Moodle and Office 365 Step-by-Step Guide: Federation Using Active Directory Federation Services
This document is provided as-is. Information and views expressed in this document, including URL and
other Internet Web site references, may change without notice. You bear the risk of using it.
Examples depicted herein are provided for illustration only and are fictitious. No real association or
connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft
product. You may copy and use this document for your internal, reference purposes.
Summary: This guide walks you through the setup of a basic lab deployment of Moodle, Active Directory
Federation Services (AD FS) 2.0, and Windows Azure Active Directory to perform cross-product,
browser-based identity federation. This setup supports a federated single sign-on (SSO) experience for
Moodle and Office 365, in addition to user autoprovisioning, and user auto enrollment in Moodle
through Office 365.
Contents
About this guide ... 3
Terminology used in this guide ... 3
About the author ... 3
Prerequisites and other requirements ... 4
AD FS 2.0 ... 4
Moodle ... 4
SimpleSAMLPHP ... 4
Moodle Plugins ... 7
Appendix A: Using AD FS 2.0 with SimpleSAMLPHP Claim mapping rules ... 10
AD FS term        SAML term                 Description
Security token    Assertion                 An XML document that is created and sent during a federated access request and that describes a user
Claims provider   Identity provider (IdP)   A partner in a federation that creates security tokens for users
Relying party     Service provider (SP)     A partner in a federation that consumes security tokens to provide access to applications
Claims            Assertion attributes      Data about users that is sent inside security tokens
In this deployment, each product performs both the claims provider/identity provider role and the
relying party/service provider role.
AD FS 2.0
AD FS 2.0 assumes the role of Identity Provider and Security Token Service and will handle login requests
that follow the WS-Fed (Active), WS-Trust (Passive), and SAMLP standards.
This deployment uses a wildcard SSO certificate to provide a cost-effective way of securing a number of
different services with a single certificate.
Moodle
Use the Microsoft Web Platform Installer to install Moodle along with the other prerequisites, including
MySQL and PHP. Be sure that you have also made these modifications:
Enable both the SAML Authentication and SAML Enrolment modules (covered later in this
document).
SimpleSAMLPHP
This deployment uses the SimpleSAMLPHP framework to extend the authentication protocol abilities of
Moodle and provide SAML2 protocol support. SimpleSAMLPHP acts as a Service Provider and is
configured to send authentication requests to a remote SAMLP Identity Provider. Follow these steps to
install and configure SimpleSAMLPHP.
1. Download the latest version of SimpleSAMLPHP. At the time of writing, this was
   simplesamlphp-1.10.0.tar.gz from http://code.google.com/p/simplesamlphp/downloads. Unzip the
   download to a secure location.
2. In Internet Information Services (IIS) Manager, map a Virtual Directory /simplesaml to the
www directory inside the unzipped download. Ensure IIS has rights to this directory.
4. Configure the Identity Provider to be used with this Service Provider. Update the
   metadata/saml20-idp-remote.php file. The certFingerprint value is the certificate thumbprint of
   the AD FS Token-signing certificate (lower-case hex, no spaces or colons). The updated
   configuration should look like the one in this example:

   $metadata['http://idp.contoso.com/adfs/services/trust'] = array(
       'name' => array(
           'en' => 'ADFS IdP',
       ),
       'description' => 'Here you can login with your account on the Active Directory network.',
       'SingleSignOnService' => 'https://idp.contoso.com/adfs/ls',
       'SingleLogoutService' => 'https://idp.contoso.com/adfs/ls/?wa=wsignout1.0&wreply=https://idp.contoso.com/adfs/ls/?wa=wsignoutcleanup1.0',
       // SHA-1 thumbprint of the AD FS token-signing certificate; SimpleSAMLPHP rejects
       // assertions whose signing certificate does not match it
       'certFingerprint' => '571f9d649a950280de1b25f7c1259bf84ff7501d',
   );
5. When the Service Provider is configured, import the Service Provider Metadata into AD FS 2.0. The
   URL for this is available from the SimpleSAMLPHP Administrative Console Federation tab.
   a. In the Relying Party Trust relationship, set the advanced setting to use the SHA-1 secure
      hash algorithm.
   c. Add the necessary claim mappings by importing from the file containing the claim
      mappings. See Appendix A at the end of this document for the complete list of claims.
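As an added check for step 4 (this script is not part of the guide, of SimpleSAMLPHP or of AD FS), the following Python compares the certFingerprint in a saml20-idp-remote entry against the SHA-1 of a token-signing certificate exported from AD FS as a Base-64 (.cer) file, accepting the upper-case, colon- or space-separated thumbprint forms that the Windows certificate UI produces, and also flags a SingleSignOnService endpoint that is not HTTPS. The PEM body and the metadata dictionary are constructed for the example (the PEM is not a real certificate); with them the script reports a mismatch, which is the condition that makes SimpleSAMLPHP reject every assertion from the IdP.

```python
import base64
import hashlib
import re

# Constructed stand-in for a Base-64 (.cer) export of the AD FS token-signing
# certificate. The body decodes to the bytes "abc", not to real DER, so that
# the expected SHA-1 is known; a real export decodes to the certificate's DER.
CONSTRUCTED_CER = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)

# Python mirror of the saml20-idp-remote.php entry from step 4 (the thumbprint
# and hostnames are the ones shown in the guide).
IDP_METADATA = {
    "entityId": "http://idp.contoso.com/adfs/services/trust",
    "SingleSignOnService": "https://idp.contoso.com/adfs/ls",
    "certFingerprint": "571f9d649a950280de1b25f7c1259bf84ff7501d",
}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the Base-64 body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER bytes: this is the thumbprint AD FS displays and
    the value SimpleSAMLPHP expects in certFingerprint."""
    return hashlib.sha1(der).hexdigest()


def normalize_thumbprint(value: str) -> str:
    """Reduce 'A9:99:3E...' or 'a9 99 3e ...' to the lower-case hex form
    SimpleSAMLPHP compares against."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def check_idp_entry(metadata: dict, cer_pem: str) -> list:
    """Return a list of problems; an empty list means the entry is consistent
    with the exported certificate and uses an HTTPS SSO endpoint."""
    problems = []
    expected = sha1_fingerprint(pem_to_der(cer_pem))
    configured = normalize_thumbprint(metadata.get("certFingerprint", ""))
    if len(configured) != 40:
        problems.append("certFingerprint is not a 40-hex-digit SHA-1 thumbprint")
    elif configured != expected:
        problems.append(
            "certFingerprint %s does not match the exported token-signing "
            "certificate (%s)" % (configured, expected)
        )
    sso = metadata.get("SingleSignOnService", "")
    if not sso.startswith("https://"):
        problems.append("SingleSignOnService %r is not an HTTPS endpoint" % sso)
    return problems


if __name__ == "__main__":
    # With the constructed certificate this reports a thumbprint mismatch.
    for problem in check_idp_entry(IDP_METADATA, CONSTRUCTED_CER):
        print("PROBLEM:", problem)
```

Run it against the real .cer export and the real metadata entry after every token-signing certificate rollover on AD FS: the thumbprint changes with the certificate, and a stale certFingerprint is the usual cause of a Moodle login that fails only after the AD FS side was "not touched".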
To provide support for single sign-on and automated account provisioning in Moodle, use the SAMLP
Authentication plugin. If you're interested in automatic course enrollment based on your Active
Directory group membership, use the SAMLP Enrollment plugin.
Both of these plugins use the SimpleSAMLPHP framework as the underlying mechanism to handle the
SAMLP login flows.
In the Site Administration interface, enable and configure the SAML Authentication Plugin. On a
Windows platform, the path to the SimpleSAMLPHP library must include the double backslashes (\\) as
shown in the SimpleSAMLPHP Library Path entry.
You can also configure User Data Mapping (which populates the Moodle User profile with values from
the SAML Attributes in the incoming claim). Ensure that all of the attributes you want to include in the
Moodle User profile are added to the incoming claim (as configured in AD FS 2.0).
Full documentation for this setup, which does the bulk of the enrollment work, is available in the SAML
Authentication Plugin Documentation
(https://github.com/pitbulk/moodle_saml/blob/master/auth/saml/moodle_auth_saml.txt).
You configure this component in the SAML Authentication Plugin. Only a small amount of configuration
is needed after you enable the plugin.
Add-PSSnapin Microsoft.Adfs.PowerShell
Set-AdfsRelyingPartyTrust -TargetName "SimpleSAMLPHP SP" -IssuanceTransformRulesFile "c:\SimpleSAMLPHP-issuance-transformation-rules.txt"
---snip---
@RuleTemplate = "LdapClaims"
@RuleName = "Default"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/claims/Group",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";userPrincipalName,userPrincipalName,tokenGroups,mail,givenName,sn;{0}",
          param = c.Value);

@RuleName = "CN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "cn", Value = c.Value,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");

@RuleName = "mail"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "mail", Value = c.Value,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");

@RuleName = "UID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "uid", Value = c.Value,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");

@RuleName = "UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "UPN", Value = c.Value,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");

@RuleName = "GivenName"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]
 => issue(Type = "givenName", Value = c.Value,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");

@RuleName = "Surname"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]
 => issue(Type = "sn", Value = c.Value,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri");
---snip---
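To see why the incoming claim types in the transform rules matter to the plugin's User Data Mapping, here is an added Python model of the issuance pipeline above. It is not AD FS code and not part of this guide: it takes the claims the "Default" LdapClaims rule issues for one user, applies the rename rules as (incoming type, outgoing SAML attribute name) pairs, and reports which of the attribute names Moodle is mapped to (cn, mail, uid, UPN, givenName, sn) never arrive. The user values are constructed. The second rule set deliberately mistypes the e-mail claim type, and the model shows the AD FS behaviour that makes such mistakes hard to spot: a rule whose type matches no incoming claim issues nothing and raises no error, so the attribute is simply absent in Moodle.

```python
# Claim type URIs used by the guide's rules.
NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
NAMEID = NS + "nameidentifier"
UPN = NS + "upn"
EMAIL = NS + "emailaddress"
GIVENNAME = NS + "givenname"
SURNAME = NS + "surname"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed output of the "Default" LdapClaims rule for one user: the claim
# types are the ones the rule issues, the values are made up for the example.
LDAP_CLAIMS = [
    (NAMEID, "alice@contoso.com"),
    (UPN, "alice@contoso.com"),
    (GROUP, "S-1-5-21-1-2-3-1001"),
    (EMAIL, "alice@contoso.com"),
    (GIVENNAME, "Alice"),
    (SURNAME, "Example"),
]

# The guide's transform rules as (incoming claim type, outgoing attribute name).
TRANSFORM_RULES = [
    (UPN, "cn"),
    (EMAIL, "mail"),
    (UPN, "uid"),
    (UPN, "UPN"),
    (GIVENNAME, "givenName"),
    (SURNAME, "sn"),
]

# Same rules with the e-mail rule keyed on a claim type nothing issues
# (".../claims/email" instead of ".../claims/emailaddress").
MISTYPED_RULES = [(NS + "email", out) if out == "mail" else (t, out)
                  for t, out in TRANSFORM_RULES]

# Attribute names the Moodle SAML Authentication plugin's User Data Mapping reads.
MOODLE_ATTRIBUTES = ("cn", "mail", "uid", "UPN", "givenName", "sn")


def apply_transform_rules(claims, rules):
    """Evaluate each rule against every incoming claim, as AD FS does:
    one outgoing claim per matching input, and nothing when no input has
    the rule's type. Each outgoing claim carries the SAML attribute
    NameFormat the rules set through the attributename property."""
    issued = []
    for in_type, out_name in rules:
        for claim_type, value in claims:
            if claim_type == in_type:
                issued.append({"type": out_name, "value": value,
                               "nameformat": URI_FORMAT})
    return issued


def missing_moodle_attributes(issued, required=MOODLE_ATTRIBUTES):
    """Names from the User Data Mapping that the assertion would not contain."""
    present = {claim["type"] for claim in issued}
    return [name for name in required if name not in present]


if __name__ == "__main__":
    for label, rules in (("guide rules", TRANSFORM_RULES),
                         ("mistyped rules", MISTYPED_RULES)):
        issued = apply_transform_rules(LDAP_CLAIMS, rules)
        print(label, "issued", [c["type"] for c in issued],
              "missing", missing_moodle_attributes(issued))
```

When a profile field stays empty in Moodle after login, compare the rule's incoming Type against the types the LdapClaims rule actually issues before looking at the plugin: the model reproduces the empty-field symptom exactly when those do not line up.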