Skip to content
Branch: master
Find file Copy path
Find file Copy path
2 contributors

Users who have contributed to this file

@pitbulk @janmeier
102 lines (73 sloc) 5.07 KB
SAML Authentication for Moodle
SAML for Moodle is an open-source implementation for federated identity-based authentication infrastructure based on Security Assertion Markup Language (SAML) that allows the Moodle users log in through simpleSAMLphp.
This plugin add SAML support to Moodle (SP) and require a [simpleSAMLphp instance to be configured as SP](
It works with 3.4, 3.5 and 3.6
The external support for course/role mapping was removed on the version released on 2019 that works with Moodle 3.5
and course and role mapping is now saved as Moodle settings rather than as an indepedent database table.
Install Instruction
1. Unpack this directory into a /auth/saml directory as you would for any Moodle auth module
2. Login to Moodle as an administrator, and activate the module by navigating
Site administration->Plugins->Manage authentication->SAML Authentication
3. Let priivileges to the server user to write over the auth/saml/saml_config.php
After the installation we must configure the saml plugin, so go to "Settings"
if you are in "Manage Authentication" page, or you can also go to
Users > Authentication > SAML Authentication. These are the fields of thi
- simpleSAMLphp Path: it will not work unless you specify the saml library
path. This refers to the library path for the simpleSAMLphp environment
you want to use. For example: /var/simplesamlphp/lib
- SAML username mapping: it is a SAML attribute that will be mapped to
the Moodle username. By default, this attribute will be set to 'mail'.
- Single Log out: Enable/disable the single logout. This will log out you
from moodle, identity provider and all conected service providers
- SAML Image: when you enable the SAML authentication plugin, a new
button will be shown in the login Moodle page that allows to authenticate
via SAML. By default, the simpleSAMLphp image (something like a fish) will
be shown, but you can specify another one you want to use.
Note: this image needs to exist in the server as it is not possible to
upload an image through the form right now.
- SAML login description: you can also specify a description text for the
previous button. This description will be shown below the SAML image in
the login Moodle page.
- Log file path: this is the absolute path of a file where the
plugin will log information about its actions. It is optional.
- Hook file path: this is the absolute path of a file with php functions
that will be called to alter the default behaviour of this plugin. See
the file custom_hook.php for more information.
- SAML support Courses: You will need to configure the Curse and Role mapping if you plan to use the enrol/saml plugin. This select has three options:
- No suport (default value): the plugin will not define course/role mapping (enrol/saml plugin not installed, support for enrolling the user into courses automatically not required).
- Internal: the plugin will use an internal database table to map
the courses in the next field with Moodle courses
- Synchronize users from module: The SAML module does not have direct support for synchronizing users, because SAML does not allow querying for all users at once. However, your underlying identify provider might support it (LDAP does for example). This option lists all enabled plugins which have a `sync_users` function. This means that we will use that plugin's code to fetch the user data, but the users will be created with auth='saml'
- SAML courses mapping: it is a SAML attribute that is mapped to Moodle
courses data. By default, it is set to 'schacUserStatus'.
- SAML System role mapping: it is a SAML attribute that is mapped to Moodle
system role info of the user.
- Ignore inactive courses: if this field is checked the user will stay
in previous enrolled courses even if the status of the course is
inactive in the SAML attribute.
- Data Mapping section:
The Identity Provider (IdP) provides some user's data such as the first
name, surname, email address, etc. In this section, you can specify the
correspondence with the same data in Moodle. By default, the configuration
is set as is shown below:
First name = cn
Surname = sn
Email Address = mail
- Role Mapping section:
The Identity Provider (IdP) provides info about the system role to be added,
or the role to be assigned during the enrollment process. In this section,
you can specify the correspondence.
- Course Mapping section:
The Identity Provider (IdP) provides info about the courses but the name used
on the IdP can differ from the one used at Moodle. In this section,
you can specify the correspondence.
You can’t perform that action at this time.