Introduction
Moodle is a learning platform designed to provide educators, administrators and learners with a single robust, secure and integrated system to create personalized learning environments [1]. It is widely used in the education sector, and there are cases where users need to log in to Moodle via SAML instead of its default username/password authentication. For this we need an Identity Provider capable of issuing SAML tokens, and Moodle configured to accept those tokens and authenticate the user from them.
I will be discussing this in two parts.
Part I - How to configure Moodle for SSO with WSO2 Identity Server
Part II - How to carry out user provisioning and attribute profile mapping with Moodle and WSO2 Identity Server
Let's see how this can be achieved using the SAML authentication plugin provided by OneLogin.
Prerequisite
You need to have a working version of Moodle installed. If you want to try this tutorial from scratch, you can download and install Moodle on your machine by following the tutorial [2].
Let's get started
In order for Moodle to support SAML 2 SSO we need to install the OneLogin SAML SSO plugin into Moodle. Download the plugin zip that is compatible with the Moodle version you are using and add it as a plugin.
1) Download the OneLogin SAML plugin from this link [3]. The plugin files are found at the end of the page.
2) Go to the Moodle dashboard, log in as the administrator and browse to the Site administration page.
3) Under Plugins you will find an option to install plugins. Upload the downloaded zip file there.
4) Next go to the installed plugin. You can find it under Authentication plugins in the Plugins section. Click on the Settings option for the entry corresponding to OneLogin SAML SSO Authentication.
5) Under the Identity Provider Configuration provide the following information so that the WSO2 Identity Server is used as the Identity Provider for this use case.
- IdP Entity Id - localhost
- Single Sign On Service Url - https://localhost:9443/samlsso
- Single Log Out Service Url - https://localhost:9443/logout
- X.509 Certificate - Here you need to specify the public certificate of the IdP. Since we are using the WSO2 Identity Server, provide the public certificate from the wso2carbon.jks keystore. The blog post [4] explains how to obtain it; the command below exports it in PEM form.
keytool -export -keystore pathToKeystore -rfc -alias aliasNameForCertificate
6) Now the configuration on the Moodle end should look like this.
7) Next, under the plugin's advanced settings, set the Service Provider Entity Id as below.
Now the configuration on the Moodle end is done. If you want to configure the attribute mapping in Moodle at this stage, you can refer to the post [7] and complete all the Moodle configuration, including attribute mappings, in one go.
If you are not configuring the attributes at this step, make sure the OneLogin SAML plugin has not been enabled under the authentication plugins.
Next we need to register Moodle as a service provider on the WSO2 Identity Server. Let's look at how we can do that.
1) Download the WSO2 Identity Server [5].
2) After the installation, navigate to the management console and add a new service provider. You can follow the documentation [6] on how to add a new service provider to WSO2 Identity Server.
3) Enter the following details for the Moodle service provider. The SAML2 Web SSO related settings are found under the Inbound Authentication Configuration section; update them as follows. The Issuer must be exactly the value set as the Service Provider Entity Id in the Moodle plugin (step 7 above), since that is how the Identity Server matches an incoming authentication request to this service provider.
Service Provider Name - moodle_php_saml
Issuer - moodle_php_saml
Default Assertion Consumer URL - http://localhost/moodle/auth/onelogin_saml/index.php
NameID format - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Enable attribute profile
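SSO only works once the values entered on the two sides agree: the Issuer registered on WSO2 must equal the SP Entity Id in Moodle, the Assertion Consumer URL must be where the plugin actually receives the response, and the IdP Entity Id in Moodle must be what WSO2 puts in the Issuer of its responses. The Python script below is an added example written for this post, not code from the blog, from the OneLogin plugin or from WSO2. It encodes the checks a SAML service provider makes against exactly those configured values, run over a constructed sample response (the attribute name is an assumed WSO2 claim URI, not something the post configures). Signature verification against the X.509 certificate from the Moodle plugin settings is assumed to happen separately and is not performed here.

```python
"""Consistency checks a SAML SP runs against the values configured above.
Added example, not part of the post, the OneLogin plugin or WSO2.
Signature verification against the IdP X.509 certificate is assumed to be
done separately; this only checks the configured identifiers and timing."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values from the Moodle plugin and the WSO2 service provider configuration.
SP_CONFIG = {
    "sp_entity_id": "moodle_php_saml",   # Moodle SP Entity Id == WSO2 Issuer
    "acs_url": "http://localhost/moodle/auth/onelogin_saml/index.php",
    "idp_entity_id": "localhost",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}
# Fixed "current time" so the validity-window check is reproducible.
NOW = datetime(2017, 10, 1, 10, 0, 30, tzinfo=timezone.utc)


def _parse_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp {value!r}")


def check_response(xml_text, cfg=SP_CONFIG, now=NOW):
    """Return a list of mismatches between a SAML Response and the SP config.
    Empty list means the response is consistent with the configured values."""
    problems = []
    root = ET.fromstring(xml_text)
    # Destination and Issuer of the Response: ACS URL and IdP Entity Id.
    if root.get("Destination") != cfg["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != cfg["idp_entity_id"]:
        problems.append("Response Issuer != IdP Entity Id")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("Response carries no Assertion")
        return problems
    if assertion.findtext("saml:Issuer", namespaces=NS) != cfg["idp_entity_id"]:
        problems.append("Assertion Issuer != IdP Entity Id")
    # Audience must be our SP Entity Id: a mismatch between the WSO2 Issuer
    # and the Moodle SP Entity Id shows up here.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != cfg["sp_entity_id"]:
        problems.append(f"Audience {audience!r} != SP Entity Id")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != cfg["nameid_format"]:
        problems.append("NameID missing or Format != configured NameID format")
    # Validity window of the assertion and of the bearer confirmation.
    conds = assertion.find("saml:Conditions", NS)
    if conds is not None and conds.get("NotBefore") and conds.get("NotOnOrAfter"):
        if not (_parse_time(conds.get("NotBefore")) <= now
                < _parse_time(conds.get("NotOnOrAfter"))):
            problems.append("assertion is outside its validity window")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") != cfg["acs_url"]:
            problems.append("SubjectConfirmationData Recipient != ACS URL")
        if scd.get("NotOnOrAfter") and now >= _parse_time(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation has expired")
    return problems


def get_attributes(xml_text):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(
                "saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)}


# Constructed sample response; the claim URI is an assumed WSO2 attribute name.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2017-10-01T10:00:00Z"
 Destination="http://localhost/moodle/auth/onelogin_saml/index.php">
 <saml:Issuer>localhost</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-10-01T10:00:00Z">
  <saml:Issuer>localhost</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2017-10-01T10:05:00Z"
     Recipient="http://localhost/moodle/auth/onelogin_saml/index.php"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-10-01T09:59:00Z" NotOnOrAfter="2017-10-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>moodle_php_saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://wso2.org/claims/emailaddress">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
# Same response issued for a different SP: the Audience check must fail.
BAD_RESPONSE = GOOD_RESPONSE.replace(
    "<saml:Audience>moodle_php_saml<", "<saml:Audience>some_other_sp<")

if __name__ == "__main__":
    print("good:", check_response(GOOD_RESPONSE) or "consistent with SP_CONFIG")
    print("bad:", check_response(BAD_RESPONSE))
    print("attributes:", get_attributes(GOOD_RESPONSE))
```

Run it as-is and the first response passes while the second is rejected on Audience alone; editing a single value in SP_CONFIG (for example the ACS URL) shows which setting in Moodle or WSO2 a given login failure points to. The attributes dictionary is what the attribute profile enabled above delivers, and is the input to the attribute mapping covered in Part II.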
Now all the configurations have been completed. Moodle has been configured to use WSO2 Identity Server as the identity provider.
This setup won't be complete until the attribute mappings are also carried out correctly, so that Moodle's user attributes are mapped to the Identity Server and users are provisioned correctly. I will be discussing that in my next post [7] on user provisioning and attribute profile mapping with Moodle and WSO2 Identity Server.
References
[1] https://docs.moodle.org/33/en/About_Moodle
[2] https://docs.moodle.org/23/en/Installing_Moodle
[3] https://support.onelogin.com/hc/en-us/articles/201173644-Configuring-SAML-for-Moodle2
[4] http://xacmlinfo.org/2013/11/30/how-to-certificate-retrieve-x509-certificate-as-data/
[5] https://wso2.com/identity-and-access-management
[6] https://docs.wso2.com/display/IS530/Configuring+a+Service+Provider
[7] http://shenavid.blogspot.com/2017/10/user-provisioning-and-attribute-profile.html
Thanks for your efforts in sharing this information in detail. This was very helpful to me. Kindly keep continuing the great work.