Catalyst's SAML Authentication Moodle Plugin

by Andrew Boag and Brendan Heywood

In Catalyst’s capacity as a Moodle Partner, we do a lot of work in the identity and authentication integration space. This means integrating Moodle and other existing applications, such as a CRM, library services, portals, course catalogues and webmail.

Over the years, Catalyst have worked on Single Sign On (SSO) projects with ADFS, OpenAM and Shibboleth.

Integrating with our clients’ authentication solutions means helping them achieve SSO capabilities. This means that their students log in once and have a seamless experience across all of their browsing activity. When this is done in partnership with a consistent look and feel, a student is able to cross into and out of Moodle while preserving a common user session. They are never prompted to enter login and password details as part of their browsing journey.

The identity and access management landscape is a smorgasbord of acronym soup, a collection of dense, inscrutable specifications. The industry standard for cross-site authentication, Security Assertion Markup Language (SAML), is a mature and secure protocol that has great support. Other common protocols include LDAP, OAuth and OpenID, but none of these offer a perfectly seamless SSO experience. For example, LDAP authentication often means typing in your login and password again and again for each app, and OAuth may mean the user has to approve each application in a pointless confirmation step. And only SAML offers proper Single Logout: sign out once, sign out everywhere.

Our experience is that rolling out SAML-based authentication into Moodle is not a trivial task. This has been detrimental to the adoption of SAML-based identity management. This is in contrast to using SAML in other applications, where it’s often as simple as either uploading an XML file or adding a URL to an admin screen.

SAML in Moodle has been a bit of a second-class citizen by comparison, requiring not only a Moodle authentication plugin, but also another whole extra application (either SimpleSAMLphp or Shibboleth) to be installed, configured and managed. Configuring these applications can be tricky and requires specialist domain knowledge. For many Moodle administrators this has meant the benefits of SAML are never realised.

Catalyst decided to start from scratch and write a clean, simple Moodle authentication plugin the way it should be done. Setting it up is a breeze and can be done in a minute.

Catalyst hopes that this improves the adoption of SAML and offers a smoother experience to your students. If you have any SAML or Moodle queries, or would like to see more features added to this plugin to support your business better, then please contact us; we’d love to help.