SAML2 Authentication using an existing SimpleSAMLphp Service Provider
You'll need the following prerequisites:
- A working SimpleSAMLphp Service Provider (SP) installation (https://simplesamlphp.org). "Working" means the SP's metadata has already been registered with the Identity Provider (IdP). The SP configuration lives in config/authsources.php.
- The absolute path of the SimpleSAMLphp installation on the server (autodetected if the Apache environment variable is set)
- The name of the authsource in the SP that your users will authenticate against
You are strongly encouraged to use a SimpleSAMLphp session storage other than the default phpsession: SimpleSAMLphp runs inside Moodle's PHP process, and with phpsession both end up sharing PHP's session handling, which can produce session conflicts. A separate store (e.g. sql or memcache, selected with store.type in config/config.php) keeps the two apart.
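As an added example (not part of this README and not files shipped by the plugin or by SimpleSAMLphp), the two SimpleSAMLphp configuration fragments that matter for this setup are shown below in one listing: the session store in config/config.php, with the default phpsession setting left commented out next to the recommended SQL store, and the SP authsource in config/authsources.php whose name is what the plugin's "SP source name" setting refers to. The entity IDs, host names, key file names and database credentials are placeholders.

```php
<?php
// ---- config/config.php (excerpt): SimpleSAMLphp session storage ----
// Constructed example; host names and credentials are placeholders.

// DEFAULT (avoid): SimpleSAMLphp's session is kept in PHP's own session,
// the same mechanism Moodle uses, so the two can interfere.
// $config['store.type'] = 'phpsession';

// RECOMMENDED: keep the SimpleSAMLphp session in its own store, fully
// independent of Moodle's session ('memcache' or 'redis' work too).
$config['store.type']         = 'sql';
$config['store.sql.dsn']      = 'mysql:host=localhost;dbname=simplesamlphp';
$config['store.sql.username'] = 'simplesamlphp';
$config['store.sql.password'] = 'change-me';

// The SSO session cookie carries the authenticated state: only send it
// over TLS, and never expose it to scripts.
$config['session.cookie.secure']   = true;
$config['session.cookie.httponly'] = true;

// ---- config/authsources.php (excerpt): the SP authsource ----
// The array key ("default-sp") is exactly the value you enter in the
// plugin's "SP source name" option. One SP entity per host name is
// enough: every Moodle instance on moodle.example.org reuses it, so the
// IdP only ever needs this single set of SP metadata.
$config = [
    'default-sp' => [
        'saml:SP',
        'entityID'    => 'https://moodle.example.org/sp',            // placeholder
        'idp'         => 'https://idp.example.org/saml2/idp/metadata.php', // placeholder
        'privatekey'  => 'sp.pem',   // in cert/, used to sign requests
        'certificate' => 'sp.crt',   // the public half, published in SP metadata
        // Sign what we send so the IdP can reject forged AuthnRequests
        // and LogoutRequests.
        'sign.authnrequest' => true,
        'sign.logout'       => true,
    ],
];
```

After changing the authsource (entityID, certificate), the SP metadata changes and has to be re-registered with the IdP once; adding another Moodle instance on the same host does not.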
There are a couple of related SAML plugins for Moodle. Below are the main differences between this plugin, auth_saml2sso, and the others:
- auth_saml - There is no version compatible with Moodle 3.0+. The code is obsolete, and the plugin goes beyond the purpose of an authentication plugin by mixing authentication and enrolment rules.
- auth_saml2 - A complete solution for those who don't have a working SP installation. But because it generates its own SP, you must exchange metadata with the owner of the IdP for every single Moodle instance you install. In an environment with more than one IdP this is impractical.
The key point of this plugin is that you can reuse your existing Service Provider (SP) without exchanging metadata with the Identity Provider (IdP) for every new Moodle instance (as long as the instances share the same host name).
The following options can be set in the plugin configuration:
- SimpleSAMLphp installation path
- Dual login (Yes/No) - Allow login with manual accounts such as admin
- Single Sign Off (Yes/No) - Whether to sign users off from both Moodle and the IdP (SAML Single Logout) or only from Moodle
- Username mapping - Which attribute from the IdP should be used as the username
- Username checking - Where to check whether the username exists
- Auto create users - Allow the creation of new users on first login
- SP source name - Generally default-sp in SimpleSAMLphp
- Logout URL to redirect users to after logout
- User synchronization source (see below)
- Whether users are allowed to edit their profile
- Ability to split the full name from the IdP into firstname and lastname
To bypass SAML and log in directly with a Moodle manual account (e.g. the admin account), add the
saml=off parameter to the login URL (e.g. https://my.moodle/login/index.php?saml=off).
Any account that can be used this way is protected only by its Moodle password, so keep manual accounts to a minimum and give them strong passwords.
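To make the options above and the saml=off override concrete, here is an added example of how an application that sits next to an existing SimpleSAMLphp SP consumes that SP through the SimpleSAMLphp Auth\Simple API. It is illustrative code written for this README, not the plugin's own source: the $sspPath and $cfg values, the attribute names (uid, mail, givenName, sn, cn) and the lib/_autoload.php location (SimpleSAMLphp 1.x layout) are assumptions, and the Moodle-side user lookup/creation is left out.

```php
<?php
// Added example, not the auth_saml2sso plugin's code. All values in
// $sspPath and $cfg are assumptions that mirror the plugin's options.
$sspPath = '/var/simplesamlphp';                 // "SimpleSAMLphp installation path"
$cfg = [
    'dual_login'     => true,                     // "Dual login"
    'single_logout'  => true,                     // "Single Sign Off"
    'sp_source'      => 'default-sp',             // "SP source name"
    'username_attr'  => 'uid',                    // "Username mapping"
    'split_fullname' => true,                     // split "cn" into first/last
    'logout_url'     => 'https://moodle.example.org/', // "Logout URL"
];

require_once $sspPath . '/lib/_autoload.php';   // SimpleSAMLphp 1.x path (assumption)

// ?saml=off lets a Moodle manual account (e.g. admin) log in without the
// IdP. Only honour it when dual login is enabled; otherwise anyone could
// skip SSO just by adding the parameter.
function samlBypassRequested(array $query, array $cfg): bool
{
    return $cfg['dual_login'] && (($query['saml'] ?? '') === 'off');
}

// Turn the attribute set released by the IdP into a Moodle-style user
// record. SimpleSAMLphp returns every attribute as an array of values.
function mapUser(array $attributes, array $cfg): array
{
    $attr = $cfg['username_attr'];
    if (empty($attributes[$attr][0])) {
        // Never fall back to a guessed username: refuse the login instead.
        throw new RuntimeException("IdP did not release required attribute '$attr'");
    }
    $user = [
        'username'  => strtolower(trim($attributes[$attr][0])),
        'email'     => $attributes['mail'][0] ?? '',
        'firstname' => $attributes['givenName'][0] ?? '',
        'lastname'  => $attributes['sn'][0] ?? '',
    ];
    // Some IdPs only send a full name (cn); optionally split it.
    if ($cfg['split_fullname'] && $user['firstname'] === '' && !empty($attributes['cn'][0])) {
        [$user['firstname'], $user['lastname']] = splitFullName($attributes['cn'][0]);
    }
    return $user;
}

// First whitespace-separated token is the first name, the rest the last name.
function splitFullName(string $full): array
{
    $parts = preg_split('/\s+/', trim($full));
    $first = array_shift($parts);
    return [$first, implode(' ', $parts)];
}

if (samlBypassRequested($_GET, $cfg)) {
    return; // fall through to Moodle's normal username/password form
}

$as = new \SimpleSAML\Auth\Simple($cfg['sp_source']);
$as->requireAuth();                    // redirects to the IdP if there is no SP session
$user = mapUser($as->getAttributes(), $cfg);
// ... here Moodle would look $user up by username, or create it if
//     "Auto create users" is enabled ...

// On logout: with Single Sign Off enabled, also end the IdP session via
// SAML Single Logout and land on the configured URL; otherwise only the
// local Moodle session would be dropped.
if ($cfg['single_logout']) {
    $as->logout(['ReturnTo' => $cfg['logout_url']]);
}
```

The point worth checking in your own deployment is the order of the two checks: the bypass must be evaluated before requireAuth(), and it must be gated on the dual-login setting, or the SSO requirement is only advisory.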
A SAML IdP does not provide a user list suitable for user synchronization. But in scenarios with a single IdP within the same organization (no discovery nor federation), it is common for the IdP to use LDAP or a SQL database as its authentication backend.
You can configure Moodle's LDAP or DB auth plugin to access that backend, leaving that plugin itself disabled, and configure SAML2 SSO auth to obtain the user list from it.
The option 'Takeover existing users' provides an easy way to migrate a Moodle site from LDAP (or DB) authentication to SAML-based SSO. User conversion runs as a scheduled task.