I have a moodle install on box A, and a simpleSAML install on box B. I would like to be able to use simpleSAML to authenticate my users.
I've been trying to configure the plugin from: http://code.google.com/p/simplesamlphp-moodle/ without any luck. I've set the entity ID to what I am seeing in the simpleSAMLphp Metadata page.
The same setup is being used successfully with Google Apps for SSO, but I can't seem to figure out what to put in Moodle. I'm expecting to see something where I enter into simpleSAML a moodle URL to allow both systems to talk, but I'm not seeing that.
Any tips?
--
Randy Saeks
Network & Server Administrator
Northbrook / Glenview School District 30
Twitter: rsaeks
--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To post to this group, send email to simple...@googlegroups.com.
To unsubscribe from this group, send email to simplesamlph...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/simplesamlphp?hl=en.
That helps a bunch, thank you! The only last question I have is in
regards to the needed paths. The config and lib are on a remote machine
hosting the IdP. Can I copy over those files to the local machine, or
should I really be running the service (moodle in this case) on the same
box as the IdP as well?
Thanks for your fast response!
That's not possible. Moodle cannot use the simpleSAML API unless the
simpleSAML code is available to the application.
-peter
I think the simpleSAMLphp config and lib directories in the moodle plugin
are there to tell Moodle where the simpleSAMLphp used by the SP is....
So you need to install a clean simplesamlphp on the moodle server to
give it all the dependencies to talk SAML with your REMOTE idp...
Stefano.
Yes, you need Simplesamlphp-SP and Moodle running on the same machine
and connect them with an IdP.
Here in Andalusia we have an Identity Federation called CONFIA that
connects some University IdPs with some LMS Services: Moodle, WebCT,
Ilias.
Our Moodle plugin works with the 1.5.1 Simplesamlphp SP version and is a
bit different than the official Moodle version, but I think it has more
functionality.
If you want to check it I will end the documentation soon and publish
it.
Thanks for the info. I used your plugin and got things going. The most
recent stable moodle to a simplesaml 1.5.1 IdP.
Was there anything you had to configure for the Moodle "logout" process
to kill your SAML session as well? Right now when I do the logout via
moodle, it kills my moodle session, but keeps other SAML services logged
in. The second service uses a SAML logout page of:
https://HOST/sso/saml2/idp/initSLO.php?RelayState=/sso/logoaut.php
Can I just change the coding of logout to direct to that URL or is there
something in the config file I can use to specify the saml logout URL?
I have “Log out from IdP” checked, and when clicking “logout” from the moodle page, but it is still keeping my other SAML sessions alive. This is what I have found so far:
Can initiate a SAML request from either Moodle or Google Apps. Once logging in via either service, I am authenticated to both. (As expected)
When I click logout from Moodle, my Moodle SAML session is ended. Google Apps is still alive. (Not as expected – should kill both sessions)
When I click logout from Google Apps, both sessions are ended. (As expected)
Moodle is running w/ SAML 1.5.1 as a SP. Google is configured as a SP.
The IdP is sitting on a different box from the two, on 1.5.1.
Randy
As far as I'm aware, you don't have to use the same cookie name, although you can run into different behaviour as to whether you are using memcache for session store or not (for ssphp).
Cheers.
On 5 March 2010 16:19, Randall Saeks <rsa...@district30.org> wrote:
Could it be anything to do with cookies? I set an 8 hour cookie with Google Apps to keep the session alive for a bit. Would I need to configure the SP on moodle to also use a cookie with the same cookie name?
On Thu, Mar 4, 2010 at 9:01 PM, Piers Harding <piers....@gmail.com> wrote:
Hi -
I couldn't say for sure what the problem is with out seeing, but you already have a problem with Google Apps, as it can only handle IdP initiated logout.
However - it should work, so I would switch on the IdP debug and start checking things like duplicate sessions, and what the Moodle SP actually communicates. Let me know what you find.
Cheers,
Piers Harding.
On 5 March 2010 15:45, Randy Saeks <rsa...@district30.org> wrote:
I have “Log out from IdP” checked, and when clicking “logout” from the moodle page, but it is still keeping my other SAML sessions alive. This is what I have found so far:
Can initiate a SAML request from either Moodle or Google Apps. Once logging in via either service, I am authenticated to both. (As expected)
When I click logout from Moodle, my Moodle SAML session is ended. Google Apps is still alive. (Not as expected – should kill both sessions)
When I click logout from Google Apps, both sessions are ended. (As expected)
Moodle is running w/ SAML 1.5.1 as a SP. Google is configured as a SP.
The IdP is sitting on a different box from the two, on 1.5.1.
Randy
From: simple...@googlegroups.com [mailto:simple...@googlegroups.com] On Behalf Of Piers Harding
Sent: Thursday, March 04, 2010 6:07 PM
To: simple...@googlegroups.com
Subject: Re: Using simpleSAML with moodle
Hi -
In the configuration of auth/saml - under Users -> Manage Authentication -> SAML Authentication
you check "Log out from Identity Provider:".
Cheers,
Piers Harding.
On 5 March 2010 12:31, Randy Saeks <rsa...@district30.org> wrote:
On 2/17/10 5:24 PM, smartin wrote:
So you need to install a clean simplesamlphp on the moodle server to
give him all the dependencies to talk SAML with your REMOTE idp...
Yes. you need Simplesamlphp-SP and Moodle running in the same machine
and connect them with an IdP.
Here in Andalusia we have an Identity Federation called CONFIA that
connect some University IdPs with some LMS Services: Moodle, WebCT,
Ilias.
Our Moodle plugin works with 1.5.1 Simplesamlphp SP version and is a
bit different than official Moodle version. but I think has more
functionality
If you want to check it I will end the documentation soon and publish
it.
Thanks for the info. I used your plugin and got things going. The most recent stable moodle to a simplesaml 1.5.1 IdP.
Was there anything you had to configure for the Moodle "logout" process to kill your SAML session as well? Right now when I do the logout via moodle, it kills my moodle session, but keeps other SAML services logged in. The second service uses a SAML logout page of:
https://HOST/sso/saml2/idp/initSLO.php?RelayState=/sso/logoaut.php
Can I just change the coding of logout to direct to that URL or is there something in the config file I can use to specify the saml logout URL?
--
Randy Saeks
Network & Server Administrator
Northbrook / Glenview School District 30
Twitter: rsaeks
Piers - Thanks for that info. This is seeming to make a bit more sense now with the Google component. I think I have this interaction understood.
If I initiate a SAML logout via Google, that sends a request to our IdP. This SAML logout request is then relayed to our hosted SP and reflected in the SP log file with this:
simplesamlphp DEBUG [2e675fb6d7] module/saml2/sp/logout: Request from OURIdP
simplesamlphp NOTICE STAT [2e675fb6d7] saml20-idp-SLO idpinit OURSP OURIdP
simplesamlphp DEBUG [2e675fb6d7] Session: doLogout()
After that appears in my log files, going to our SP SAML login page (or Google for that matter) throws a login page as I've closed my SAML session.
When I initiate a SAML logout via our SP (Moodle), this goes back to our IdP and I can see in the logs the session is terminated. What I am not seeing is a forwarder to Google to also terminate that session. Since our SP is initiating the SAML logout request, that will not pass along to Google. (In essence, to log out of Google, you need to click somewhere in the Google web-interface. It will not handle a SAML logout request passed "up")
Is that more or less correct?
Thanks again for all the responses to my emails the last few days. It has been really great to have this group as a resource and I sure hope I'm not a nuisance!
Randy
On 3/4/10 9:42 PM, Piers Harding wrote:
As far as I'm aware, you don't have to use the same cookie name, although you can run into different behaviour as to whether you are using memcache for session store or not (for ssphp).
Cheers.
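The SP log lines quoted in Randy's message can be checked mechanically when tracing a partial logout. The following is an added example, not part of the original thread and not simpleSAMLphp code: it groups log lines by track ID and reports, for each single-logout event, who initiated it and whether the local session was destroyed. The line layout is assumed from the three quoted lines, and the `0000000000` track and its lines are constructed sample data.

```python
import re

# The first three lines are the ones quoted in the thread. The last two are
# constructed: a logout request that was logged but never reached doLogout().
SAMPLE_LOG = """\
simplesamlphp DEBUG [2e675fb6d7] module/saml2/sp/logout: Request from OURIdP
simplesamlphp NOTICE STAT [2e675fb6d7] saml20-idp-SLO idpinit OURSP OURIdP
simplesamlphp DEBUG [2e675fb6d7] Session: doLogout()
simplesamlphp DEBUG [0000000000] module/saml2/sp/logout: Request from OURIdP
simplesamlphp NOTICE STAT [0000000000] saml20-idp-SLO idpinit OURSP OURIdP
"""

# Assumed layout: process name, level, optional STAT marker, [track id], message.
# search() is used so a syslog timestamp/host prefix in front is tolerated.
LINE_RE = re.compile(
    r"simplesamlphp\s+(?P<level>[A-Z]+)\s+(?P<stat>STAT\s+)?"
    r"\[(?P<track>[0-9a-f]+)\]\s+(?P<msg>.*)$"
)
# STAT payload as seen in the thread: event, initiator, SP entity, IdP entity.
SLO_STAT_RE = re.compile(
    r"^saml20-idp-SLO\s+(?P<init>\S+)\s+(?P<sp>\S+)\s+(?P<idp>\S+)$"
)


def summarize_slo(log_text):
    """Return {track_id: info} for every track that logged an SLO STAT line."""
    tracks = {}
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw.strip())
        if not m:
            continue  # blank line or output from another program
        info = tracks.setdefault(m.group("track"),
                                 {"slo": None, "local_logout": False})
        if m.group("stat"):
            stat = SLO_STAT_RE.match(m.group("msg"))
            if stat:
                info["slo"] = stat.groupdict()
        elif m.group("msg").startswith("Session: doLogout()"):
            info["local_logout"] = True
    return {t: i for t, i in tracks.items() if i["slo"]}


def incomplete_logouts(log_text):
    """Track IDs where an SLO was recorded but no local session teardown."""
    return [t for t, i in summarize_slo(log_text).items()
            if not i["local_logout"]]


if __name__ == "__main__":
    for track, info in summarize_slo(SAMPLE_LOG).items():
        print(track, info["slo"], "local session destroyed:", info["local_logout"])
    print("incomplete:", incomplete_logouts(SAMPLE_LOG))
```

Running the same summary over each SP's log for one logout shows which services actually received and acted on the request.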
One thing to note is that the Moodle auth/saml plugin does not check the SAML session state on every page request, so if you initiate the logout from somewhere other than Moodle, then the SAML session will be destroyed but the Moodle one won't.
| 19 | // Destroy local session if exists. | 19 | // Destroy local session if exists. |
|---|---|---|---|
| 20 | $session->doLogout(); | 20 | $session->doLogout(); |
| 21 | $session->clean(); | 21 | $session->clean(); |
| 22 | 22 | ||
| 23 | //destroy also Joomla Session (/IdP/another SP initiated SLO implementation) | ||
| 24 | require_once('JoomlaSLO.php'); | ||
| 25 | $joomlaLogoutSuccess=doJoomlaSessionDestroy(); | ||
| 26 | if (!$joomlaLogoutSuccess){ | ||
| 27 | SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTREQUEST', $exception); | ||
| 28 | } | ||
| 29 | |||
| 30 | |||
| 23 | $binding = SAML2_Binding::getCurrentBinding(); | 31 | $binding = SAML2_Binding::getCurrentBinding(); |
| 24 | $message = $binding->receive(); | 32 | $message = $binding->receive(); |
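Review bot: the fatalError() call added at new line 27 passes $exception, which is not defined anywhere in the visible lines, so the failure path would hand an undefined variable to the error handler; build a real exception there, or have doJoomlaSessionDestroy() throw one and catch it. The Joomla teardown at new lines 23-28 also runs before $binding->receive() at new line 32 has read the logout message, and a failure aborts after $session->doLogout() and $session->clean() have already removed the simpleSAMLphp session. Consider moving the Joomla session destroy after the message has been received, and reporting a failed application logout through the logout response rather than a fatal error.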