Purpose
This article was written as instructions for a technical resource to be able to connect a Moodle-based LMS using SSO.
Overview
Moodle is an open-source learning management platform that offers organizations or institutions the flexibility to build an LMS that fits their requirements. Admins can add features via plugins to structure courses, certifications, etc. This is no different for user provisioning/authentication. Moodle utilizes a plugin for SAML SSO called "auth_saml2" which is built from SimpleSAML PHP.
Pre-Requirements
- The user must be a System Admin in Allbound
- The user must be an administrator in the Moodle environment
Implementation
Moodle, or more specifically, SimpleSAML PHP SSO can be complicated to implement. The reason for this is that not all implementations are the same on the service provider side. Depending on which interface is utilizing the SimpleSAML PHP functionality (TalentLMS, Totara, etc.), different steps will be required on the service provider side of the configuration. The configuration on the Allbound (IdP) side is similar across each platform for the most part.
Identity Provider Configuration
Login URL: Within your metadata file, this value will be represented as the SingleSignOnService property and will look similar to the following example...
https://learning.allbound.com/auth/saml2/sp/saml2-acs.php/learning.allbound.com
Assertion URL: Within your metadata file, this value will be represented as the SingleSignOnService property and will look similar to the following example...
https://learning.allbound.com/auth/saml2/sp/saml2-acs.php/learning.allbound.com
Audience Restriction: Within your metadata file, this will be the entityID near the top of the XML.
Logout URL: Within your metadata file, this value will be represented as the SingleLogoutService property and will look similar to the following example...
https://learning.allbound.com/auth/saml2/sp/saml2-logout.php/learning.allbound.com
Issuer ID: This will default to your Allbound instance URL, which is the correct value.
Attribute Mappings: These mappings will vary by what service provider requirements are, but generally it is best practice to map Email, First Name, and Last Name.
Once you are done with these settings, you may save. Upon saving, this configuration will be given a numeric identifier. If you navigate back to the configuration, the ID will be shown at the end of the URL path. This will be important for the service provider configuration. Here is an example of how the URL will look.
https://portal.allbound.com/allbound-settings/sso/#/SAML/16
In this case, this configuration ID would be 16.
Service Provider Configurations
Upon generating the configuration on the Allbound side, you can export the metadata file from the top right corner of the configuration page and use its contents to configure the service provider side. The requirements and configuration process will vary based on the LMS being utilized, but the metadata generated from Allbound will need one change made to it: the SingleSignOnService will be represented as your Allbound instance URL by default, but it will need to be changed to include a query parameter carrying the Allbound SSO configuration ID. Using the example from above for configuration ID 16, the SingleSignOnService URL should be...
https://portal.allbound.com/?sso=16
Once that change is made, your system administrator may finish the configuration using the metadata file with that change included.
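The metadata edit described above, as an added example that is not part of the original article or of Allbound's tooling: the script reads the configuration ID from the end of the Allbound settings URL, then rewrites only the IdP SingleSignOnService Location in the exported metadata to carry the sso query parameter, leaving SingleLogoutService and everything else untouched. The metadata document embedded in the script is a constructed sample, not a real Allbound export.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed sample of an exported IdP metadata file (not a real Allbound export).
# As the article describes, the SingleSignOnService Location is the bare instance URL.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://portal.allbound.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://portal.allbound.com/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://portal.allbound.com/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def config_id_from_url(config_url):
    """Read the numeric SSO configuration ID from the end of the Allbound settings URL."""
    m = re.search(r"/SAML/(\d+)/?$", config_url)
    if not m:
        raise ValueError(f"no SAML configuration ID at the end of {config_url!r}")
    return int(m.group(1))

def add_sso_param(location, config_id):
    """Append the sso query parameter, replacing any stale one and keeping other parameters."""
    parts = urlsplit(location)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "sso"]
    query.append(("sso", str(config_id)))
    return urlunsplit(parts._replace(query=urlencode(query)))

def service_locations(metadata_xml, element):
    """Location attributes of every md:<element> (e.g. SingleSignOnService) in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iter(f"{{{MD_NS}}}{element}")]

def patch_metadata(metadata_xml, config_id):
    """Return the metadata with each IdP SingleSignOnService Location carrying ?sso=<config_id>.
    SingleLogoutService and every other element are left exactly as exported."""
    root = ET.fromstring(metadata_xml)
    ssos = root.findall(f".//{{{MD_NS}}}IDPSSODescriptor/{{{MD_NS}}}SingleSignOnService")
    if not ssos:
        raise ValueError("metadata has no IDPSSODescriptor/SingleSignOnService to patch")
    for sso in ssos:
        sso.set("Location", add_sso_param(sso.get("Location"), config_id))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    cid = config_id_from_url("https://portal.allbound.com/allbound-settings/sso/#/SAML/16")
    print(patch_metadata(SAMPLE_IDP_METADATA, cid))
```

Run it against the real exported file by replacing SAMPLE_IDP_METADATA with the file's contents; the script refuses to patch a document with no IdP SingleSignOnService, which catches the case where SP metadata was exported by mistake.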
Caveats
One of the MAJOR caveats to implementing SimpleSAML PHP SSO configurations is that, as of this writing, it does NOT support IdP-initiated SSO, meaning that from a technical standpoint you cannot trigger the SSO from the Allbound side. Upon finishing the configuration within the service provider, it should generate a login button for users to log in via SSO from the service provider's home login screen. If you copy the link from that button, you may include it in a Dashboard button or Quick Link on the Allbound side. This will emulate IdP-initiated SSO without the need for it to be supported by SimpleSAML PHP SSO implementations.