Chapter 82: Configuring Moodle

The following is an overview of the steps required to configure the Moodle Web application for single sign-on (SSO) via SAML. Moodle offers SP-initiated SAML SSO only.

1 Prepare for Moodle single sign-on (see "Moodle requirements for SSO" on page 82-2).

2 In the Centrify Cloud Manager, add the application and configure application settings.

Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see "Configuring Moodle in Cloud Manager" on page 82-4.

3 Configure SimpleSAML.php and the Moodle application for single sign-on.

To configure Moodle for SSO, copy settings from the Application Settings page in the Centrify Cloud Manager and paste them into the SimpleSAML.php configuration. Once the SimpleSAML.php configuration is complete, configure settings on the Moodle web site. For details, see "Configuring SimpleSAML.php" on page 82-11 and "Configuring Moodle on its web site" on page 82-13.

Preparing for Configuration

Moodle requirements for SSO

Before you configure the Moodle web application for SSO, you need the following (for more information and links to additional documentation, see "For more information about Moodle" on page 82-14):

• Moodle application installed and hosted on an application web server.

• SimpleSAMLphp installed on the same hosted application web server as Moodle. Download and install SimpleSAMLphp on your application web server and set it up as a service provider (SP).

• SAML Authentication plug-in installed in Moodle. This plug-in adds the SAML authentication option to the user profile available when you add new Moodle users.

• An active Moodle account with administrator rights for your organization.

• A signed certificate. You can either download one from Cloud Manager or use your organization's trusted certificate.

Setting up the certificates for SSO

To establish a trusted connection between the web application and the cloud service, you need to have the same signing certificate in both the application and the application settings in Cloud Manager.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in Cloud Manager. You also upload the public key certificate in a .cer or .pem file to the web application.

To download an application certificate from Cloud Manager (overview):

1 In the Apps page, add the application.

2 Click the application to open the application details.

3 In the Application Settings tab, click Download Signing Certificate to download and save the certificate.

What you need to know about Moodle

Capability: Supported? Support details

Web browser client: Yes

Mobile client: No

SAML 2.0: Yes

SP-initiated SSO: Yes

IdP-initiated SSO: No

Force user login via SSO only: Yes. After SSO is enabled, users must authenticate through the Centrify identity platform to access Moodle.

Separate administrator login after SSO is enabled: Yes.
• The super admin user account created during initial Moodle installation is exempt from SSO when logging in to the Moodle Web Client.
• The super admin user must always log in to Moodle with a user name and password. The authentication method is set to Manual accounts and cannot be changed.

User or Administrator account lockout risk: Yes. Once SSO is enabled for an account, logging in to Moodle manually with a user name and password is not allowed. However, since the super admin account authentication mode is always configured for username/password login, it can be used as a backdoor login in the event of a lockout.

Automatic user provisioning: Yes. Just-In-Time user provisioning is supported. All new users added using Just-In-Time User Provisioning are configured to use the SAML Authentication method.

Multiple User types: Yes. Super admin, admin users, and users.

Self-service password: No. Once SSO is enabled, passwords are not used to access Moodle.

Access restriction using a corporate IP range: Yes. You can specify an IP Range in the Cloud Manager Policy page to

Configuring Moodle in Cloud Manager

Tip: It is helpful to open the SimpleSAML.php and the Centrify Cloud Manager Application Settings window simultaneously to copy and paste settings between the two windows. For information on how to access the SimpleSAML.php, see "Configuring SimpleSAML.php" on page 82-11.

To add and configure the Moodle application in Cloud Manager:

1 In Cloud Manager, click Apps.

2 Click Add Web Apps. The Add Web Apps screen appears.

3 On the Search tab, enter the partial or full application name in the Search field and click the search icon.

4 Next to the application, click Add.

5 In the Add Web App screen, click Yes to confirm. Cloud Manager adds the application.

6 Click Close to exit the Application Catalog.

7 Configure the following fields (each entry lists whether the field is required or optional, what to set it to, and what you do):

Your Moodle's ACS Endpoint URL (Required)
Set it to: https://YOUR.SIMPLESAMLPHP.HOST/module.php/saml/sp/saml2-acs.php/SP.SOURCE
What you do: Change this value to the URL used for your Moodle implementation. For example, replace YOUR.SIMPLESAMLPHP.HOST with your Moodle host name and replace SP.SOURCE with moodle-sp. If you need to locate the ACS Endpoint URL for your implementation, see "Locating the ACS Endpoint URL" on page 82-10.

IdP Entity ID (Required)
Set it to: The cloud service automatically generates the content for this field.
What you do: Copy this URL and enter it as the idp setting in authsources.php located in ~/simplesamlphp/config/. See "Configuring SimpleSAML.php" on page 82-11.

Remote IdP SingleSignOnService (Required)
Set it to: The cloud service automatically generates the content for this field.
What you do: Copy this URL and add it as the SingleSignOnService setting in saml20-idp-remote.php located in ~/simplesamlphp/metadata/. See "Configuring SimpleSAML.php" on page 82-11.

Remote IdP SingleLogoutService (Optional)
Set it to: The cloud service automatically generates the content for this field.
What you do: Copy this URL and add it as the SingleLogoutService setting in saml20-idp-remote.php located in ~/simplesamlphp/metadata/. See "Configuring SimpleSAML.php" on page 82-11. Configuring this field means that users are logged out of the Centrify portal when they sign out of Moodle.

Download Signing Certificate (Required)
Set it to: The cloud service automatically generates the metadata content.
What you do: Copy the thumbprint value from the Signing Certificate and enter the value into the certFingerprint setting in saml20-idp-remote.php located in ~/simplesamlphp/metadata/. See Step 6 on page 12. To use a certificate with a private key (.pfx file) from your local storage, see Step 7 below.

8 On the Application Settings page, expand the Additional Options section and specify the following settings:

Application ID: Configure this field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The cloud service uses the Application ID to provide single sign-on to mobile applications. Note the following:

• The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.

• There can only be one SAML application deployed with the name used by the mobile application.

The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

Show in User app list: Select Show in User app list to display this web application in the user portal. (This option is selected by default.) If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won't display for users in the user portal.

Security Certificate: These settings specify the security certificate used for secure SSO authentication between the cloud service and the web application. Select an option to change the security certificate.

• Use existing certificate displays beneath it the certificate currently in use. The Download button below the certificate name downloads the current certificate through your web browser to your computer so you can supply the certificate to the web application during SSO configuration. It's not necessary to select this option; it's present to display current status.

• Use the default tenant signing certificate selects the cloud service standard certificate for use. This is the default setting.

9 (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.

The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

10 On the User Access page, select the role(s) that represent the users and groups that have access to the application.

When assigning an application to a role, select either Automatic Install or Optional Install:

• Select Automatic Install for applications that you want to appear automatically for users.

• If you select Optional Install, the application doesn't automatically appear in the user portal and users have the option to add the application.

11 (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:

• Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered as your intranet by specifying the Corporate IP range in Settings > Corporate IP Range.

• Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching an application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.

You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Specifying application access policies with JavaScript.

12 On the Account Mapping page, configure how the login information is mapped to the application's user accounts. The options are as follows:

• Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify user service.

• Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.

• Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:

    LoginUser.Username = LoginUser.Get('mail')+'.ad';

The above script instructs the cloud service to set the login user name to the user's mail attribute value in Active Directory and add '.ad' to the end. So, if the user's mail attribute value is [email protected] then the cloud service uses

On the App Gateway page, you can configure the application so that your users can access it whether they are logging in from an internal or external location. For applications configured for the App Gateway, users do not have to use a VPN connection to access the application remotely.

Note: The App Gateway feature is a premium feature and is available only in the Centrify Identity Service App+ Edition. Please contact your Centrify representative to have the feature enabled for your account.

Note: Some applications can be used with App Gateway; not all applications are set up to use this feature. At this time, Web applications may use HTTPS or HTTP, and either the standard port of 443 or a non-standard port. IP addresses are only supported for on-premise apps and are not supported for external-facing apps.

13 (Optional) To enable App Gateway mode, select Make this application available via the internet.

The Centrify identity platform verifies the application settings and displays the URL that you provided in application settings as the internal URL for the application.

14 Specify the external URL that users open to access the application from external locations. You can use an existing external URL or use one that the cloud service generates automatically for you.

If you use an existing external URL, any links to the application URL do not need to change and will continue to work as is. However, you do need to upload an SSL certificate and modify your DNS settings.

• To use your existing external URL, select the first option and do the following:

a Enter the existing external URL. You can enter an internal or external URL here.

b Click Upload to browse to and upload your SSL certificate with the private key for the URL that you entered. The certificate file has either a .PFX or .P12 filename extension.

• To use the auto-generated external URL, select the second option. Later, you'll need to be sure to notify your users of the updated URL to use.

15 Select a cloud connector to use with the application in the Cloud connectors to use with this service section. Choose one of the following:

• Any available: Select this option to allow the Centrify Identity Service to randomly select one of the available cloud connectors for your App Gateway configuration. Click Test Connection to make sure the connection between the cloud connector and the application is successful.

Identity Service randomly chooses one of the selected cloud connectors to use for the application. Once the configuration is saved, each future App Gateway request uses a random cloud connector from those selected, as long as the cloud connector is online. Once you select the cloud connectors you want to use, click Test Connection to make sure the connection between the selected cloud connectors and the application is successful. At least one cloud connector must succeed in order to save the configuration.

Note: If any of the cloud connectors are offline, they are not displayed in the list of available cloud connectors.

16 Click Save to save the App Gateway changes.

Note: If you configured the application to use an external URL, next you edit your DNS settings to accommodate the App Gateway connection to this application. You'll enter a CNAME record to map this URL to the application's gateway connection URL. For more information about configuring App Gateway and troubleshooting App Gateway connection issues, see "Configuring an application to use the App Gateway" on page 3-25 and "Troubleshooting" on page 3-28.

17 (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don't need to edit this script. For more information, see the SAML application scripting guide.

Note: On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

18 Click Workflow to set up a request and approval work flow for this application. The Workflow feature is a premium feature and is available only in the Centrify Identity Service App+ Edition. See Configuring Workflow for more information.

19 Click Save.

After configuring the application settings (including the role assignment) and the application's web site, you're ready for users to launch the application from the user portal.

Locating the ACS Endpoint URL

The following procedure is only required if you need to locate the Moodle ACS Endpoint URL for Step 7 of "Configuring Moodle in Cloud Manager" on page 82-4.

1 Access the SimpleSAMLphp installation page.

2 Click the Federation tab.

3 Click Show metadata in the SAML 2.0 SP Metadata, Entity ID: moodle-centrify section. The SAML 2.0 SP Metadata page is displayed.

4 Locate the AssertionConsumerService node with Binding "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST". The Location attribute is your Moodle ACS Endpoint URL.

5 If necessary, copy the URL and paste it into the Application Settings > Your Moodle's ACS Endpoint URL field.
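The following Python script is an added example, not part of Centrify's or SimpleSAMLphp's documentation. It does programmatically what the procedure above does by eye: parse SP metadata of the shape the Federation page shows, pick the AssertionConsumerService whose Binding is HTTP-POST, and return its Location. It then checks that the URL uses https and that its host and trailing SP source are the ones you intend to paste into Cloud Manager, since an ACS URL with the wrong SP source sends the IdP's assertions to an endpoint that does not exist. The metadata XML embedded in the script is constructed for the example; YOUR.SIMPLESAMLPHP.HOST is the page's own placeholder and moodle-sp / moodle-centrify are the values the page uses.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata, shaped like the output of SimpleSAMLphp's
# "Show metadata" page. It is not captured from a real installation.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="moodle-centrify">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://YOUR.SIMPLESAMLPHP.HOST/module.php/saml/sp/saml2-logout.php/moodle-sp"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://YOUR.SIMPLESAMLPHP.HOST/module.php/saml/sp/saml2-acs.php/moodle-sp"
        index="0"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://YOUR.SIMPLESAMLPHP.HOST/module.php/saml/sp/saml1-acs.php/moodle-sp"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def find_acs_url(metadata_xml: str, binding: str = HTTP_POST) -> str:
    """Return the Location of the first AssertionConsumerService with the
    requested Binding. The metadata namespace is matched explicitly so the
    lookup does not depend on the 'md:' prefix the generator happened to use."""
    root = ET.fromstring(metadata_xml)
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        if acs.get("Binding") == binding:
            return acs.get("Location")
    raise LookupError(f"no AssertionConsumerService with binding {binding}")


def acs_url_is_sane(url: str, expected_host: str, sp_source: str) -> bool:
    """Check the ACS URL before pasting it into Cloud Manager: it must be
    https (the IdP posts a signed assertion to it), sit on the expected host,
    and end with the SP source configured in authsources.php."""
    parts = urlsplit(url)
    return (
        parts.scheme == "https"
        and parts.netloc == expected_host
        and parts.path.endswith("/saml2-acs.php/" + sp_source)
    )


if __name__ == "__main__":
    acs = find_acs_url(SAMPLE_SP_METADATA)
    print("ACS Endpoint URL:", acs)
    print("sane for moodle-sp:", acs_url_is_sane(acs, "YOUR.SIMPLESAMLPHP.HOST", "moodle-sp"))
```

Run it against the metadata you copy from the Federation page (replace SAMPLE_SP_METADATA with the file contents); if acs_url_is_sane returns False, the SP source in authsources.php and the one in the Moodle plug-in settings are probably not the same.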

Configuring SimpleSAML.php

Once your application web server is prepared with all the components necessary for SAML authentication through Moodle, you must configure SimpleSAMLphp through an SSH connection to the application web server. SimpleSAMLphp installation and configuration is required in order to set up Moodle as a Service Provider. If you have not installed SimpleSAMLphp already, see the following for installation instructions:

https://simplesamlphp.org/docs/stable/simplesamlphp-install

The following instructions provide the specific values required to configure SimpleSAMLphp for your Moodle application. Some of the required values are available in the Moodle application settings in Cloud Manager, so if it's not already open, open it and view the Application Settings page. For additional configuration information, see:

https://simplesamlphp.org/docs/stable/simplesamlphp-sp

To configure SimpleSAML.php:

1 SSH to the server hosting Moodle and SimpleSAML.php and log in with your administrator credentials.

2 Open authsources.php in ~/simplesamlphp/config/.

3 Copy the IdP Entity ID setting from Application Settings in Cloud Manager and add it as the idp entry of a new authentication source. For example (the lines between the first and last were lost in the source; the idp line is reconstructed from the instruction above, and {IdP Entity ID} is a placeholder for the value you copied):

    'moodle-sp' => array(
        'saml:SP',
        // Paste the IdP Entity ID from Cloud Manager > Application Settings here.
        'idp' => '{IdP Entity ID}',
        //'discoURL' => NULL,
    ),

4 Save the changes you made to authsources.php.

5 Open saml20-idp-remote.php in ~/simplesamlphp/metadata/.

6 Add a new remote IdP and enable the certificate:

    // The array key must be the same IdP Entity ID you set as 'idp' in
    // authsources.php; SimpleSAMLphp looks the remote IdP up by that value.
    $metadata['https://cloud.centrify.com/SAML/Moodle'] = array(
        'name' => array(
            'en' => 'Centrify Cloud',
        ),
        'SingleSignOnService' => '{Remote IdP SingleSignOnService}',
        'SingleLogoutService' => '{Remote IdP SingleLogoutService}',
        'certFingerprint' => '{Fingerprint of Security Certificate}',
    );

In the above code:

• Replace {Remote IdP SingleSignOnService} with the setting from Cloud Manager > Application Settings > Remote IdP SingleSignOnService.

• (Optional) Replace {Remote IdP SingleLogoutService} with the setting from Cloud Manager > Application Settings > Remote IdP SingleLogoutService.

• Replace {Fingerprint of Security Certificate} with the thumbprint value you copied in Step 7 on page 5.

7 Save the changes to the saml20-idp-remote.php file.
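The certFingerprint value is what SimpleSAMLphp uses to decide whether an assertion was signed by the certificate you downloaded from Cloud Manager; a thumbprint pasted from the wrong certificate, or pasted with a typo, fails every login with a signature error and nothing in the Moodle UI tells you why. The Python script below is an added example (not Centrify's or SimpleSAMLphp's code) that recomputes the SHA-1 fingerprint from the .cer/.pem file you downloaded and compares it with the thumbprint you are about to paste, ignoring the case and colon differences between how Cloud Manager, openssl and the PHP file present it. It assumes the Cloud Manager thumbprint is the SHA-1 fingerprint of the DER-encoded certificate, which is the form certFingerprint takes; the PEM embedded in the script wraps constructed bytes rather than a real certificate so the parsing and comparison run offline.

```python
import base64
import hashlib
import re

# Constructed sample: these bytes are NOT a real certificate. They stand in
# for the DER body so the PEM parsing and fingerprint logic can run offline.
SAMPLE_DER = b"constructed-sample-der-bytes-not-a-real-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def der_from_pem(pem: str) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    body = "".join(m.group(1).split())  # drop the line breaks inside the block
    return base64.b64decode(body, validate=True)


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 fingerprint of the DER certificate, lowercase hex, no colons:
    the form to paste into certFingerprint."""
    return hashlib.sha1(der_from_pem(pem)).hexdigest()


def normalize_fingerprint(value: str) -> str:
    """Canonicalize a thumbprint copied from a UI or from
    'openssl x509 -fingerprint' (uppercase, colon-separated, maybe spaces)
    so it can be compared byte for byte."""
    cleaned = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit SHA-1 fingerprint: {value!r}")
    return cleaned


def fingerprint_matches(pem: str, thumbprint: str) -> bool:
    """True if the thumbprint you plan to put in saml20-idp-remote.php is the
    fingerprint of the certificate actually downloaded from Cloud Manager."""
    return normalize_fingerprint(thumbprint) == sha1_fingerprint(pem)


if __name__ == "__main__":
    fp = sha1_fingerprint(SAMPLE_PEM)
    print("certFingerprint =>", fp)
    # The same value in openssl's display form still matches.
    pretty = ":".join(fp[i:i + 2] for i in range(0, 40, 2)).upper()
    print("matches display form:", fingerprint_matches(SAMPLE_PEM, pretty))
```

To use it on a real file, read the downloaded .pem into a string and call fingerprint_matches(pem_text, thumbprint_from_cloud_manager); if it returns False, re-download the signing certificate from the Application Settings page, since the tenant certificate may have been changed after you first copied the thumbprint.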

Configuring Moodle on its web site

The following procedures describe how to configure SAML Authentication fields and Data mapping on the Moodle web site.

To configure Moodle for SSO:

1 In your web browser, go to the URL for your Moodle instance and sign in with your administrator account credentials:

https://YOUR.SIMPLESAMLPHP.HOST/module.php/saml/sp/saml2-acs.php/SP.SOURCE

where YOUR.SIMPLESAMLPHP.HOST is your host name and SP.SOURCE is moodle-sp.

2 Navigate to Administration > Site Administration > Plugins > Authentication > SAML Authentication.

3 In SAML Authentication, configure the following settings:

SimpleSAMLPHP Library path: Make sure the path matches the actual library path of your SimpleSAMLphp.

SimpleSAMLPHP SP source: Enter moodle-sp.

SAML username mapping: Enter eduPersonPrincipalName.

Single Log out (Optional): Check to enable Single Logout.

SAML Image (Optional): Enter the path to the image to be used as the SAML login button.

SAML login description (Optional): Enter text to be displayed below the image.

Log file path (Optional): Enter a location to change the default location for Moodle SAML plug-in errors.

Hook file path: Make sure the path listed matches the actual path to your hook file (custom_hook.php).

SAML support courses: If you are not using the Auto Enrolment plugin, leave this

4 Click Save changes to save the configuration.

Configuring user data mappings

Moodle supports configuring user data mapping (Just-In-Time user provisioning) to manage certain user profile attributes. Configuring these attributes is optional, but Centrify recommends that you configure First name, Surname and Email address so new users have a name and email address the first time they log in through SSO.

To configure user data mappings:

1 If you have not done so already, go to the URL for your Moodle instance and sign in with your administrator account credentials.

2 Navigate to Administration > Site Administration > Plugins > Authentication > SAML Authentication and scroll down to Data mapping.

3 Enter information for First name, Surname, and Email address (configuring other fields is optional).

Note: If you configure more than the recommended attributes (first name, surname and email address), you must remove the comment notation for those attributes in the SAML assertion in the Cloud Manager > Application Settings > Advanced tab.

4 Configure Update local with one of the following:

• On creation: Moodle uses the attribute value only if the user is a new user in Moodle.

• On every login: Moodle updates the user profile with the attribute value every time the user logs in to Moodle. If the user is new, Moodle uses the attribute value to create a new user.

5 Configure Lock value with one of the following:

• Unlocked: The user can change the attribute value at any time.

• Unlocked if empty: The attribute can be changed if it has not been set yet. Once the attribute is configured it is locked and can no longer be changed.

• Locked: The user cannot change the attribute value at any time.

The Lock value is used to prevent users from changing the configuration of certain attributes. For more information, see https://docs.moodle.org/26/en/Managing_authentication.

6 Click Save changes.

Once you save the changes, you can exit the SAML Authentication page.

For more information about Moodle

For more information about configuring Moodle for SSO, see the documentation available from the following websites:

• https://docs.moodle.org/26/en/Managing_authentication

• Moodle community forums: https://moodle.org/course/index.php

• Installing Moodle: https://docs.moodle.org/26/en/Installing_Moodle

• SimpleSAMLphp Service Provider QuickStart: https://simplesamlphp.org/docs/stable/simplesamlphp-sp

• Plugin: SAML Authentication (requires SimpleSAMLphp)
