Skip to content

radzisze/moodle-auth_saml2sso

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

73 Commits
.github/ISSUE_TEMPLATE
.github/ISSUE_TEMPLATE
 
 
classes/task
classes/task
 
 
db
db
 
 
lang
lang
 
 
pix
pix
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
auth.php
auth.php
 
 
settings.php
settings.php
 
 
version.php
version.php
 
 

Repository files navigation

SAML2 Authentication using exists SimpleSAMLphp Service Provider

You'll need the following pre-requirement:

  • A working SimpleSAMLphp Service Provider (SP) installation (https://simplesamlphp.org) working means that the metadata from SP must be registered in Identity Provider (IdP). Can be found in /config/authsources.php
  • The absolute path for the SimpleSAMLphp installation on server (autodetected if the Apache enviroment variable is set)
  • The authsource name from SP in which your users will authenticate against

You are strongly encouraged to use a SimpleSAMLphp session storage other than the default phpsession.

There are a couple of related SAML plugins for Moodle. Below are the main diferences between this plugin, named as auth_saml2sso, and the others

  • auth_saml - There's no compatible version with Moodle 3.0+. The code is obsolete and the plugin go beyond the purpose of a authentication plugin, mixing auth and enrol rules.
  • auth_saml2 - It's a complete solution for those that don't have a working SP installation, but, because it generate its own SP, for every single instance of Moodle that you install, you must exchange the metadata with the owner of the IdP. In a environment that there are more than one IdP, this is unpractical.

The key for this plugin is that you can use your exists Service Provider (SP) without needed to exchange the metadata with the Identity Provider (IdP) for every new Moodle instances. (for instances in the same host name)

The following options can be set in config:

  • SimpleSAMLphp installation path
  • Dual login (Yes/No) - Can login with manual accounts like admin
  • Single Sign Off (Yes/No) - Should we sign off users from Moodle and IdP?
  • Username mapping - Which attribute from IdP should be used for username
  • Username checking - Where to check if the username exists
  • Auto create users - Allow create new users
  • SP source name - Generally default-sp in SimpleSAMLphp
  • Logout URL to redirect users after logout
  • User synchronization source (see below)
  • Allow users to edit or not the profile
  • Ability to break the full name from IdP into firstname and lastname

To override the authentication and login directly in Moodle (ex.: using admin account), add the saml=off parameter in the URL (ex.: https://my.moodle/login/index.php?saml=off)

User synchronization

SAML-based authentication services couldn't provide a user list suitable for users synchronization. But, in scenarios with a single IdP within the same organization (no discovery nor federation) is common that the IdP uses LDAP or a SQL DB as authentication backend.

You can configure the LDAP or DB Moodle auth plugin in order to access to that backend, leaving the plugin itself disabled, and configure SAML2 SSO auth to obtain user list from it.

The option 'Takeover existing users' provides an easy way to migrate a Moodle system from LDAP (or DB) to SAML-based SSO. User conversion will run as a scheduled task.

About

Moodle plugin for authentication using a SimpleSAMLphp Service Provider

moodle.org/plugins/auth_saml2sso

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

19 tags

Packages

No packages published

Languages

  • PHP 98.5%
  • Gherkin 1.5%