Authentication: SAML2 SSO Auth

auth_saml2sso
Maintained by Picture of Daniel Miranda Daniel Miranda, Picture of AulaWeb Università di Genova AulaWeb Università di Genova
Authentication using exists SimpleSAMLphp Service Provider
318 sites
302 downloads
30 fans
107 sites
184 downloads
7 fans

SAML2 SSO Authentication using exists SimpleSAMLphp Service Provider


You'll need the following pre-requirement:

  • A working SimpleSAMLphp Service Provider (SP) installation (https://simplesamlphp.org) working means that the metadata from SP must be registered in Identity Provider (IdP). Can be found in /config/authsources.php
  • The absolute path for the SimpleSAMLphp installation on server
  • The authsource name from SP in which your users will authenticate against

There are a couple of related SAML plugins for Moodle. Below are the main diferences between this plugin, named as saml2sso, and the others. 

The key for this plugin is that you can use your exists Service Provider (SP) without need to exchange the metadata with the Identity Provider (IdP) for every new Moodle instances. (for instances in the same host name)


The following options can be set in config:

  • SimpleSAMLphp installation path
  • Dual login (Yes/No) - Can login with manual accounts like admin
  • Single Sign Off (Yes/No) - Should we sign off users from Moodle and IdP?
  • Username mapping - Which attribute from IdP should be used for username
  • Username checking - Where to check if the username exists
  • Auto create users - (Allow create new users)
  • SP source name (generally default-sp in SimpleSAMLphp)
  • Logout URL to redirect users after logout
  • Allow users to edit or not the profile
  • Ability to break the full name from IdP into firstname and lastname

To bypass the authentication and login directly in Moodle (ex.: using admin account), add the saml=off parameter in the URL (ex.: https://my.moodle/login/index.php?saml=off)

Screenshots

Screenshot #0
Screenshot #1

Contributors

Picture of Daniel Miranda
Daniel Miranda (Lead maintainer)
Picture of AulaWeb Università di Genova
AulaWeb Università di Genova
Please login to view contributors details and/or to contact them

Comments RSS

Show comments
  • Picture of Daniel Miranda
    Fri, Apr 6, 2018, 4:43 AM
    Harold Yung, it seems you have a SimpleSAMLphp issue.

    Do you have a proper SimpleSAMLphp Service Provider in the same host name as Moodle? (https://xxx/moodle)
    In my understood you are trying to redirect users from Moodle directly to Identity Provider.

    In my environment I have a SimpleSAMLphp Service Provider in the same host name as Moodle.
    Ex.:
    My Moodle is hosting in https://moodle.dev
    My Service Provider is hosting in https://moodle.dev/sso/
    and my Identity Provider is hosting in https://idp.dev/sso

    when users try to access Moodle, the auth_saml2sso plugin require authentication from my Service Provider and then users are redirected to IdP.

    About the session.cookiename I leave as default 'SimpleSAML'
  • Picture of Harold Yung
    Fri, Apr 13, 2018, 11:01 AM
    Hi Daniel,

    Yes, the SimpleSAMLphp Service Provider is at the same host as Moodle.
    My Moodle: https://moodle.mydomain/moodle34/
    My SimpleSAMLphp: https://moodle.mydomain/simplesaml/
    My Identity Provider: https://websso.subdomain.mydomain/adfs/

    I try to change session.cookiename but it does not work. If any way to further check?

    Thank you very much!
  • Picture of Ketan Ajudiya
    Thu, Jun 7, 2018, 9:04 PM
    Hi Daniel Miranda,

    I am new to moodle and i am trying to implement SSO to my website.
    so I have setup moodle on my server and installed plugin "SAML2 SSO Auth"
    and then I have setup "SimpleSAMLphp Service Provider" on my server, all great till now.
    But when i enabled plugin and setup things which plugin requires, i wont able to access moodle at all even i can not able to login to moodle admin? also moodle login screen look messy. it was all correct before plugin activated.
    when i try to login in moodle it redirect me to "SimpleSAMLphp" (setup on server) login screen and I am not sure which username/password it accepts.
    I have tried my website user login details but it says "Incorrect username or password" not sure what to do.
    since i am new to this, am i doing something wrong? or missing to add some settings?
    Please guide as i am not able to access moodle as a user or admin.

    what I am expecting is to setup that when user login to my website and when click on Moodle link placed on my website it should not ask any login details and directly login to Moodle. is it possible with this plugin? please give some details how to achieve my goal.

    Thank you,
  • Picture of Ketan Ajudiya
    Thu, Jun 7, 2018, 9:07 PM
    sorry forgot to mentioned versions.
    I am on moodle 3.5 and SimpleSAMLphp 1.15.4
  • Picture of Péter Lukács
    Tue, Aug 7, 2018, 2:15 PM
    Problems with the latest 3.5 release. It seems that the release v3.5-r00 is a renamed v3.4-r02 without any modifications. Can you fix it? Thanks.
  • Picture of Rodney Lanuzga
    Wed, Sep 26, 2018, 12:41 AM
    Hi,

    I have some issue with version 3.0 r12.

    The installation and configuration of the plugin went good until i test the SSO login.
    The moment i log in get from simplesaml (version 1.14.4) a state information lost error (SimpleSAML_Error_NoState: NOSTATE).

    When i test the authentication in Simplesaml the authentication and all works just fine.
    Is there a configuration i am missing to find the session when i log in?
  • Picture of Rodney Lanuzga
    Fri, Sep 28, 2018, 9:42 PM
    Hi,

    I have debugged version 3.0 R12 and i found out during several test why there is a no state error.
    The moment you to the https://mymoodlesite.com it creates a Session ID 123456 and redirects you to the SSO. Afterwards you log in and you will get a No state error, but the reason why this happens is that the session ID after you logged in through the SSO deviates with the Session ID before.

    So i was wondering am i missing a configuration in Simplesaml to complete the authentication process or is this a bug in the plugin?
  • Picture of Alain Raap
    Fri, Dec 21, 2018, 11:13 PM
    Hi Daniel,

    I'm using your plugin for a little POC and saw a message in the error_log of my webserver:

    [Fri Dec 21 16:04:17.688211 2018] [proxy_fcgi:error] [pid 19253] [client ::1:39528] AH01071: Got error 'PHP message: simplesamlphp WARNING [9d864cbda7] The class or interface 'SimpleSAML_Auth_Simple' is now using namespaces, please use 'SimpleSAML\\Auth\\Simple'.\n'


    In your auth.php I changed this and then the warning disappeared from my error_log:

    79 /**
    80 * Load SimpleSAMLphp library autoloader
    81 */
    82 private function getSSPauth() {
    83 require_once $this->config->sp_path . DIRECTORY_SEPARATOR . 'lib' . DIRECTORY_SEPARATOR . '_autoload.php';
    84
    85 //return new SimpleSAML_Auth_Simple($this->config->entityid);
    86 return new \SimpleSAML\Auth\Simple($this->config->entityid);
    87 }
  • Picture of AulaWeb Università di Genova
    Sat, Dec 22, 2018, 8:15 PM
    Hi Alain,
    which version of the plugin are you using? The method has been update since June 2018 at least.
  • Picture of Alain Raap
    Mon, Jan 7, 2019, 6:14 PM
    I used to version of may 2018, I see there's a new version, so I'll download the new version here
  • Picture of Alain Raap
    Mon, Jan 7, 2019, 8:27 PM
    I installed the latest version, but this broke my working SSO environment. What has changed in this latest version?
  • Picture of AulaWeb Università di Genova
    Tue, Jan 8, 2019, 2:45 AM
    Hi Alain,
    I need some clue... error messages, screenshoots, ecc... Could you move to GitHub and opening a a issue? It is easier to track than this forum.
  • Picture of Alain Raap
    Wed, Jan 9, 2019, 10:05 PM
    I sent you a PM about the issue
  • Picture of karthik Soundararajan
    Fri, Feb 22, 2019, 4:03 PM
    Plugin install was successful. However when I navigate to plugin overview to verify the plugin, then it displays a message "missing from disk" and settings link is invisible.

    Moodle ver. 3.6
    plugin version - 2018121500
    plugin release = '3.5.3'
  • Picture of AulaWeb Università di Genova
    Mon, Apr 1, 2019, 7:37 PM
    Hi Karthik,
    have you unzip the plugin files into the <$moodle_home>/auth/saml2sso/ folder?

    If you unzip as-is the file you downloaded from Github, it will create a directory named
    moodle-auth_saml2sso-master
    resulting the error you reported.
    You have to rename it saml2sso.
1 2 3 4 5
Please login to post comments