
  • Agi Pasieka
    Fri, May 22, 2020, 11:17 PM
    Hi,
    I am unable to install this plugin on version 3.8. It is a Debian VM on Azure. After I enabled debugging it gave me the "maximum execution time of 30 seconds exceeded" so I have increased it to 160 in PHP config file and now the page just throws "This page isn't working..... didn't send any data....ERR_EMPTY_RESPONSE". I have no issues with any other plugins.
    Thanks for any suggestions.
  • Wazza
    Fri, May 29, 2020, 9:43 PM
    If I try to add the URL of my ADFS in 'IdP metadata xml OR public xml URL' I get the error: Invalid metadata at https://fs.myhz.nl/federationmetadata/2007-06/federationmetadata.xml (ADFS 2016 server). What can be wrong here? If I download the XML and copy and paste it in the same field, I can authenticate...
  • Kyle Sellers
    Sat, Jul 11, 2020, 4:50 AM
    We have been trying to install this from Moodle. I can upload the zip file but it appears to be hanging up Validating the file. We have waited about an hour and the screen still says Validating auth_saml2
  • Kyle Sellers
    Tue, Jul 28, 2020, 2:36 AM
    Trying to install from the UI Gets stuck here:
    Install plugin from ZIP file
    Validating auth_saml2 ...
    We are running Moodle 3.9.1 (Build: 20200713)
  • Jan Derriks
    Tue, Sep 15, 2020, 4:05 PM
    It seems this plugin destroys some of the features of the underlying SimpleSamlphp lib.
    Like changing the value of an attribute with the AttributeAlter filter.
    Where do you put extra authproc filters to change the value of an attribute?